YARA bad PHP code signatures
$ cat code_audit.yar
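rule PHP_INFOLEAK
{
    meta:
        description = "PHP calls that disclose server configuration or source code (phpinfo, show_source, highlight_file)"
    strings:
        // PHP resolves function names case-insensitively, so PHPINFO( is as real as phpinfo( -> nocase.
        // \b stops substring hits inside longer identifiers (my_phpinfo( ); \s* allows any
        // amount of whitespace before the parenthesis instead of at most one character.
        $leak1 = /\b(phpinfo|show_source|highlight_file)\s*\(/ nocase
    condition:
        $leak1
}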
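rule PHP_CODE_EXEC
{
    meta:
        description = "PHP primitives that evaluate code or run operating-system commands"
    strings:
        // \b keeps identifiers that merely end in the function name (retrieval(, filesystem()
        // from matching; nocase because PHP function names are case-insensitive.
        $exec1 = /\beval\s*\(/ nocase
        $exec2 = /\bsystem\s*\(/ nocase
        $exec3 = /\bshell_exec\s*\(/ nocase
        // Same class of sink as system()/shell_exec(); listed so an audit does not skip them.
        $exec4 = /\b(exec|passthru|popen|proc_open)\s*\(/ nocase
    condition:
        any of ($exec*)
}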
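rule PHP_FILE_INCLUSION
{
    meta:
        description = "include/require statements whose path contains a PHP variable, plus use of the client-supplied Host header"
    strings:
        // Not an inclusion primitive: this flags code that trusts the Host request header.
        // Kept so existing hits are preserved; it would sit better in its own rule.
        $inclusion1 = /_SERVER\[\s*('|")HTTP_HOST('|")\s*\]/
        // The original patterns wrote \\$ - an escaped backslash followed by the end anchor -
        // which cannot match a PHP variable; \$ is the literal dollar sigil.
        // (_once)? covers require_once/include_once with the same pattern; \b prevents hits
        // inside longer identifiers; nocase because PHP keywords are case-insensitive.
        $inclusion2 = /\brequire(_once)?\s*['"(\$].*\$.*$/ nocase
        $inclusion3 = /\binclude(_once)?\s*['"(\$].*\$.*$/ nocase
    condition:
        any of ($inclusion*)
}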
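rule PHP_XSS
{
    meta:
        description = "Request-controlled input concatenated into, or written directly to, the response"
    strings:
        // Request data appended to a string that is later output (.= $_GET[...]).
        // REQUEST and COOKIE are added next to GET and POST: all four are client-controlled.
        $xss1 = /\.=.*?\s*\$_((POST|GET|REQUEST|COOKIE)\[.*?\]|SERVER\[.?(REQUEST_URI|QUERY_STRING))/
        // Output functions that take request data on the same line. \b avoids hits such as indie( for die(.
        // Heuristic only: an encoder such as htmlspecialchars() between sink and source is not
        // recognised, so each hit needs a manual look at the intervening code.
        $xss2 = /\b(echo|print|print_r|exit|die|printf|vprintf).*?\s*\$_((POST|GET|REQUEST|COOKIE)\[.*?\]|SERVER\[.?(REQUEST_URI|QUERY_STRING))/
    condition:
        any of ($xss*)
}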
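rule PHP_SQLi
{
    meta:
        description = "Database query sinks and SQL strings assembled by concatenation"
    strings:
        // Query-execution entry points: each is where a concatenated query reaches the database.
        // \b prevents matches inside longer identifiers; nocase because PHP function names are
        // case-insensitive. Grouped alternation replaces 21 separate \s?\( suffixes.
        $sqli1 = /\b(mysql_query|mysqli_query|pg_execute|pg_insert|pg_query|pg_select|pg_update|sqlite_query|msql_query|mssql_query|odbc_exec|fbsql_query|sybase_query|ibase_query|dbx_query|ingres_query|ifx_query|oci_parse|sqlsrv_query|maxdb_query|db2_exec)\s*\(/ nocase
        // A double-quoted string beginning with SELECT, closed, then concatenated with a variable
        // and another literal: "SELECT ... " . $x . "...". nocase replaces the hand-written
        // (S|s)(E|e)(L|l)... alternation; \s* accepts tabs as well as spaces.
        $sqli2 = /"\s*select[^"]*"\s*\.\s*\w[^.]*\.\s*"/ nocase
    condition:
        any of ($sqli*)
}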
Test on Damn Vulnerable Web App (DVWA)
$ yara -w ./code_audit.yar ./DVWA/
PHP_INFOLEAK ./DVWA//phpinfo.php
PHP_SQLi ./DVWA//login.php
PHP_CODE_EXEC ./DVWA//security.php