" . update_finding_status() . ""; } elseif ($action == 'update_finding_ia_controls') { print "" . update_finding_ia_controls() . ""; } elseif ($action == 'update_finding_notes') { print "" . update_finding_notes() . ""; } elseif ($action == 'update_risk_status') { print update_risk_status(); } elseif ($action == 'update_risk_analysis') { print update_risk_analysis(); } elseif ($action == 'update_control_completion') { print update_control_completion(); } elseif ($action == 'update_stig_control') { print update_stig_control(); } elseif ($action == 'refresh_counts') { print "" . refresh_counts() . ""; } elseif ($action == 'get_control_details') { if ($_REQUEST['id'] == 'overall') { print get_STE_details(); } else { print get_control_details(); } } elseif ($action == 'update_STE') { print update_STE_details(); } elseif ($action == 'update_STE_risk') { $conn->real_query( "UPDATE `sagacity`.`ste` SET `risk_status`='" . strtolower($conn->real_escape_string($_REQUEST['status'])) . "' WHERE `id`=" . $conn->real_escape_string($ste)); } elseif ($action == 'get_hosts') { $cat_id = filter_input(INPUT_POST, 'cat_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE); if (is_numeric($cat_id)) { print get_hosts($cat_id); } else { print json_encode(['error' => 'Invalid category ID']); } } elseif ($action == 'new-get-hosts') { $cat_id = filter_input(INPUT_POST, 'cat-id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE); if (is_numeric($cat_id)) { print new_get_hosts($cat_id); } else { print json_encode(['error' => 'Invalid category ID']); } } elseif ($action == 'get_target_data') { print get_target_data($_REQUEST['type']); } elseif ($action == 'save_filter') { print $db->save_Filter($_REQUEST['type'], $_REQUEST['name'], $_REQUEST['criteria']); } elseif ($action == 'target-filter') { print header(JSON) . target_filter($ste, $_REQUEST['criteria']); } elseif ($action == 'scan-filter') { print scan_filter($ste, $_REQUEST['criteria']); } elseif ($action == 'finding-filter') { print finding_filter($ste, $_REQUEST['criteria']); } elseif ($action == 'reference-filter') { print reference_filter($ste, $_REQUEST['criteria']); } elseif ($action == 'get-saved-filter') { print get_saved_filter($_REQUEST['type'], $_REQUEST['name']); } elseif ($action == 'update-target-field') { print update_target_field($_REQUEST['field'], $_REQUEST['data']); } elseif ($action == 'get_category_details') { $cat_id = filter_input(INPUT_POST, 'cat_id', FILTER_VALIDATE_INT); print header(JSON) . get_category_details($cat_id); } elseif ($action == 'add_scans') { $import = new import(); $import->scan_Result_Files(false); print header(JSON) . json_encode(array( 'success' => 'Thread running' )); } elseif ($action == 'auto-categorize') { $db->auto_Catorgize_Targets($ste); print header(JSON) . json_encode([ 'success' => 'Categorized Targets' ]); } elseif ($action == 'delete-cat') { $cat_id = filter_input(INPUT_POST, 'cat_id', FILTER_VALIDATE_INT); if ($db->delete_Cat($cat_id)) { print header(JSON) . json_encode([ 'success' => 'Successfully deleted category' ]); } } elseif ($action == 'delete-file') { $file = filter_input(INPUT_POST, 'filename', FILTER_SANITIZE_STRING); $file = realpath($file); if ($file && preg_match("/^" . preg_quote(TMP, '/') . "/", $file)) { if (unlink($file)) { print header(JSON) . json_encode([ 'success' => 'Deleted file' ]); } else { print header(JSON) . json_encode([ 'error' => "Failed to delete $file" ]); } } else { $file = filter_input(INPUT_POST, 'filename', FILTER_SANITIZE_STRING); print header(JSON) . json_encode([ 'error' => "$file does not exist" ]); } } elseif ($action == 'get-cat-data') { $fname = filter_input(INPUT_POST, 'fname', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE); $checklist = $db->get_Checklist_By_File($fname); if (isset($checklist[0])) { $chk = $checklist[0]; $chk->type = ucfirst($chk->type); print header(JSON) . json_encode($chk); } else { print header(JSON) . json_encode(array('error' => 'Error finding checklist')); } } elseif ($action == 'checklist-remove-software') { $chk_id = filter_input(INPUT_POST, 'chk_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE); $sw_id = filter_input(INPUT_POST, 'sw_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE); $db->help->delete("sagacity.checklist_software_lookup", null, array( array( 'field' => 'chk_id', 'op' => '=', 'value' => $chk_id ), array( 'field' => 'sw_id', 'op' => '=', 'value' => $sw_id, 'sql_op' => 'AND' ) )); if ($db->help->execute()) { print header(JSON) . json_encode(array('success' => 'Relationship deleted')); } else { print header(JSON) . json_encode(array('error' => 'Failed to delete relationship')); } } elseif ($action == 'checklist-add-software') { $sw_id = filter_input(INPUT_POST, 'sw_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE); $chk_id = filter_input(INPUT_POST, 'chk_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE); $db->help->insert("checklist_software_lookup", array( 'sw_id' => $sw_id, 'chk_id' => $chk_id ), true); if (!$db->help->execute()) { print header(JSON) . json_encode(array('status' => 'Error adding the software to the checklist')); } else { print header(JSON) . json_encode(array('status' => 'Successfully added the software')); } } elseif ($action == 'save-checklist') { $rel_date = new DateTime(filter_input(INPUT_POST, 'rel-date', FILTER_SANITIZE_STRING)); $db->help->update("sagacity.checklist", [ 'name' => filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING), 'description' => filter_input(INPUT_POST, 'desc', FILTER_SANITIZE_STRING), 'icon' => filter_input(INPUT_POST, 'icon', FILTER_SANITIZE_STRING), 'date' => (is_a($rel_date, 'DateTime') ? $rel_date->format(MYSQL_D_FORMAT) : (new DateTime())->format(MYSQL_D_FORMAT)) ], [ [ 'field' => 'id', 'op' => '=', 'value' => filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT) ] ]); if($db->help->execute()) { print json_encode(['success' => 'Successfully updated checklist']); } else { print json_encode(['error' => 'Error updating checklist']); } } elseif ($action == 'export-ckl') { $cat_id = filter_input(INPUT_POST, 'cat', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE); $tgt_id = filter_input(INPUT_POST, 'tgt', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE); $script = null; if (!is_numeric($ste)) { die; } if ($cat_id && is_numeric($cat_id)) { $script = (defined('PHP_BIN') ? realpath(PHP_BIN) : realpath(PHP)) . " -c " . realpath(PHP_CONF) . " -f " . realpath(DOC_ROOT . "/exec/export-ckl.php") . " --" . " -s=$ste" . " -c=$cat_id"; } elseif ($tgt_id && is_numeric($tgt_id)) { $script = (defined('PHP_BIN') ? realpath(PHP_BIN) : realpath(PHP)) . " -c " . realpath(PHP_CONF) . " -f " . realpath(DOC_ROOT . "/exec/export-ckl.php") . " --" . " -s=$ste" . " -t=$tgt_id"; } if (!is_null($script)) { if (strtolower(substr(PHP_OS, 0, 3)) == "win") { $shell = new COM("WScript.Shell"); $shell->CurrentDirectory = DOC_ROOT . "/exec"; $shell->run($script, 0, false); } elseif (strtolower(substr(PHP_OS, 0, 3)) == 'lin') { exec("cd " . realpath(DOC_ROOT . "/exec") . " && {$script} > /dev/null &"); } } } elseif ($action == 'delete-host') { $sel_tgts = json_decode(html_entity_decode(filter_input(INPUT_POST, 'selected_tgts', FILTER_SANITIZE_STRING))); if (is_array($sel_tgts) && count($sel_tgts)) { foreach ($sel_tgts as $tgt_id) { if (!