pyparsephp
https://bitbucket.org/blackaura/pyparsephp
pyparsephp is a set of libraries which can be used to parse PHP files. The library is designed to be used in PHP source code analysis tools, especially security-related tools. This code will eventually be used in a larger project which will try to identify bugs in PHP code such as SQL injection and XSS.
Runs best on Python 2.7.
The library files can also be used as standalone programs.
phpextract.py
usage: phpextract.py [-h] -d DIR [-o OUTPUT]
optional arguments:
-h, --help show this help message and exit
-d DIR, --dir DIR Directory
-o OUTPUT, --output OUTPUT
Output file
This program extracts PHP source code that it finds in files. It recursively crawls the directory DIR for PHP files and extracts code between .. ?>.
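The extraction step above has one subtlety worth seeing in code: a "?>" inside a string literal or a /* */ comment does not end a PHP block, while a "?>" inside a // or # line comment does (that is how PHP's own lexer behaves). The following is an added example written for this page, not code from pyparsephp: a small extractor that walks a page with the open tags <?php, <? and <?=, honours those rules, and lets an unterminated block run to end of file. The sample page is constructed here and is not one of the project's test cases.

```python
import re

# Constructed sample page (not from the project's test cases): HTML mixed
# with several PHP blocks, exercising the tricky cases described above.
SAMPLE_PAGE = """<html><body>
<?php
$name = $_GET['name'];   // the request parameter, unvalidated
/* a block comment containing ?> is not a close tag */
echo "<p>?> still inside php</p>";
?>
<p>Hello <?= htmlspecialchars($name) ?></p>
<?php echo 'x'; // a line comment ends at ?> just like PHP's lexer
<p>more html</p>
<?php
echo 'an unterminated block runs to end of file';
"""

# Matches "<?php", "<?=" and the bare short tag "<?".
OPEN_TAG = re.compile(r'<\?(?:php\b|=)?', re.IGNORECASE)


def find_close_tag(src, pos):
    """Return the index of the '?>' that ends the block starting at pos,
    or len(src) if the block runs to end of file.  A '?>' inside a quoted
    string or a block comment is skipped; a '?>' inside a line comment
    ends the block, as in PHP itself."""
    n = len(src)
    i = pos
    while i < n:
        c = src[i]
        if c in ('"', "'"):
            quote = c
            i += 1
            while i < n and src[i] != quote:
                if src[i] == '\\':
                    i += 1          # skip the escaped character
                i += 1
            i += 1                  # step past the closing quote
            continue
        if src.startswith('/*', i):
            end = src.find('*/', i + 2)
            i = n if end == -1 else end + 2
            continue
        if src.startswith('//', i) or c == '#':
            # line comment: runs to the newline or to a close tag
            while i < n and src[i] != '\n' and not src.startswith('?>', i):
                i += 1
            continue
        if src.startswith('?>', i):
            return i
        i += 1
    return n


def extract_php_blocks(src):
    """Return the list of PHP code blocks in src, tags removed.  A short
    echo tag '<?= expr ?>' is rewritten as 'echo expr;' so every block is
    plain PHP statements."""
    blocks = []
    pos = 0
    while True:
        m = OPEN_TAG.search(src, pos)
        if not m:
            break
        start = m.end()
        end = find_close_tag(src, start)
        body = src[start:end]
        if m.group(0).lower() == '<?=':
            body = 'echo ' + body.strip() + ';'
        blocks.append(body.strip())
        pos = end + 2
    return blocks


if __name__ == '__main__':
    for i, block in enumerate(extract_php_blocks(SAMPLE_PAGE), 1):
        print('--- block %d ---' % i)
        print(block)
```

Running the block prints four code blocks from the constructed page; the first still contains the "?>" that sits inside a string, and the third stops at the "?>" inside its line comment. A per-character scan like this is what keeps a later analysis from silently losing the tail of a block (or swallowing HTML as code) when a page contains the close tag in a string.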
phpgetfunctions.py
usage: phpgetfunctions.py [-h] -d DIR [-o OUTPUT]
optional arguments:
-h, --help show this help message and exit
-d DIR, --dir DIR Directory
-o OUTPUT, --output OUTPUT
Output file
phpgetfunctions.py extracts functions from PHP files.
phpgetclass.py
usage: phpgetclass.py [-h] -d DIR [-o OUTPUT] [-e]
optional arguments:
-h, --help show this help message and exit
-d DIR, --dir DIR Directory
-o OUTPUT, --output OUTPUT
Output file
-e, --execdot Execute dot
phpgetclass.py extracts classes from PHP files and generates a class diagram in the form of a Graphviz dot file. If the -e parameter is supplied it also tries to run dot and render the class diagram as a PNG (note: Graphviz must be installed).
Example:
>pyparsephp>phpgetclass.py -d testcases\classes\simple -o testcases\classes\simple.report -e
Parsing classes
Generating testcases\classes\simple.report
Generating testcases\classes\simple.report.dot
Generating testcases\classes\simple.report.dot.png
simple.report
\A
extends: None
implements: None
use: []
functions
a1
{'body': ['function a1()', '{', '}'],
'name': 'a1',
'use_predef': {
'files': [], 'get': [], 'global': [], 'request': [],
'server': [], 'session': [], 'cookie': [], 'env': [],
'post': []
}, 'access': None, 'static': False, 'params': None}
\X
extends: None
implements: None
use: []
functions
x2
{'body': ['public function x2()', '{', '}'],
'name': 'x2',
'use_predef': {
'files': [], 'get': [], 'global': [], 'request': [],
'server': [], 'session': [], 'cookie': [], 'env': [],
'post': []
}, 'access': 'public', 'static': False, 'params': None}
x3
{'body': ['protected function x3()', '{', '}'],
'name': 'x3',
'use_predef': {
'files': [], 'get': [], 'global': [], 'request': [],
'server': [], 'session': [], 'cookie': [], 'env': [],
'post': []
}, 'access': 'protected', 'static': False, 'params': None}
x1
{'body': ['private function x1()', '{', '}'],
'name': 'x1',
'use_predef': {
'files': [], 'get': [], 'global': [], 'request': [],
'server': [], 'session': [], 'cookie': [], 'env': [],
'post': []
}, 'access': 'private', 'static': False, 'params': None}
x4
{'body': ['function x4()', '{', '}'],
'name': 'x4',
'use_predef': {
'files': [], 'get': [], 'global': [], 'request': [],
'server': [], 'session': [], 'cookie': [], 'env': [],
'post': []
}, 'access': None, 'static': False, 'params': None}
\B
extends: None
implements: None
use: []
functions
\C
extends: \A
implements: \B
use: []
functions
\Y
extends: \C
implements: None
use: []
functions
\Z
extends: \Y
implements: None
use: []
functions
dot report: simple.report.dot
digraph G {
Node1 [label="\\A", shape=box];
Node2 [label="\\X", shape=box];
Node3 [label="\\B", shape=box, style=dotted];
Node4 [label="\\C", shape=box];
Node5 [label="\\Y", shape=box];
Node6 [label="\\Z", shape=box];
Node4 -> Node1;
Node4 -> Node3 [style=dotted];
Node5 -> Node4;
Node6 -> Node5;
}
dot graphical result: simple.report.dot.png (rendered class diagram; image not included in this text)
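To make the mapping from PHP declarations to the dot report above concrete, here is an added example (written for this page, not the project's phpgetclass.py): it pulls class and interface declarations out of PHP source with a regular expression, records extends/implements relationships, and emits a digraph in the same style as the report: classes as boxes, interfaces as dotted boxes, extends edges solid, implements edges dotted, nodes numbered in order of appearance. The PHP input is constructed here to reproduce the hierarchy of the simple example (A, X, B, C, Y, Z); the namespace prefix is assumed to be the global one.

```python
import re

# Constructed PHP source reproducing the hierarchy of the page's simple
# example (written here, not copied from the project's test cases).
SAMPLE_PHP = r"""<?php
class A { function a1() {} }
class X { public function x2() {} }
interface B {}
class C extends A implements B {}
class Y extends C {}
class Z extends Y {}
"""

# class/interface NAME [extends PARENT] [implements I1, I2, ...] {
# Assumption: declarations are not hidden inside strings or comments.
DECL = re.compile(
    r'\b(class|interface)\s+(\w+)'
    r'(?:\s+extends\s+(\w+))?'
    r'(?:\s+implements\s+([\w\s,]+?))?\s*\{', re.IGNORECASE)


def parse_classes(src, namespace='\\'):
    """Return an ordered list of dicts, one per class or interface found,
    with names qualified by the given namespace prefix (global by default)."""
    decls = []
    for m in DECL.finditer(src):
        kind, name, parent, ifaces = m.groups()
        decls.append({
            'name': namespace + name,
            'interface': kind.lower() == 'interface',
            'extends': namespace + parent if parent else None,
            'implements': [namespace + i.strip()
                           for i in ifaces.split(',')] if ifaces else [],
        })
    return decls


def to_dot(decls):
    """Emit a Graphviz digraph in the style of phpgetclass.py's report:
    boxes for classes, dotted boxes for interfaces, solid edges for
    extends and dotted edges for implements."""
    ids = {d['name']: 'Node%d' % (i + 1) for i, d in enumerate(decls)}
    lines = ['digraph G {']
    for d in decls:
        label = d['name'].replace('\\', '\\\\')   # escape for dot labels
        style = ', style=dotted' if d['interface'] else ''
        lines.append('    %s [label="%s", shape=box%s];'
                     % (ids[d['name']], label, style))
    for d in decls:
        # Edges only to types declared in the scanned source; a parent
        # defined elsewhere (e.g. a framework base class) is left out.
        if d['extends'] in ids:
            lines.append('    %s -> %s;' % (ids[d['name']], ids[d['extends']]))
        for iface in d['implements']:
            if iface in ids:
                lines.append('    %s -> %s [style=dotted];'
                             % (ids[d['name']], ids[iface]))
    lines.append('}')
    return '\n'.join(lines)


if __name__ == '__main__':
    print(to_dot(parse_classes(SAMPLE_PHP)))
```

The printed digraph matches the simple.report.dot shown above node for node and edge for edge; feeding it to dot -Tpng gives the same picture the -e option produces.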
phpgetexecutable.py
usage: phpgetexecutable.py [-h] -d DIR [-o OUTPUT] [-p]
optional arguments:
-h, --help show this help message and exit
-d DIR, --dir DIR Directory
-o OUTPUT, --output OUTPUT
Output file
-p, --params Show only if predefined variables ($_GET, $_POST, etc.) are present
phpgetexecutable.py extracts the code from PHP pages that runs as soon as the page is loaded, i.e. the top-level statements; function and class definitions are skipped.
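The split that phpgetfunctions.py and phpgetexecutable.py perform, and the 'use_predef' tally that appears in the class report above, can be shown together. The following is an added example written for this page, not code from pyparsephp: it separates top-level statements from function and class definitions by tracking brace depth (a simplified, line-based approach assumed here), and for any unit tallies the predefined variables it references using the same keys as the report's 'use_predef' dict. What the project stores in those lists is not stated on the page; this example stores the matching source lines. The -p behaviour is modelled by returning nothing when the top-level code touches no predefined variable. The sample PHP is constructed here.

```python
import re

# Constructed sample page (not one of the project's test cases).
SAMPLE_PHP = r"""<?php
$id = $_GET['id'];                       // top-level: runs on every load
function lookup($db, $id) {
    return $db->query("SELECT * FROM t WHERE id = " . $_POST['id']);
}
class Page {
    public function render() { echo $_SERVER['REQUEST_URI']; }
}
$r = lookup($db, $id);
echo $r;
"""

# Keys follow the 'use_predef' dict shown in the class report.
PREDEF = {
    'get': '$_GET', 'post': '$_POST', 'request': '$_REQUEST',
    'cookie': '$_COOKIE', 'server': '$_SERVER', 'session': '$_SESSION',
    'files': '$_FILES', 'env': '$_ENV', 'global': '$GLOBALS',
}
DEF_START = re.compile(
    r'^\s*(?:(?:abstract|final)\s+)?(?:function\s+(\w+)|class\s+(\w+))')


def count_braces(line):
    """Net brace depth change for one line, ignoring braces in strings."""
    depth, quote, i = 0, None, 0
    while i < len(line):
        c = line[i]
        if quote:
            if c == '\\':
                i += 1
            elif c == quote:
                quote = None
        elif c in ('"', "'"):
            quote = c
        elif c == '{':
            depth += 1
        elif c == '}':
            depth -= 1
        i += 1
    return depth


def split_units(src):
    """Return (executable_lines, definitions).  A definition is a dict with
    'kind' ('function' or 'class'), 'name' and its 'lines'; everything at
    brace depth 0 that is not a definition is executable on page load."""
    executable, defs, current = [], [], None
    for line in src.splitlines():
        if current is None:
            m = DEF_START.match(line)
            if not m:
                if line.strip() and not line.strip().startswith('<?'):
                    executable.append(line)
                continue
            current = {'kind': 'function' if m.group(1) else 'class',
                       'name': m.group(1) or m.group(2),
                       'lines': [], 'depth': 0, 'opened': False}
        current['lines'].append(line)
        current['depth'] += count_braces(line)
        current['opened'] = current['opened'] or '{' in line
        if current['opened'] and current['depth'] <= 0:
            defs.append(current)
            current = None
    return executable, defs


def use_predef(lines):
    """Tally of predefined variables in the shape of the report's
    'use_predef' dict: each key maps to the lines that reference it."""
    found = dict((key, []) for key in PREDEF)
    for line in lines:
        for key, var in PREDEF.items():
            if var in line:
                found[key].append(line.strip())
    return found


def report(src, only_with_predef=False):
    """Top-level code and its predefined-variable tally; with
    only_with_predef (the -p option) return None when none is used."""
    executable, defs = split_units(src)
    tally = use_predef(executable)
    if only_with_predef and not any(tally.values()):
        return None
    return executable, tally


if __name__ == '__main__':
    result = report(SAMPLE_PHP, only_with_predef=True)
    if result:
        lines, tally = result
        print('\n'.join(lines))
        print(dict((k, v) for k, v in tally.items() if v))
```

For the sample page the top-level code is three lines and only $_GET is touched there; the $_POST use sits inside lookup(), which is why a function-level tally (use_predef on a definition's lines) matters as much as the page-level one when hunting for request data flowing into a query.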