#!/usr/bin/php
<?php
//error_reporting(0);
include('config.php');

/***
 * Main program - Don't edit below
 */
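echo "·▄▄▄▄▄▌        .▄▄ · .▄▄ · \n▐▄▄·██•  ▪     ▐█ ▀. ▐█ ▀. \n██▪ ██▪   ▄█▀▄ ▄▀▀▀█▄▄▀▀▀█▄\n██▌.▐█▌▐▌▐█▌.▐▌▐█▄▪▐█▐█▄▪▐█\n▀▀▀ .▀▀▀  ▀█▄▀▪ ▀▀▀▀  ▀▀▀▀ \n";

// Pull in the Clapp argument-parser classes shipped next to this script.
// glob() resolves a relative pattern against the current working directory,
// not the script's own folder, so anchor it to __DIR__ or the tool only works
// when launched from inside ReportToolz/. glob() returns false on error and
// [] when nothing matches; in both cases the \Clapp\ classes used below would
// be missing, so stop with a readable message instead of a class-not-found fatal.
$classFiles = glob(__DIR__ . "/classes/*.php");
if (empty($classFiles)) {
    die("[!] no class files found in " . __DIR__ . "/classes/\n");
}
foreach ($classFiles as $filename) {
    include $filename;
}

// Options as Clapp spells them: "help|h" and "path|p=s". The path value is the
// folder holding the *.json findings; the usage text shows it with a trailing
// '/' and the rest of the script relies on that (it is used as a bare prefix).
$definitions = new \Clapp\CommandLineArgumentDefinition(
    [
        "help|h"            => "Shows help message",
        "path|p=s"          => "/path/to/jsons/",
    ]
);

$filter = new \Clapp\CommandArgumentFilter($definitions, $argv);

// Running with no arguments at all is treated like --help. The title goes to
// STDOUT and the generated usage to STDERR, unchanged from the original.
if ($filter->getParam('h') === true || $argc < 2) {
    echo "The JSON prettyfier\n\n";
    fwrite(STDERR, $definitions->getUsage());
    exit(0);
}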

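// Load the floss rules. Each row is [pattern, replacement]: column 0 is an
// fnmatch() pattern matched against a finding's bare name, column 1 the VDB
// file (relative to $vulnDB) to substitute, or "-del-" to just retire it.
$csvPath = $vulnDB . "/floss.csv";
if (!file_exists($csvPath)) {
    die("[!] floss.csv not found, is config.php correct?\n");
}

$csv = [];
$file = fopen($csvPath, 'r');
if ($file === false) {
    // file_exists() passed, so this is a permissions/race problem; fgetcsv()
    // on false would be a TypeError on PHP 8 rather than a useful message.
    die("[!] floss.csv exists but could not be opened for reading\n");
}
while (($result = fgetcsv($file)) !== false) {
    // A blank line comes back as [null] and a malformed row may have a single
    // cell; both are later read as $row[0] and $row[1], so drop them here.
    if (count($result) < 2) {
        continue;
    }
    $csv[] = $result;
}
fclose($file);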

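// The path option is mandatory. (`!$x` is exactly the former `$x == false`.)
$jsonDir = $filter->getParam("path");
if (!$jsonDir) {
    die("[-] no path set\n");
}

// Index every file under the VDB, stored relative to $vulnDB so the log and
// the screen output stay short. The prefix is stripped with str_replace(), as
// before, so $vulnDB is assumed not to recur inside its own subpaths.
$vdbVulns = array_map(
    static function ($fullPath) use ($vulnDB) {
        return str_replace($vulnDB, "", $fullPath);
    },
    getDirContents($vulnDB)
);
echo "VDB: ".count($vdbVulns).", ";

// Collect the findings to floss: one entry per *.json in the target folder,
// identified by its bare name. basename() strips only the trailing ".json",
// whereas the old str_replace() pair removed every ".json" occurrence and so
// could never match a name such as "foo.json.json" back to its file.
$vuln = [];
foreach (glob($jsonDir."*.json") ?: [] as $finding) {
    $vuln[] = ['orig' => basename($finding, ".json")];
}

echo "Vulns: ".count($vuln)."\n";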

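// Pass 1 — exact match against the VDB: a finding whose "<orig>.json" equals
// the basename of a VDB file is mapped to that VDB path. Indexing the VDB by
// basename first makes this linear instead of findings × VDB entries; when
// several VDB files share a basename the last one wins, exactly as the former
// nested loop behaved. basename() also handles entries without any '/', which
// the old substr(strrpos()+1) silently mangled.
$vdbByName = [];
foreach ($vdbVulns as $issue) {
    $vdbByName[basename($issue)] = $issue;
}
foreach ($vuln as $key => $finding) {
    $title = $finding['orig'].".json";
    if (isset($vdbByName[$title])) {
        $vuln[$key]['new'] = $vdbByName[$title];
    }
}

// Pass 2 — floss.csv rules, applied in file order, override pass 1. Column 0
// is an fnmatch() pattern against the bare finding name, column 1 the
// replacement (a VDB path or "-del-").
foreach ($csv as $rule) {
    if (!isset($rule[0], $rule[1])) {
        continue; // blank or malformed row: nothing to match or to substitute
    }
    foreach ($vuln as $key => $issue) {
        if (fnmatch($rule[0], $issue['orig'])) {
            $vuln[$key]['new'] = $rule[1];
        }
    }
}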

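// Output folders live beside the *.json files: flossed/ receives the originals
// that were mapped, to_check/ the ones that were not. The path option is
// expected to end with '/' (see the usage text); rtrim() gives the same result
// for such a path as the former substr()/strrpos() pair.
$jsonDir = $filter->getParam("path");
$outBase = rtrim($jsonDir, '/');

$flossFolder = $outBase."/flossed";
$checkFolder = $outBase."/to_check";
foreach ([$flossFolder, $checkFolder] as $folder) {
    if (is_dir($folder)) {
        continue;
    }
    // mkdir() only reports failure through its return value; without this
    // check every later rename()/copy() into the folder would fail one by one.
    if (!mkdir($folder)) {
        die("[!] could not create directory $folder/\n");
    }
    echo "[+] created directory $folder/\n";
}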

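// Apply the mapping. Every finding's original *.json is moved out of the way
// (to flossed/ when mapped, to to_check/ when not); a mapped finding is then
// replaced by a copy of its VDB file unless the rule says "-del-". Each
// mapping is logged to flossed/<timestamp>.log.
$jsonDir = $filter->getParam("path");
$flossed = 0;
$flossArr = [];

$logFile = $jsonDir."flossed/".date("d-m-Y_H-i-s").".log";
$fp = fopen($logFile, "wb");
if ($fp === false) {
    // fwrite() on false is a TypeError on PHP 8; stop before touching any file.
    die("[!] could not open log file $logFile\n");
}

foreach ($vuln as $finding) {
    $origFile = $jsonDir.$finding['orig'].".json";

    if (!isset($finding['new'])) {
        if (!rename($origFile, $jsonDir."to_check/".$finding['orig'].".json")) {
            fwrite(STDERR, "[-] could not move ".$finding['orig'].".json to to_check/\n");
        }
        continue;
    }

    fwrite($fp, $finding['orig']." -> ".$finding['new']."\n"); // log changes

    if (!rename($origFile, $jsonDir."flossed/".$finding['orig'].".json")) {
        fwrite(STDERR, "[-] could not move ".$finding['orig'].".json to flossed/\n");
    }
    if ($finding['new'] !== "-del-") {
        // The source is $vulnDB plus the rule/VDB path as given (floss.csv is
        // trusted configuration); only the file's own name is used on the
        // destination side, so the copy always lands directly in $jsonDir.
        $title = basename($finding['new']);
        if (!copy($vulnDB.$finding['new'], $jsonDir.$title)) {
            // Report rather than count silently: the log already says the
            // finding was flossed, so a missing replacement must be visible.
            fwrite(STDERR, "[-] could not copy ".$finding['new']." from VDB\n");
        }
        $flossArr[] = $finding['new'];
    }
    $flossed++;
}
fclose($fp);

$flossedInto = count(array_unique($flossArr));
$left = count($vuln)-$flossed;
echo "Flossed: ".$flossed." -> ".$flossedInto."\n";
echo "To Check: ".$left."\n";
echo "________________________________________________
|                                               |
|Please (on VDB) either add a rule to floss.csv |
|or create a new vulnerability for each .json   |
|in /to_check to help the team and make         |
|reporting easier for everyone!                 |
|_______________________________________________|\n";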


/**
 * Recursively list the regular (non-directory) entries below $path.
 *
 * Returns full pathnames in traversal order; "." and ".." are excluded because
 * they report as directories. An unreadable $path surfaces as the
 * UnexpectedValueException thrown by RecursiveDirectoryIterator.
 */
function getDirContents($path) {
    $walker = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path));

    $nonDirs = array_filter(
        iterator_to_array($walker, false),
        static function ($entry) {
            return !$entry->isDir();
        }
    );

    return array_values(array_map(
        static function ($entry) {
            return $entry->getPathname();
        },
        $nonDirs
    ));
}