$db->delete_Target($tgt_id)) { print header(JSON) . json_encode(array('error' => "Failed to delete target ID $tgt_id")); break; } } } elseif (is_numeric($sel_tgts)) { if (!$db->delete_Target($sel_tgts)) { print header(JSON) . json_encode(array('error' => "Failed to delete target ID $sel_tgts")); } } print header(JSON) . json_encode(['success' => "Deleted all selected target(s)"]); } elseif ($action == 'get-target-notes') { $tgt_id = filter_input(INPUT_POST, 'tgt-id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE); if (is_numeric($tgt_id) && $tgt_id > 0) { $db->help->select("target", ['notes'], [ [ 'field' => 'id', 'op' => '=', 'value' => $tgt_id ] ]); $row = $db->help->execute(); if (is_array($row) && count($row) && isset($row['notes'])) { print header(JSON) . json_encode(['notes' => $row['notes']]); } } } elseif ($action == 'save-target-notes') { $tgt_id = filter_input(INPUT_POST, 'tgt-id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE); $notes = filter_input(INPUT_POST, 'notes', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE); if (is_numeric($tgt_id) && $tgt_id > 0) { $db->help->update("target", [ 'notes' => htmlentities($notes) ], [ [ 'field' => 'id', 'op' => '=', 'value' => $tgt_id ] ]); if ($db->help->execute()) { print header(JSON) . json_encode(['success' => 'Updated target notes']); } else { print header(JSON) . json_encode(['error' => $db->help->c->error]); } } } elseif ($action == 'get-load-status') { $set = $db->get_Settings([ 'cpe-count', 'cpe-dl-progress', 'cpe-progress', 'cve-count', 'cve-dl-progress', 'cve-progress', 'nvd-cve-count', 'nvd-cve-dl-progress', 'nvd-cve-progress', 'nvd-year', 'stig-count', 'stig-dl-progress', 'stig-progress', 'nasl-count', 'nasl-dl-progress', 'nasl-progress' ]); print json_encode($set); } elseif ($action == 'delete-scan') { $scan_id = filter_input(INPUT_POST, 'scan-id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE); $del_tgts = (bool) filter_input(INPUT_POST, 'delete-targets', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE); if ($scan_id) { if ($db->delete_Scan($ste, $scan_id, $del_tgts)) { print json_encode(['success' => 'Deleted Scan']); } else { print json_encode(['error' => 'Error deleting scan']); } } } function update_tgt_notes() { global $db; $notes = str_replace(" ", "", filter_input(INPUT_POST, 'notes', FILTER_SANITIZE_STRING)); $tgt = filter_input(INPUT_POST, 'tgt', FILTER_VALIDATE_INT); $db->help->update("sagacity.target", array( 'notes' => $notes ), array( array( 'field' => 'id', 'op' => '=', 'value' => $tgt ) )); if (!$db->help->execute()) { return "failure"; } else { return "success"; } } function chk_filter() { global $db; $tgt_id = filter_input(INPUT_POST, 'tgt_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE); $filter = filter_input(INPUT_POST, 'filter', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE); $hide_old = (boolean) filter_input(INPUT_POST, 'hide_old', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE); $ret = array(); $db->help->create_table("c", true, $db->help->select("sagacity.checklist", null, array(), array( 'order' => '`ver` DESC, CONVERT(`release`, DECIMAL(4,2)) DESC' ))); if (!$db->help->execute()) { return $ret; } $where = array(); $flags = array(); if (!empty($filter)) { $where = array( array( 'field' => 'c.name', 'op' => LIKE, 'value' => "'%{$filter}%'" ) ); } if (!empty($tgt_id)) { $where[] = array( 'field' => 'tc.chk_id', 'op' => IS, 'value' => null, 'sql_op' => 'AND' ); $flags['table_joins'] = array( "LEFT JOIN sagacity.target_checklist tc ON tc.chk_id = c.id AND tc.tgt_id = $tgt_id" ); $flags['order'] = 'c.name'; } if ($hide_old) { $flags['group'] = 'c.name, c.type, c.id'; } $db->help->select("c", array('c.id'), $where, $flags); $rows = $db->help->execute(); if (is_array($rows) && count($rows) && isset($rows['id'])) { $rows = array(0 => $rows); } if (is_array($rows) && count($rows) && isset($rows[0])) { foreach ($rows as $row) { $chk = $db->get_Checklist($row['id']); if (is_array($chk) && count($chk) && isset($chk[0]) && is_a($chk[0], 'checklist')) { $ret[] = $chk[0]; } } } return json_encode($ret); } function sw_filter($is_os = false) { global $db; $ret = []; $filter = "'%" . filter_input(INPUT_POST, 'filter', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE) . "%'"; $tgt_id = filter_input(INPUT_POST, 'tgt_id', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE); $db->help->select("sagacity.software s", ['s.id', 's.cpe', 's.sw_string'], [ [ 'field' => 's.cpe', 'op' => LIKE, 'value' => $filter, 'open-paren' => true ], [ 'field' => 's.sw_string', 'op' => LIKE, 'value' => $filter, 'sql_op' => 'OR' ], [ 'field' => 's.short_sw_string', 'op' => LIKE, 'value' => $filter, 'sql_op' => 'OR', 'close-paren' => true ], [ 'field' => 'ts.sft_id', 'op' => IS, 'value' => null, 'sql_op' => 'AND' ], [ 'field' => 's.cpe', 'op' => LIKE, 'value' => ($is_os ? "'%/o%'" : "'%/a%'"), 'sql_op' => 'AND' ] ], [ 'table_joins' => [ "LEFT JOIN `sagacity`.`target_software` ts ON ts.`sft_id` = s.`id`" . ($tgt_id ? " AND ts.`tgt_id` = $tgt_id" : "") ], 'order' => 's.cpe' ]); $sw = $db->help->execute(); if (is_array($sw) && count($sw) && isset($sw['id'])) { $sw = [0 => $sw]; } if (is_array($sw) && count($sw) && isset($sw[0])) { foreach ($sw as $row) { $ret[] = [ 'sw_id' => $row['id'], 'cpe' => $row['cpe'], 'sw_string' => $row['sw_string'] ]; } } return header(JSON) . json_encode($ret); } function update_proc_status() { global $conn, $ste; $control_id = str_replace("_", "-", substr(param('control'), 0, -7)); if (preg_match("/[A-Z]{4}\-\d\-\d/", $control_id)) { $proc_id = $control_id; $sql = "SELECT `ctrl_id` " . "FROM `sagacity`.`proc_findings` " . "WHERE " . "`ste_id`=" . $conn->real_escape_string($ste) . " AND " . "`proc_id`='" . $conn->real_escape_string($control_id) . "'"; if ($res = $conn->query($sql)) { if ($res->num_rows) { $row = $res->fetch_array(MYSQLI_ASSOC); $sql = "UPDATE `sagacity`.`proc_findings` " . "SET `status`='" . $conn->real_escape_string($_REQUEST['status']) . " " . "WHERE `ste_id`=" . $conn->real_escape_string($ste) . " AND " . "`proc_id`='" . $conn->real_escape_string($row['ctrl_id']) . "'"; } else { $sql = "INSERT INTO `sagacity`.`proc_findings` (`ste_id`,`ctrl_id`,`proc_id`,`status`) VALUES (" . $_REQUEST['ste'] . "," . "'" . $conn->real_escape_string(substr($proc_id, 0, 6)) . "'" . "'" . $conn->real_escape_string($proc_id) . "'" . "'" . $conn->real_escape_string($_REQUEST['status']) . "')"; } if (!$conn->real_query($sql)) { error_log($conn->error); Sagacity_Error::sql_handler($sql); } } } else { $sql = "SELECT `sub_control_id` FROM `sagacity`.`proc_ia_sub_controls` WHERE `parent_control_id`=?"; $sub_ctrls = db_helper::selectrow_array($conn, db_helper::mysql_escape_string($conn, $sql, $control_id)); foreach ($sub_ctrl as $proc_id) { $sql = "SELECT COUNT(1) FROM `sagacity`.`proc_findings` WHERE `ste_id`=? AND `proc_id`=?"; $sql = db_helper::mysql_escape_string($conn, $sql, $_REQUEST['ste'], $proc_id); list($cnt) = db_helper::selectrow_array($conn, $sql); if ($cnt) { db_helper::run($conn, "UPDATE `sagacity`.`proc_findings` SET `status`=? WHERE `ste_id`=? AND `proc_id`=?", $_REQUEST['status'], $_REQUEST['ste'], $proc_id); } else { db_helper::run($conn, "INSERT INTO `sagacity`.