0
import os
def find_method(name):
        i = 0
        found_dic = { "$_GET":[], "$_POST":[], "include":[], "require":[], "mysql_query":[], "SELECT":[], "system":[], "exec":[], "passthru":[], "readfile":[], "fopen":[], "eval":[] }

        for i, line in enumerate(file(name, "r")):
                found = False
                for key in found_dic:
                        if key in line.strip():
                                found_dic[key].append("LINE:"+str(i)+":" + key)
                                found = True

        for key in found_dic:
                if found_dic[key]:
                        print " ", "-"*10, key, "-"*10
                        for r in found_dic[key]:
                               print "  ",r

def search(dirname):
        flist = os.listdir(dirname)
        for f in flist:
                next = os.path.join(dirname, f)
                if os.path.isdir(next):
                        search(next)
                else:
                        doFileWork(next)

def doFileWork(filename):
        ext = os.path.splitext(filename)[-1]
        #if ext == '.html': print filename
        if ext == '.php':
               # print "target:" + filename
                find_method(filename)

problem here 1. I need my result need to show like 

EX) === /var/www/html/zboard/zboard.php ==
---------- exec ----------
   LINE:288:$a_setup="<a onfocus=blur() href='admin_setup.php?exec=view_board&no=$setup[no]&group_no=$setup[group_no]&exec2=modify' target=_blank>"; else $a_setup="<Zeroboard ";

but this only shows like 

---------- exec ----------
   LINE:287:exec
  ---------- mysql_query ----------
   LINE:43:mysql_query
   LINE:95:mysql_query
   LINE:120:mysql_query

how can I show like example using this code

poke
  • 369,085
  • 72
  • 557
  • 602
Kyung Park
  • 1
  • 2
  • You really should be using `os.walk` instead of trying to build it yourself on top of `os.listdir` and `os.path.isdir`. (Also, `next` is a built-in function, so you probably don't want to rebind it to mean something else.) – abarnert Apr 02 '13 at 21:57

2 Answers2

0

If I understand your question correctly, you're asking how to get the absolute file path. That question has already been answered in this stackoverflow question.

To repeat the answer you'll find there:

>>> import os
>>> os.path.abspath("mydir/myfile.txt")
Community
  • 1
  • 1
Rob Watts
  • 6,866
  • 3
  • 39
  • 58
  • I don't think this is his problem. It's not that he's printing a relative path rather than an absolute path, but that he's not printing any path at all. – abarnert Apr 02 '13 at 22:05
0

It seems like you have two different problems.

First, you apparently want to prefix each batch of "finds" with the file they were found in, like this:

EX) === /var/www/html/zboard/zboard.php ==

I'm not sure exactly what that format is supposed to be, but… you've got all the info you need in doFileWork, and you just aren't printing it. Just add this line to the top of the doFileWork function:

print "EX) === {} ==".format(filename)

If you want to guarantee that it's an absolute path, even if you started with a relative path, just:

print "EX) === {} ==".format(os.path.abspath(filename))

Second, you apparently want each match to print the entire matching line, rather than just the matched key.

Again, you also have the info you need; the problem is that you're explicitly using key instead of line.strip(). Just replace this:

found_dic[key].append("LINE:"+str(i)+":" + key)

… with this:

found_dic[key].append("LINE:"+str(i)+":" + line.strip())
abarnert
  • 354,177
  • 51
  • 601
  • 671