`proc_findings` (`ste_id`,`ctrl_id`,`proc_id`,`status`) VALUES (?,?,?,?)", $_REQUEST['ste'], $control_id, $proc_id, $_REQUEST['status']); } } } } function update_proc_notes() { $control_id = $field = $_REQUEST['control']; $match = array(); if (preg_match("/([A-Z]{4}\_\d\_\d)/", $control_id, $match)) { $control_id = str_replace("_", "-", $match[1]); $sql = "SELECT COUNT(1) FROM `sagacity`.`proc_findings` WHERE `ste_id`=? AND `proc_id`=?"; switch ($field) { case (preg_match("/_test_result/", $field) ? true : false): $field = "`test_results`"; break; case (preg_match("/_mit/", $field) ? true : false): $field = "`mitigations`"; break; case (preg_match("/_milestone/", $field) ? true : false): $field = "`milestones`"; break; case (preg_match("/_ref/", $field) ? true : false): $field = "`ref`"; break; case (preg_match("/_notes/", $field) ? true : false): $field = "`notes`"; break; default: $field = ""; } list($cnt) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste'], $control_id); if ($cnt) { $sql = "UPDATE `sagacity`.`proc_findings` SET=? WHERE `ste_id`=? AND `proc_id`=?"; db_helper::run($conn, $sql, $_REQUEST['notes'], $_REQUEST['ste'], $control_id); } else { $sql = "INSERT INTO `sagacity`.`proc_findings` (`ste_id`,`ctrl_id`,`proc_id`,`status`,$field) VALUES (?,?,?,?,?)"; db_helper::run($conn, $sql, $_REQUEST['ste'], substr($control_id, 0, 6), $control_id, "Not Reviewed", $_REQUEST['notes']); } } elseif (preg_match("/([A-Z]{4}\_\d)/", $control_id, $match)) { $control_id = str_replace("_", "-", $match[1]); $sql = "SELECT COUNT(1) FROM `sagacity`.`control_findings` WHERE `ste_id`=? AND `control_id`=?"; list($cnt) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste'], $control_id); switch ($field) { case (preg_match("/_vul_desc/", $field) ? true : false): $field = "`vul_desc`"; break; case (preg_match("/_mit/", $field) ? true : false): $field = "`mitigations`"; break; case (preg_match("/_ref/", $field) ? true : false): $field = "`ref`"; break; case (preg_match("/_notes/", $field) ? true : false): $field = "`notes`"; break; default: $field = ""; } if ($cnt) { $sql = "UPDATE `sagacity`.`control_findings` SET $field=? WHERE `ste_id`=? AND `control_id`=?"; db_helper::run($conn, $sql, $_REQUEST['notes'], $_REQUEST['ste'], $control_id); } else { $sql = "INSERT INTO `sagacity`.`control_findings` (`control_id`,`ste_id`,$field,`risk_status`) " . "VALUES (?,?,?,(SELECT LOWER(`impact`) FROM `sagacity`.`proc_ia_controls` WHERE `control_id`=?))"; db_helper::run($conn, $sql, $control_id, $_REQUEST['ste'], $_REQUEST['notes'], $control_id); } } return true; } function refresh_counts() { $ret = ''; $sql = "SELECT `id`,`name` FROM `ste_cat` WHERE `ste_id`=?"; $cats = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id']); foreach ($cats as $key => $cat) { $sql2 = "SELECT (SELECT COUNT(1) " . "FROM `sagacity`.`target` t " . "LEFT JOIN `target_checklist` tc ON t.`id`=tc.`tgt_id` " . "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " . "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " . "LEFT JOIN `findings_status` fs ON fs.`id`=f.`findings_status_id` " . "WHERE t.`cat_id`=? AND " . "fs.`status`='Open' AND " . "f.`cat`=?) + " . "(SELECT COUNT(1) AS 'total' " . "FROM `checklist` c " . "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " . "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` " . "LEFT JOIN `findings_status` fs ON f.`findings_status_id`=fs.`id` " . "JOIN `target` t ON t.`id`=f.`tgt_id` " . "WHERE t.`cat_id`=? AND " . "c.`name`='Orphan' AND " . "fs.`status`='Open' AND " . "f.`cat`=?) AS 'sum_total'"; list($open_cat_1) = db_helper::selectrow_array($conn, $sql2, $row['id'], '1', $row['id'], '1'); list($open_cat_2) = db_helper::selectrow_array($conn, $sql2, $row['id'], '2', $row['id'], '2'); list($open_cat_3) = db_helper::selectrow_array($conn, $sql2, $row['id'], '3', $row['id'], '3'); $sql2 = "SELECT (SELECT COUNT(1) " . "FROM `target` t " . "LEFT JOIN `target_checklist` tc ON t.`id`=tc.`tgt_id` " . "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " . "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " . "LEFT JOIN `findings_status` fs ON fs.`id`=f.`findings_status_id` " . "WHERE t.`cat_id`=? AND " . "(fs.`status`='Not Reviewed' OR fs.`status` IS NULL)) + " . "(SELECT COUNT(1) AS 'total' " . "FROM `checklist` c " . "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " . "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` " . "LEFT JOIN `findings_status` fs ON f.`findings_status_id`=fs.`id` " . "JOIN `target` t ON t.`id`=f.`tgt_id` " . "WHERE t.`cat_id`=? AND " . "c.`name`='Orphan' AND " . "(fs.`status`='Not Reviewed' OR fs.`status` IS NULL)) AS 'sum_total'"; list($not_reviewed) = db_helper::selectrow_array($conn, $sql2, $row['id'], $row['id']); $sql2 = "SELECT (SELECT COUNT(1) " . "FROM `target` t " . "LEFT JOIN `target_checklist` tc ON t.`id`=tc.`tgt_id` " . "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " . "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " . "LEFT JOIN `findings_status` fs ON fs.`id`=f.`findings_status_id` " . "WHERE t.`cat_id`=? AND " . "fs.`status`='Exception') + " . "(SELECT COUNT(1) AS 'total' " . "FROM `checklist` c " . "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " . "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` " . "LEFT JOIN `findings_status` fs ON f.`findings_status_id`=fs.`id` " . "JOIN `target` t ON t.`id`=f.`tgt_id` " . "WHERE t.`cat_id`=? AND " . "c.`name`='Orphan' AND " . "fs.`status`='Exception') AS 'sum_total'"; list($exception) = db_helper::selectrow_array($conn, $sql2, $row['id'], $row['id']); $sql2 = "SELECT (SELECT COUNT(1) " . "FROM `target` t " . "LEFT JOIN `target_checklist` tc ON t.`id`=tc.`tgt_id` " . "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " . "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " . "LEFT JOIN `findings_status` fs ON fs.`id`=f.`findings_status_id` " . "WHERE t.`cat_id`=? AND " . "fs.`status`='False Positive') + " . "(SELECT COUNT(1) AS 'total' " . "FROM `checklist` c " . "LEFT JOIN `pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " . "LEFT JOIN `findings` f ON f.`pdi_id`=pcl.`pdi_id` " . "LEFT JOIN `findings_status` fs ON f.`findings_status_id`=fs.`id` " . "JOIN `target` t ON t.`id`=f.`tgt_id` " . "WHERE t.`cat_id`=? AND " . "c.`name`='Orphan' AND " . "fs.`status`='False Positive') AS 'sum_total'"; list($false_positive) = db_helper::selectrow_array($conn, $sql2, $row['id'], $row['id']); $row['name'] = str_replace(array(".", "-", " "), "", $row['name']); $ret .= ""; } return $ret; } function update_finding_status() { global $conn; $sql = "UPDATE `findings` SET " . "`findings_status_id`=? " . "WHERE " . "`tgt_id`=? AND `pdi_id`=?"; db_helper::run($conn, $sql, $_REQUEST['status'], $_REQUEST['host_id'], $_REQUEST['pdi_id']); return true; } function update_finding_ia_controls() { $controls = explode(" ", $_REQUEST['ia_controls']); $host_ids = explode(",", $_REQUEST['host_id']); return true; } function update_finding_notes() { global $conn; $host_ids = explode(",", $_REQUEST['host_id']); $sql = "UPDATE `sagacity`.`findings` SET " . "`notes`=? " . "WHERE " . "`tgt_id` IN (" . implode(",", $host_ids) . ") AND `pdi_id`=?"; db_helper::run($conn, $sql, $_REQUEST['notes'], $_REQUEST['pdi_id']); return true; } /** * Function to update the result script parsing status * * @global db $db * @global int $ste * * @return array */ function update_script_status() { global $db, $ste; $ret = []; $type = filter_input(INPUT_POST, 'type', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE); $status = filter_input(INPUT_POST, 'status', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE); if (!empty($type) && !empty($status)) { $scans = $db->get_ScanData($ste, null, $status, $type); } elseif (!empty($type)) { $scans = $db->get_ScanData($ste, null, null, $type); } elseif (!empty($status)) { $scans = $db->get_ScanData($ste, null, $status); } else { $scans = $db->get_ScanData($ste); } foreach ($scans as $scan) { $file_name = str_replace(["(", ")"], "", str_replace(" ", "_", $scan->get_File_Name())); $diff = $scan->get_Last_Update()->diff($scan->get_Start_Time()); $ret[] = [ "scan_id" => $scan->get_ID(), "file_name" => $scan->get_File_Name(), "id" => $file_name, "file_date" => $scan->get_File_DateTime()->format("Y-m-d"), "pid" => $scan->get_PID(), "source" => $scan->get_Source()->get_Name(), 'source_img' => $scan->get_Source()->get_Icon(), "status" => $scan->get_Status(), "perc_comp" => $scan->get_Percentage_Complete(), "last_host" => $scan->get_Last_Host(), "start_time" => $scan->get_Start_Time()->format("Y-m-d H:i:s"), "update" => $scan->get_Last_Update()->format("Y-m-d H:i:s"), "host_count" => $scan->get_Total_Host_Count(), "error" => $scan->isScanError(), "run_time" => $diff->format("%H:%I:%S") ]; } return json_encode(['success' => 1, 'results' => $ret]); } /** * * @global mysqli $conn * @global db $db */ function get_STE_details() { global $conn, $db; $ret = ''; $open_high = $open_med = $open_low = $proc_na = $proc_c = $proc_total = $open_cat_1 = $open_cat_2 = $open_cat_3 = $tech_na = $tech_nf = $tech_total = 0; list($tech_total) = db_helper::selectrow_array($conn, "SELECT COUNT(1) FROM `sagacity`.`findings` f JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` WHERE t.`ste_id`=?", $_REQUEST['ste_id']); list($proc_total) = db_helper::selectrow_array($conn, "SELECT COUNT(1) FROM `sagacity`.`proc_findings` WHERE `ste_id`=?", $_REQUEST['ste_id']); $sql = "SELECT COUNT(1) " . "FROM `sagacity`.`proc_findings` pf " . "JOIN `sagacity`.`control_findings` cf ON pf.`ctrl_id`=cf.`control_id` " . "WHERE pf.`ste_id`=? " . "AND pf.`status`=? " . "AND cf.`risk_status`=? " ; list($open_high) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id'], 'Non-Compliant', 'high'); list($open_med) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id'], 'Non-Compliant', 'medium'); list($open_low) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id'], 'Non-Compliant', 'low'); $sql = "SELECT COUNT(1) " . "FROM `sagacity`.`proc_findings` pf " . "JOIN `sagacity`.`control_findings` cf ON pf.`ctrl_id`=cf.`control_id` " . "WHERE pf.`ste_id`=? " . "AND pf.`status`=? " ; list($proc_na) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id'], 'Not Applicable'); list($proc_c) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id'], 'Compliant'); $sql = "SELECT `ste`.`deviations`,`ste`.`recommendations`,`ste`.`residual_risk`," . "`ste`.`conclusion`,`ste`.`risk_status`,sys.`mitigations`,sys.`executive_summary` " . "FROM `sagacity`.`ste`,`sagacity`.`system` sys " . "WHERE `ste`.`system_id`=sys.`id` AND " . "`ste`.`id`=?"; list($dev, $rec, $res, $con, $status, $mit, $exec) = db_helper::selectrow_array($conn, $sql, $_REQUEST['ste_id']); $sql = "SELECT `id`,`name` FROM `sagacity`.`ste_cat` WHERE `ste_id`=?"; $cats = $db->get_STE_Cat_List($_REQUEST['ste_id']); foreach ($cats as $cat) { $sql2 = "SELECT (SELECT COUNT(1) " . "FROM `sagacity`.`target` t " . "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " . "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " . "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " . "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " . "WHERE t.`cat_id`=? AND " . "(fs.`status`='Open' OR fs.`status`='Exception') AND " . "f.`cat`=?) + " . "(SELECT COUNT(1) AS 'total' " . "FROM `sagacity`.`checklist` c " . "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " . "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` " . "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` " . "JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` " . "WHERE t.`cat_id`=? AND " . "c.`name`='Orphan' AND " . "(fs.`status`='Open' OR fs.`status`='Exception') AND " . "f.`cat`=?) AS 'sum_total'"; list($tmp) = db_helper::selectrow_array($conn, $sql2, $cat->get_ID(), '1', $cat->get_ID(), '1'); $open_cat_1 += $tmp; list($tmp) = db_helper::selectrow_array($conn, $sql2, $cat->get_ID(), '2', $cat->get_ID(), '2'); $open_cat_2 += $tmp; list($tmp) = db_helper::selectrow_array($conn, $sql2, $cat->get_ID(), '3', $cat->get_ID(), '3'); $open_cat_3 += $tmp; $sql2 = "SELECT (SELECT COUNT(1) " . "FROM `sagacity`.`target` t " . "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " . "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " . "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " . "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " . "WHERE t.`cat_id`=? AND " . "fs.`status`='Not Applicable') + " . "(SELECT COUNT(1) AS 'total' " . "FROM `sagacity`.`checklist` c " . "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " . "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` " . "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` " . "JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` " . "WHERE t.`cat_id`=? AND " . "c.`name`='Orphan' AND " . "fs.`status`='Not Applicable') AS 'sum_total'"; list($tmp) = db_helper::selectrow_array($conn, $sql2, $cat->get_ID(), $cat->get_ID()); $tech_na += $tmp; $sql2 = "SELECT (SELECT COUNT(1) " . "FROM `sagacity`.`target` t " . "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " . "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " . "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " . "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " . "WHERE t.`cat_id`=? AND " . "fs.`status`='Not a Finding') + " . "(SELECT COUNT(1) AS 'total' " . "FROM `sagacity`.`checklist` c " . "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " . "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` " . "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` " . "JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` " . "WHERE t.`cat_id`=? AND " . "c.`name`='Orphan' AND " . "fs.`status`='Not a Finding') AS 'sum_total'"; list($tmp) = db_helper::selectrow_array($conn, $sql2, $cat->get_ID(), $cat->get_ID()); $tech_nf += $tmp; } #'overall_mitigations,deviations,recommendations,residual_risk,conclusion,executive_summary' $ret .= "
" . "

Overall Mitigations

" . "" . "

Deviations

" . "" . "

Recommendations

" . "" . "Residual Risk Analysis  " . "
" . "" . "

Conclusion

" . "" . "

Executive Summary

" . "" . "
" . "
" . "

Procedural ($proc_total)

" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "
HMLNAC
$open_high$open_med$open_low$proc_na$proc_c
" . sprintf("%i%%", ($open_high / $proc_total) * 100) . "" . sprintf("%i%%", ($open_med / $proc_total) * 100) . "" . sprintf("%i%%", ($open_low / $proc_total) * 100) . "" . sprintf("%i%%", ($proc_na / $proc_total) * 100) . "" . sprintf("%i%%", ($proc_c / $proc_total) * 100) . "
" . "

Technical ($tech_total)

" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "
IIIIIINANF
$open_cat_1$open_cat_2$open_cat_3$tech_na$tech_nf
" . sprintf("%i%%", ($open_cat_1 / $tech_total) * 100) . "" . sprintf("%i%%", ($open_cat_2 / $tech_total) * 100) . "" . sprintf("%i%%", ($open_cat_3 / $tech_total) * 100) . "" . sprintf("%i%%", ($tech_na / $tech_total) * 100) . "" . sprintf("%i%%", ($tech_nf / $tech_total) * 100) . "
" . "
"; } function update_STE_details() { global $conn; if ($_REQUEST['id'] == 'deviations') { $sql = "UPDATE `sagacity`.`ste` SET `deviations`=? WHERE `id`=?"; } elseif ($_REQUEST['id'] == 'recommendations') { $sql = "UPDATE `sagacity`.`ste` SET `recommendations`=? WHERE `id`=?"; } elseif ($_REQUEST['id'] == 'residual_risk') { $sql = "UPDATE `sagacity`.`ste` SET `residual_risk`=? WHERE `id`=?"; } elseif ($_REQUEST['id'] == 'conclusion') { $sql = "UPDATE `sagacity`.`ste` SET `conclusion`=? WHERE `id`=?"; } elseif ($_REQUEST['id'] == 'overall_mitigations') { $sql = "UPDATE `sagacity`.`system` JOIN `sagacity`.`ste` ON `ste`.`system_id`=`system`.`id` SET `mitigations`=? WHERE `ste`.`id`=?"; } elseif ($_REQUEST['id'] == 'executive_summary') { $sql = "UPDATE `sagacity`.`system` JOIN `sagacity`.`ste` ON `ste`.`system_id`=`system`.`id` SET `executive_summary`=? WHERE `ste`.`id`=?"; } db_helper::run($conn, $sql, $_REQUEST['text'], $_REQUEST['ste_id']); } function get_control_details() { global $conn, $db; $ret = ''; $sql = "SELECT " . "pc.`control_id`,pc.`name`,pc.`description`,pc.`impact`," . "cf.`vul_desc`,cf.`mitigations`,cf.`risk_analysis`,cf.`risk_status`,cf.`done` " . "FROM `sagacity`.`proc_ia_controls` pc " . "LEFT JOIN `sagacity`.`control_findings` cf ON cf.`control_id`=pc.`control_id` " . "WHERE pc.`control_id`=? AND cf.`ste_id`=?"; $ste = $db->get_STE($_REQUEST['ste'])[0]; $controls = $db->get_Proc_IA_Controls($ste, $_REQUEST['id'])[0]; $risk_analysis = $controls->finding->risk_analysis; $ctrl_id = $controls->get_Control_ID(); $impact = $controls->get_Impact(); $ret .= "
" . $controls->get_Control_ID() . " - " . $controls->get_Name() . "" . "" . " " . "finding->done ? " checked" : "") . " id='done' value='1' onclick='javascript:toggle_control_completion();' />" . "" . "" . ucfirst($controls->get_Worst_Status_String()) . "" . "" . "
" . "
" . $controls->get_Description() . "
" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" ; $sql = "SELECT " . "psc.`sub_control_id`,psc.`name`,pf.`test_results`,pf.`mitigations`,pf.`status` " . "FROM `sagacity`.`proc_ia_sub_controls` psc " . "LEFT JOIN `sagacity`.`proc_findings` pf ON psc.`sub_control_id`=pf.`proc_id` " . "WHERE pf.`ste_id`=? AND " . "psc.`parent_control_id`=? AND " . "(pf.`status`='Non-Compliant' OR pf.`status`='Not Applicable')" ; if ($res = $conn->query($sql)) { while ($row = $res->fetch_array(MYSQLI_ASSOC)) { $status = str_replace(" ", "_", $row['status']); $ret .= "" . "" . "" . "" . "" ; } } $ret .= "
Procedure /
Validation Step
FindingsMitigations
" . $controls->get_Control_ID() . "
" . $controls->get_Name() . "
" . $controls->finding->vul_desc . "" . $controls->finding->mitigations . "
" . $row['sub_control_id'] . "  " . $row['status'] . "
" . $row['name'] . "
" . $row['test_results'] . "" . $row['mitigations'] . "
" . "
" . "" . $controls->get_Control_ID() . " - Risk Analysis  " . "" . "" . "" . "
" . "
" . "$ctrl_id - Technical Findings" . "" . "" . "" . "" . "" . "" . "" . "" . "" . "" . ""; $cat_1 = $db->get_Control_Finding_Count($controls, $_REQUEST['ste_id'], "Open", 1); $cat_2 = $db->get_Control_Finding_Count($controls, $_REQUEST['ste_id'], "Open", 2); $cat_3 = $db->get_Control_Finding_Count($controls, $_REQUEST['ste_id'], "Open", 3); /* $sql = "SELECT ". "IFNULL((SELECT COUNT(1) ". "FROM `sagacity`.`target` t ". "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` ". "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` ". "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` ". "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` ". "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` ". "WHERE ". "(fs.`status`='Open' OR fs.`status`='Exception') AND ". "f.`cat`=? AND ". "fc.`ia_control`=? AND ". "t.`ste_id`=? ". "GROUP BY f.`pdi_id`". "), 0)". " + ". "IFNULL((SELECT COUNT(1) ". "FROM `sagacity`.`checklist` c ". "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` ". "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` ". "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` ". "LEFT JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` ". "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` ". "WHERE ". "c.`name`='Orphan' AND ". "(fs.`status`='Open' OR fs.`status`='Exception') AND ". "f.`cat`=? AND ". "fc.`ia_control`=? AND ". "t.`ste_id`=? ". "GROUP BY f.`pdi_id`". "), 0) AS 'sum_count'"; ($cat_1) = $dbh->selectrow_array($sql, undef, 1, param('id'), param('ste_id'), 1, param('id'), param('ste_id')); ($cat_2) = $dbh->selectrow_array($sql, undef, 2, param('id'), param('ste_id'), 2, param('id'), param('ste_id')); ($cat_3) = $dbh->selectrow_array($sql, undef, 3, param('id'), param('ste_id'), 3, param('id'), param('ste_id')); */ $sql = "SELECT " . "IFNULL((SELECT COUNT(1) " . "FROM `sagacity`.`target` t " . "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " . "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " . "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " . "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " . "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` " . "WHERE " . "(fs.`status`='Open' OR fs.`status`='Exception') AND " . "fc.`ia_control`=? AND " . "t.`ste_id`=? " . "), 0)" . " + " . "IFNULL((SELECT COUNT(1) " . "FROM `sagacity`.`checklist` c " . "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " . "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` " . "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` " . "LEFT JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` " . "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` " . "WHERE " . "c.`name`='Orphan' AND " . "(fs.`status`='Open' OR fs.`status`='Exception') AND " . "fc.`ia_control`=? AND " . "t.`ste_id`=? " . "), 0) AS 'sum_count'"; $unique = db_helper::selectrow_array($conn, $sql, $controls->get_Control_ID(), $_REQUEST['ste_id'], $controls->get_Control_ID(), $_REQUEST['ste_id']); /* $sql = "SELECT ". "IFNULL((SELECT COUNT(1) ". "FROM `sagacity`.`target` t ". "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` ". "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` ". "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` ". "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` ". "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` ". "WHERE ". "fs.`status`=? AND ". "fc.`ia_control`=? AND ". "t.`ste_id`=? ". "GROUP BY f.`pdi_id`". "), 0)". " + ". "IFNULL((SELECT COUNT(1) ". "FROM `sagacity`.`checklist` c ". "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` ". "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` ". "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` ". "LEFT JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` ". "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` ". "WHERE ". "c.`name`='Orphan' AND ". "fs.`status`=? AND ". "fc.`ia_control`=? AND ". "t.`ste_id`=? ". "GROUP BY f.`pdi_id`". "), 0) AS 'sum_count'"; ($na) = $dbh->selectrow_array($sql, undef, "Not Applicable", param('id'), param('ste_id'), "Not Applicable", param('id'), param('ste_id')); ($nf) = $dbh->selectrow_array($sql, undef, "Not a Finding", param('id'), param('ste_id'), "Not a Finding", param('id'), param('ste_id')); */ $na = $db->get_Control_Finding_Count($controls, $_REQUEST['ste_id'], "Not Applicable"); $nf = $db->get_Control_Finding_Count($controls, $_REQUEST['ste_id'], "Not a Finding"); $sql = "SELECT " . "IFNULL((SELECT COUNT(1) " . "FROM `sagacity`.`target` t " . "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " . "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=tc.`chk_id` " . "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` AND t.`id` = f.`tgt_id` " . "LEFT JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " . "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` " . "WHERE " . "(fs.`status`='Open' OR fs.`status`='Exception') AND " . "fc.`ia_control`=? AND " . "t.`ste_id`=? " . "GROUP BY f.`tgt_id`" . "), 0)" . " + " . "IFNULL((SELECT COUNT(1) " . "FROM `sagacity`.`checklist` c " . "LEFT JOIN `sagacity`.`pdi_checklist_lookup` pcl ON pcl.`checklist_id`=c.`id` " . "LEFT JOIN `sagacity`.`findings` f ON f.`pdi_id`=pcl.`pdi_id` " . "LEFT JOIN `sagacity`.`findings_status` fs ON f.`findings_status_id`=fs.`id` " . "LEFT JOIN `sagacity`.`target` t ON t.`id`=f.`tgt_id` " . "LEFT JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` " . "WHERE " . "c.`name`='Orphan' AND " . "(fs.`status`='Open' OR fs.`status`='Exception') AND " . "fc.`ia_control`=? AND " . "t.`ste_id`=? " . "GROUP BY f.`tgt_id`" . "), 0) AS 'sum_count'"; $host_count = db_helper::selectrow_array($conn, $sql, $controls->get_Control_ID(), $_REQUEST['ste_id'], $controls->get_Control_ID(), $_REQUEST['ste_id']); $ret .= "" . "" . "" . "" . "" . "" . "" . "" . "" . ""; $ret .= "
IIIIIINANFUniqueHostsTotal
$cat_1$cat_2$cat_3$na$nf" . $unique['sum_count'] . "" . $host_count['sum_count'] . "" . ($cat_1 + $cat_2 + $cat_3) . "
" . "
" . "
" . "" . "" . "" . "" . "" . "" ; $sql = "SELECT " . "f.`pdi_id`,s.`stig_id`,f.`cat`,pdi.`short_title`," . "(SELECT GROUP_CONCAT(fc.`ia_control` SEPARATOR ' ') " . "FROM `sagacity`.`finding_controls` fc " . "WHERE " . "fc.`finding_id`=f.`id` " . ") AS ia_controls " . "FROM `sagacity`.`findings` f " . "JOIN `sagacity`.`findings_status` fs ON fs.`id`=f.`findings_status_id` " . "JOIN `sagacity`.`stigs` s ON s.`pdi_id`=f.`pdi_id` " . "JOIN `sagacity`.`pdi_catalog` pdi ON pdi.`id`=f.`pdi_id` " . "WHERE (fs.`status`='Open' OR fs.`status`='Exception') " . "GROUP BY f.`pdi_id` " . "HAVING ia_controls LIKE '%" . $_REQUEST['id'] . "%' " . "ORDER BY s.`stig_id`" ; if ($res = $conn->query($sql)) { while ($row = $res->fetch_assoc()) { $cat = str_repeat("I", $row['cat']); $ias = explode(" ", $row['ia_controls']); $ia_cnt = (is_array($ias) ? count($ias) : 0); $stig = str_replace(".", "", $row['stig_id']); $sql2 = "SELECT " . "GROUP_CONCAT(DISTINCT f.`id` SEPARATOR ',') AS 'finding_ids'," . "GROUP_CONCAT(DISTINCT t.`name` SEPARATOR ', ') AS 'affected_hosts',f.`notes` " . "FROM `sagacity`.`target` t " . "JOIN `sagacity`.`findings` f ON f.`tgt_id`=t.`id` " . "JOIN `sagacity`.`finding_controls` fc ON fc.`finding_id`=f.`id` " . "WHERE t.`ste_id`=? AND f.`pdi_id`=?"; $row = db_helper::selectrow_array($conn, $sql2, $_REQUEST['ste_id'], $row['pdi_id'])[0]; $ids = $row['finding_ids']; $hosts = $row['affected_hosts']; $notes = $row['notes']; $ret .= "" . "" . "" . "" . "" . "" . "" . ""; } } $ret .= "
STIG ID" . "Cat" . "M" . "Vulnerability Title" . "Affected Hosts" . "Notes
(inc.)" . "
" . $row['stig_id'] . "$cat" . ($ia_cnt > 1 ? "" : "") . "" . "" . $row['short_title'] . "$hosts$notes
"; return $ret; } function update_risk_status() { global $conn; $sql = "UPDATE `sagacity`.`control_findings` SET `risk_status`=? WHERE `ste_id`=? AND `control_id`=?"; db_helper::run($conn, $sql, strtolower($_REQUEST['status']), $_REQUEST['ste_id'], $_REQUEST['ctrl_id']); } function update_risk_analysis() { global $conn; $sql = "UPDATE `sagacity`.`control_findings` SET `risk_analysis`=? WHERE `control_id`=? AND `ste_id`=?"; db_helper::run($conn, $sql, $_REQUEST['text'], $_REQUEST['ctrl_id'], $_REQUEST['ste_id']); } function update_control_completion() { global $conn; $sql = "UPDATE `sagacity`.`control_findings` SET `done`=IF(`done`=1,0,1) WHERE `control_id`=? AND `ste_id`=?"; db_helper::run($conn, $sql, $_REQUEST['ctrl_id'], $_REQUEST['ste_id']); } function update_stig_control() { global $conn; $sql = "DELETE FROM `sagacity`.`finding_controls` WHERE `finding_id` IN (" . $_REQUEST['ids'] . ")"; $conn->real_query($sql); $sql = "INSERT INTO `sagacity`.`finding_controls` (`finding_id`,`ia_control`) VALUES "; $ids = explode(",", $_REQUEST['ids']); for ($x = 0; $x < count($ids); $x++) { $sql .= "(" . $ids[$x] . ",'" . $_REQUEST['ctrl_id'] . "'),"; } $sql = substr($sql, 0, -1); $conn->real_query($sql); } /** * Function to get targets from the category * * @global db $db * * @param int $cat_id * * @return mixed */ function get_hosts($cat_id = null) { global $db; $ret = ['cat_id' => $cat_id]; $ste_id = filter_input(INPUT_COOKIE, 'ste', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE); $tgts = []; $exp_scan_srcs = null; if ($cat_id) { $ste_cat = $db->get_Category($cat_id)[0]; $tgts = $db->get_Target_By_Category($cat_id); $exp_scan_srcs = $db->get_Expected_Category_Sources($ste_cat); } elseif (is_numeric($ste_id)) { $tgts = $db->get_Unassigned_Targets($ste_id); } else { return json_encode(['error' => "Invalid info"]); } foreach ($tgts as $tgt) { /** @var target $tgt */ $chks = $db->get_Target_Checklists($tgt->get_ID()); $scan_srcs = $db->get_Target_Scan_Sources($tgt, $exp_scan_srcs); $icons = []; $icon_str = ''; $src_str = ''; sort($chks); foreach ($chks as $chk) { if (!in_array($chk->get_Icon(), array_keys($icons))) { $icons[$chk->get_Icon()]['icon'] = $chk->get_Icon(); $icons[$chk->get_Icon()]['name'] = ''; } $icons[$chk->get_Icon()]['name'] .= "{$chk->get_Name()} V{$chk->get_Version()}R{$chk->get_Release()} ({$chk->get_type()})" . PHP_EOL; } foreach ($icons as $icon => $data) { $icon_str .= ""; } foreach ($scan_srcs as $src) { if(isset($src['src']) && is_a($src['src'], 'source')) { $icon = $src['src']->get_Icon(); if(isset($src['scan_error']) && $src['scan_error']) { $icon = strtolower($src['src']->get_Name()) . "-failed.png"; } $src_str .= "get_Name()}"; if (isset($src['file_name']) && $src['file_name']) { $src_str .= "\n{$src['file_name']}"; } $src_str .= "' class='checklist_image' />"; } } $ret['targets'][] = array_merge([ 'id' => $tgt->get_ID(), 'ste_id' => $tgt->get_STE_ID(), 'name' => $tgt->get_Name(), 'os' => $tgt->get_OS_String(), 'location' => $tgt->get_Location(), 'auto' => $tgt->get_Task_Status($tgt->get_Auto_Status_ID()), 'man' => $tgt->get_Task_Status($tgt->get_Man_Status_ID()), 'data' => $tgt->get_Task_Status($tgt->get_Data_Status_ID()), 'fp' => $tgt->get_Task_Status($tgt->get_FP_Cat1_Status_ID()), 'ip' => (count($tgt->interfaces) ? array_keys($tgt->interfaces)[0] : ''), 'notes' => $tgt->getDisplayNotes(), 'scans' => $src_str, 'chk' => $icon_str, 'nr' => $tgt->getNotReviewedCount(), 'na' => $tgt->getNotApplicableCount(), 'nf' => $tgt->getNotAFindingCount(), 'cat_1' => $tgt->getCat1Count(), 'cat_2' => $tgt->getCat2Count(), 'cat_3' => $tgt->getCat3Count(), 'comp' => floatval(number_format($tgt->getCompliantPercent(), 6)), 'assessed' => floatval(number_format($tgt->getAssessedPercent(), 6)) ]); } return json_encode($ret); } function get_target_data() { global $db; $tgt = $db->get_Target_Details($_REQUEST['ste_id'], $_REQUEST['tgt_id'])[0]; switch ($_REQUEST['type']) { case 'netstat': return $tgt->get_Netstat_Connections(); case 'routes': return $tgt->get_Routes(); case 'firewall': return $tgt->get_Firewall_Config(); case 'shares': return $tgt->get_Shares(); case 'mounted': return $tgt->get_Mounted(); case 'process_list': return $tgt->get_Process_List(); case 'autorun': return $tgt->get_Autorun(); case 'services': return $tgt->get_Services(); case 'remote_registry': return $tgt->get_Remote_Registry(); case 'system': return $tgt->get_System(); case 'bios': return $tgt->get_BIOS(); case 'copyright': return $tgt->get_Copyright(); case 'missing_patches': return $tgt->get_Missing_Patches(); case 'user_list': return $tgt->get_User_List(); case 'disabled_accts': return $tgt->get_Disabled_Accts(); case 'stag_pwds': return $tgt->get_Stag_Pwds(); case 'never_logged_in': return $tgt->get_Never_Logged_In(); case 'pwds_never_expire': return $tgt->get_Pwds_Never_Expire(); } return null; } function target_filter($ste_id, $criteria) { global $db, $conn; $where = array(); $tgts = array(); $idx = 0; $like = false; $ret = array(); $search = explode("\n", $criteria); unset($search[count($search) - 1]); foreach ($search as $str) { if (!$str) { continue; } switch ($str) { case (preg_match("/name /i", $str) ? true : false): $where[] = "t.`name`"; break; case (preg_match("/sw /i", $str) ? true : false): $where[] = "sw.`cpe`"; break; case (preg_match("/os /i", $str) ? true : false): $where[] = "os.`cpe`"; break; case (preg_match("/auto status /i", $str) ? true : false): $where[] = "`as`.`status`"; break; case (preg_match("/manual status /i", $str) ? true : false): $where[] = "ms.`status`"; break; case (preg_match("/data gathering status /i", $str) ? true : false): $where[] = "ds.`status`"; break; case (preg_match("/fp\/cat i status /i", $str) ? true : false): $where[] = "fp.`status`"; break; case (preg_match("/category /i", $str) ? true : false): $where[] = "t.`cat_id`"; break; case (preg_match("/open port /i", $str) ? true : false): $where[] = "CONCAT(pps.`proto`,'/',pps.`port`)"; break; default: continue 2; } if (($pos = strpos($str, "!~")) !== false) { $where[$idx] .= " NOT LIKE "; $like = true; } elseif (($pos = strpos($str, "~=")) !== false) { $where[$idx] .= " LIKE "; $like = true; } elseif (($pos = strpos($str, "!=")) !== false) { $where[$idx] .= " != "; } elseif (($pos = strpos($str, "=")) !== false) { $where[$idx] .= " = "; $pos--; } $where[$idx] .= "'" . ($like ? "%" : "") . $conn->real_escape_string(substr($str, $pos + 4, -1)) . ($like ? "%" : "") . "'"; $idx++; $like = false; } $where_str = implode(" AND ", $where); $sql = "SELECT COUNT(DISTINCT(t.`id`)) as 'cnt' " . "FROM `sagacity`.`target` t " . "LEFT JOIN `sagacity`.`task_status` `as` ON t.`auto_status_id`=`as`.`id` " . "LEFT JOIN `sagacity`.`task_status` ms ON t.`man_status_id`=ms.`id` " . "LEFT JOIN `sagacity`.`task_status` ds ON t.`data_status_id`=ds.`id` " . "LEFT JOIN `sagacity`.`task_status` fp ON t.`fp_cat1_status_id`=fp.`id` " . "LEFT JOIN `sagacity`.`target_software` ts ON ts.`tgt_id`=t.`id` " . "LEFT JOIN `sagacity`.`software` sw ON ts.`sft_id`=sw.`id` " . "LEFT JOIN `sagacity`.`software` os ON t.`os_id`=os.`id` " . "LEFT JOIN `sagacity`.`interfaces` i ON t.`id`=i.`tgt_id` " . "LEFT JOIN `sagacity`.`pps_list` hp ON hp.`int_id`=i.`id` " . "LEFT JOIN `sagacity`.`ports_proto_services` pps ON pps.`id`=hp.`pps_id` " . "WHERE " . $where_str ; $cnt = 0; if ($res = $conn->query($sql)) { $cnt = $res->fetch_array()[0]; } else { error_log($conn->error); Sagacity_Error::sql_handler($sql); } $ret['count'] = $cnt; $sql = "SELECT DISTINCT(t.`id`) " . "FROM `sagacity`.`target` t " . "LEFT JOIN `sagacity`.`task_status` `as` ON t.`auto_status_id`=`as`.`id` " . "LEFT JOIN `sagacity`.`task_status` ms ON t.`man_status_id`=ms.`id` " . "LEFT JOIN `sagacity`.`task_status` ds ON t.`data_status_id`=ds.`id` " . "LEFT JOIN `sagacity`.`task_status` fp ON t.`fp_cat1_status_id`=fp.`id` " . "LEFT JOIN `sagacity`.`target_software` ts ON ts.`tgt_id`=t.`id` " . "LEFT JOIN `sagacity`.`software` sw ON ts.`sft_id`=sw.`id` " . "LEFT JOIN `sagacity`.`software` os ON t.`os_id`=os.`id` " . "LEFT JOIN `sagacity`.`interfaces` i ON t.`id`=i.`tgt_id` " . "LEFT JOIN `sagacity`.`pps_list` hp ON hp.`int_id`=i.`id` " . "LEFT JOIN `sagacity`.`ports_proto_services` pps ON pps.`id`=hp.`pps_id` " . "WHERE " . $where_str . " " . ($_REQUEST['count'] != 'all' ? "LIMIT " . $_REQUEST['start_count'] . "," . $_REQUEST['count'] : "") ; if ($res = $conn->query($sql)) { while ($row = $res->fetch_assoc()) { $tgts[] = $db->get_Target_Details($_REQUEST['ste'], $row['id'])[0]; } } else { error_log($conn->error); Sagacity_Error::sql_handler($sql); } foreach ($tgts as $tgt) { $cat_id = $tgt->get_Cat_ID(); $ste_cat = $db->get_Category($cat_id); $chks = $db->get_Target_Checklists($tgt->get_ID()); if (isset($cat_id)) { $exp_scan_srcs = $db->get_Expected_Category_Sources($ste_cat); } else { $exp_scan_srcs = null; } $scan_srcs = $db->get_Target_Scan_Sources($tgt, $exp_scan_srcs); $icons = array(); $icon_str = ''; $src_str = ''; foreach ($chks as $chk) { if (!in_array($chk->get_Icon(), array_keys($icons))) { $icons[$chk->get_Icon()]['icon'] = $chk->get_Icon(); $icons[$chk->get_Icon()]['name'] = ''; } $icons[$chk->get_Icon()]['name'] .= $chk->get_Name() . " V" . $chk->get_Version() . "R" . $chk->get_Release() . " (" . $chk->get_type() . ")" . PHP_EOL; } foreach ($icons as $icon => $data) { $icon_str .= ""; } foreach ($scan_srcs as $src) { $src_str .= "get_Icon() . "' title='" . $src['src']->get_Name(); if (isset($src['count']) && $src['count']) { $src_str .= " (" . $src['count'] . ")"; } $src_str .= "' class='checklist_image' />"; } $ret['targets'][] = array_merge($tgt->get_JSON(), array( 'scans' => $src_str, 'chk' => $icon_str )); } if (isset($ret['targets']) && is_array($ret['targets']) && count($ret['targets'])) { return json_encode($ret); } else { return json_encode(array('count' => 0)); } } function reference_filter($criteria) { global $db, $conn; $where = array(); $ref = array(); $idx = 0; $ret = ''; $like = false; $odd = true; $sql = "SELECT * FROM `sagacity`.`pdi_catalog` pdi "; $query = array( 'cce' => array( 'sql' => "LEFT JOIN `sagacity`.`cce` ON cce.`pdi_id`=pdi.`id` ", 'added' => false ), 'cve' => array( 'sql' => "LEFT JOIN `sagacity`.`cve` ON cve.`pdi_id`=pdi.`id` " . "LEFT JOIN `sagacity`.`cve_db` ON cve_db.`cve_id`=cve.`cve_id` " . "LEFT JOIN `sagacity`.`cve_references` ref ON ref.`cve_seq`=cve_db.`cve_id` " . "LEFT JOIN `sagacity`.`cve_web` web ON web.`cve_id`=cve_db.`cve_id` ", 'added' => false, ), 'vms' => array( 'sql' => "LEFT JOIN `sagacity`.`golddisk` gd ON gd.`pdi_id`=pdi.`id` ", 'added' => false, ), 'iavm' => array( 'sql' => "LEFT JOIN `sagacity`.`iavm_notices` iavm ON iavm.`pdi_id`=pdi.`id` ", 'added' => false, ) ); $xml = new DOMDocument(); $xml->appendChild($root = xml_helper($xml, "root")); $search = explode("\n", $criteria); unset($search[count($search) - 1]); foreach ($search as $str) { switch ($str) { case (preg_match("/cce /i", $str) ? true : false): if (!$query['cce']['added']) { $sql .= $query['cce']['sql']; } $query['cce']['added'] = true; $where[] = ""; break; case (preg_match("/cpe /i", $str) ? true : false): $where[] = ""; break; case (preg_match("/cve /i", $str) ? true : false): if (!$query['cve']['added']) { $sql .= $query['cve']['sql']; } $query['cve']['added'] = true; $where[] = ""; break; case (preg_match("/ia control /i", $str) ? true : false): $where[] = ""; break; case (preg_match("/iavm /i", $str) ? true : false): if (!$query['iavm']['added']) { $sql .= $query['iavm']['sql']; } $query['iavm']['added'] = true; $where[] = ""; break; case (preg_match("/nessus plugin id /i", $str) ? true : false): $where[] = ""; break; case (preg_match("/oval /i", $str) ? true : false): $where[] = ""; break; case (preg_match("/reference /i", $str) ? true : false): $where[] = ""; break; case (preg_match("/stig id /i", $str) ? true : false): $where[] = ""; break; case (preg_match("/sv rule /i", $str) ? true : false): $where[] = ""; break; case (preg_match("/vms id /i", $str) ? true : false): if (!$query['vms']['added']) { $sql .= $query['vms']['sql']; } $query['vms']['added'] = true; $where[] = ""; break; case (preg_match("/vendor advisory /i", $str) ? true : false): $where[] = ""; break; case (preg_match("/check contents /i", $str) ? true : false): $where[] = ""; break; case (preg_match("/short title /i", $str) ? true : false): $where[] = ""; break; case (preg_match("/description /i", $str) ? true : false): $where[] = ""; break; default: continue 2; } if (($pos = strpos($str, "!~")) !== false) { $where[$idx] .= " NOT LIKE "; $like = true; } elseif (($pos = strpos($str, "~=")) !== false) { $where[$idx] .= " LIKE "; $like = true; } elseif (($pos = strpos($str, "!=")) !== false) { $where[$idx] .= " != "; } elseif (($pos = strpos($str, "=")) !== false) { $where[$idx] .= " = "; $pos--; } $where[$idx] .= "'" . ($like ? "%" : "") . $conn->real_escape_string(substr($str, $pos + 4, -1)) . ($like ? "%" : "") . "'"; $idx++; $like = false; } $where_str = implode(" AND ", $where); $sql = "SELECT COUNT(t.`id`) as 'cnt' " . "WHERE " . $where_str; $cnt = 0; if ($res = $conn->query($sql)) { $cnt = $res->fetch_array()[0]; } else { error_log($conn->error); Sagacity_Error::sql_handler($sql); } $root->setAttribute('count', $cnt); $sql = "SELECT t.`id` " . " " . "WHERE " . $where_str . " " . ($_REQUEST['count'] != 'all' ? "LIMIT " . $_REQUEST['start_count'] . "," . $_REQUEST['count'] : "") ; if ($res = $conn->query($sql)) { while ($row = $res->fetch_assoc()) { } } else { error_log($conn->error); Sagacity_Error::sql_handler($sql); } return $xml->saveXML(); } function scan_filter($ste_id, $criteria) { } function finding_filter($ste_id, $criteria) { } function get_saved_filter($type, $filter_name) { global $db; $filter = $db->get_Filters($type, $filter_name); $ret = array(); if (is_array($filter) && count($filter)) { $filter = $filter[0]; foreach (explode("\n", $filter['criteria']) as $cri) { if ($cri) $ret[] = $cri; } } return json_encode($ret); } function update_target_field($field, $data) { global $db, $conn; $sql = "UPDATE `sagacity`.`target` t " . "LEFT JOIN `sagacity`.`target_software` ts ON t.`id`=ts.`tgt_id` " . "LEFT JOIN `sagacity`.`target_checklist` tc ON t.`id`=tc.`tgt_id` " . "LEFT JOIN `sagacity`.`target_net_meta` tnm ON t.`id`=tnm.`tgt_id` " . "LEFT JOIN `sagacity`.`target_sys_meta` tsm ON t.`id`=tsm.`tgt_id` " . "LEFT JOIN `sagacity`.`target_user_meta` tum ON t.`id`=tum.`tgt_id` " . "SET "; switch ($field) { case 'name': $sql .= "t.`name`='" . $conn->real_escape_string($data) . "'"; break; case 'location': $sql .= "t.`location`='" . $conn->real_escape_string($data) . "'"; break; case 'wmi_pid': $sql .= "tsm.`wmi_listening_pid`='" . $conn->real_escape_string($data) . "'"; break; case 'last_login': $sql .= "tum.`last_login`='" . $conn->real_escape_string($data) . "'"; break; case 'login': $sql .= "tum.`login`='" . $conn->real_escape_string($data) . "'"; break; case 'notes': $sql .= "t.`notes`='" . $conn->real_escape_string($data) . "'"; break; case 'auto_status': $sql .= "t.`auto_status_id`='" . $conn->real_escape_string($data) . "'"; break; case 'man_status': $sql .= "t.`man_status_id`='" . $conn->real_escape_string($data) . "'"; break; case 'data_status': $sql .= "t.`data_status_id`='" . $conn->real_escape_string($data) . "'"; break; case 'fp-cat1_status': $sql .= "t.`fp_cat1_status_id`='" . $conn->real_escape_string($data) . "'"; break; case 'vm': $sql .= "tsm.`is_vm`='" . $conn->real_escape_string($data) . "'"; break; case 'pp_on': $sql .= "t.`pp_off`=" . ($data == '1' ? '0' : '1'); break; case 'netstat_data': $sql .= "tnm.`netstat_connections`='" . $conn->real_escape_string($data) . "'"; break; case 'routes_data': $sql .= "tnm.`routes`='" . $conn->real_escape_string($data) . "'"; break; case 'shares_data': $sql .= "tnm.`shares`='" . $conn->real_escape_string($data) . "'"; break; case 'firewall_data': $sql .= "tnm.`firewall_config`='" . $conn->real_escape_string($data) . "'"; break; case 'mounted_data': $sql .= "tsm.`mounted`='" . $conn->real_escape_string($data) . "'"; break; case 'process_list_data': $sql .= "tsm.`process_list`='" . $conn->real_escape_string($data) . "'"; break; case 'autorun_data': $sql .= "tsm.`autorun`='" . $conn->real_escape_string($data) . "'"; break; case 'services_data': $sql .= "tsm.`services`='" . $conn->real_escape_string($data) . "'"; break; case 'remote_registry_data': $sql .= "tsm.`remote_registry`='" . $conn->real_escape_string($data) . "'"; break; case 'copyright_data': $sql .= "tsm.`copyrighted`='" . $conn->real_escape_string($data) . "'"; break; case 'system_data': $sql .= "tsm.`system`='" . $conn->real_escape_string($data) . "'"; break; case 'bios_data': $sql .= "tsm.`bios`='" . $conn->real_escape_string($data) . "'"; break; case 'missing_patches_data': $sql .= "t.`missing_patches`='" . $conn->real_escape_string($data) . "'"; break; case 'user_list_data': $sql .= "tum.`user_list`='" . $conn->real_escape_string($data) . "'"; break; case 'disabled_accts_data': $sql .= "tum.`disabled_accts`='" . $conn->real_escape_string($data) . "'"; break; case 'stag_pwds_data': $sql .= "tum.`stag_pwds`='" . $conn->real_escape_string($data) . "'"; break; case 'never_logged_in_data': $sql .= "tum.`never_logged_in`='" . $conn->real_escape_string($data) . "'"; break; case 'pwds_never_expire_data': $sql .= "tum.`pwd_never_expires`='" . $conn->real_escape_string($data) . "'"; break; case '': $sql .= "='" . $conn->real_escape_string($data) . "'"; break; } $sql .= " WHERE t.`id`=" . $conn->real_escape_string($_REQUEST['tgt_id']); if (!$conn->real_query($sql)) { error_log($conn->error); Sagacity_Error::sql_handler($sql); return 'false'; } return 'true'; } function get_category_details($cat_id) { global $db; $cat = $db->get_Category($cat_id); if (is_array($cat) && count($cat) && isset($cat[0]) && is_a($cat[0], 'ste_cat')) { $cat = $cat[0]; } else { return 'no category found'; } return json_encode([ 'id' => $cat->get_ID(), 'name' => $cat->get_Name(), 'analyst' => $cat->get_Analyst(), 'sources' => $cat->get_Sources() ]); }