
Comments (21)

grayguest commented on August 18, 2024

My guess is that it is constant concatenation.
By the way, LoRexxar's data-flow analysis logs are really detailed.

from kunlun-m.

LoRexxar commented on August 18, 2024

I ran into this before... The main problem I hit during testing was this: if a variable comes from concatenation, it comes from a list, and if part of that list is controllable and part is not, the variable is not necessarily controllable. That produced far too many false positives, so for now I changed this part so that as soon as any one variable is confirmed controllable or confirmed uncontrollable, the result is decided.


LoRexxar commented on August 18, 2024

Another problem is that on large code bases this kind of branching recurses without bound, which is hard to handle.


m4p1e commented on August 18, 2024

But in practice there are many cases where external variables are not referenced directly; they are concatenated to some degree.


m4p1e commented on August 18, 2024

I see you still keep literals. I think you could just ignore them when processing the expr on the right-hand side of the assignment, the way Cobra does; there is no need to put them in the list and recurse on them again.


grayguest commented on August 18, 2024

> I see you still keep literals. I think you could just ignore them when processing the expr on the right-hand side of the assignment, the way Cobra does; there is no need to put them in the list and recurse on them again.

Where does it recurse?


grayguest commented on August 18, 2024

I feel that concatenation can be treated as a kind of sanitization to reduce false positives. When this is really used in an SDL process, too many false positives will make it fall apart; let SAST solve the problems it can solve.


LoRexxar commented on August 18, 2024

> > I see you still keep literals. I think you could just ignore them when processing the expr on the right-hand side of the assignment, the way Cobra does; there is no need to put them in the list and recurse on them again.
>
> Where does it recurse?

The current approach processes them one by one; as soon as one of them is confirmed controllable or confirmed uncontrollable, it stops. That still counts as recursion.


m4p1e commented on August 18, 2024

> > I see you still keep literals. I think you could just ignore them when processing the expr on the right-hand side of the assignment, the way Cobra does; there is no need to put them in the list and recurse on them again.
>
> Where does it recurse?

For example, in $a = $pid ^ 'randow';
the literal 'randow' gets traced once:

[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('randow'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None

This is the logger at the very start of parameters_back.


LoRexxar commented on August 18, 2024

> > > I see you still keep literals. I think you could just ignore them when processing the expr on the right-hand side of the assignment, the way Cobra does; there is no need to put them in the list and recurse on them again.
> >
> > Where does it recurse?
>
> For example, in $a = $pid ^ 'randow';
> the literal 'randow' gets traced once:
>
> [DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('randow'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
>
> This is the logger at the very start of parameters_back.

The 'random' here should come from $pid = "random";, not from the XOR.


m4p1e commented on August 18, 2024

Master, let me show you the full recursion. The literal here is 'randow', with a w at the end.

[DEBUG] [MainThread] [09:43:03] [parser.py:1315] [AST] vul_function:mysql_query
[DEBUG] [MainThread] [09:43:03] [parser.py:1122] [AST] AST to find param Variable('$b')
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$b'),nodes=[Assignment(Variable('$glob'), ArrayOffset(Variable('$_GET'), 'maple'), False), Function('add_func', [FormalParameter('$did', None, False, None)], [Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False), Assignment(Variable('$b'), BinaryOp('.', Variable('$a'), 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'), False), FunctionCall('mysql_query', [Parameter(Variable('$b'), False)])], False)],function_params=None, lineno=10,function_flag=0,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [09:43:03] [parser.py:792] [AST] param $b line 10 in function add_func line 3, start ast in function
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$b'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False), Assignment(Variable('$b'), BinaryOp('.', Variable('$a'), 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:729] [AST] Find $b from list for ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'] in line 9, start ast for list ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa']
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$a'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:729] [AST] Find $a from list for ['$pid', 'randow'] in line 8, start ast for list ['$pid', 'randow']
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:729] [AST] Find $pid from list for ['$pid', '$did'] in line 6, start ast for list ['$pid', '$did']
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:641] [AST] Find $pid=random in line 0, start ast for param random
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = None,expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=-1 ,cp = None,expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$did'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$did'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [09:43:03] [parser.py:641] [AST] Find $did=$_GET in line 4, start ast for param $_GET
[DEBUG] [MainThread] [09:43:03] [parser.py:339] [AST] is_controllable --> $_GET
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=1 ,cp = Variable('$_GET'),expr_lineno=4 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=1 ,cp = Variable('$_GET'),expr_lineno=4 
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=1 ,cp = Variable('$_GET'),expr_lineno=4 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=1 ,cp = Variable('$_GET'),expr_lineno=4 
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('randow'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('randow'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=-1 ,cp = Variable('randow'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('randow'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=-1 ,cp = Variable('randow'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=-1 ,cp = Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [engine.py:809] [AST] [RET] []

Master, I commented it out. The skip logic at the very beginning is the following:

# If the target parameter is itself in the list there will be new problems; the choice here is to skip it if present
#if param_name in param_expr:
#   logger.debug("[AST] param {} in list {}, continue...".format(param_name, param_expr))


m4p1e commented on August 18, 2024

The TEST output in there can be ignored.


m4p1e commented on August 18, 2024

[DEBUG] [MainThread] [10:55:28] [parser.py:1315] [AST] vul_function:mysql_query
[DEBUG] [MainThread] [10:55:28] [parser.py:1122] [AST] AST to find param Variable('$b')
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$b'),nodes=[Assignment(Variable('$glob'), ArrayOffset(Variable('$_GET'), 'maple'), False), Function('add_func', [FormalParameter('$did', None, False, None)], [Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False), Assignment(Variable('$b'), BinaryOp('.', Variable('$a'), 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'), False), FunctionCall('mysql_query', [Parameter(Variable('$b'), False)])], False)],function_params=None, lineno=10,function_flag=0,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [10:55:28] [parser.py:792] [AST] param $b line 10 in function add_func line 3, start ast in function
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$b'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False), Assignment(Variable('$b'), BinaryOp('.', Variable('$a'), 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:729] [AST] Find $b from list for ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'] in line 9, start ast for list ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa']
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$a'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:729] [AST] Find $a from list for ['$pid', 'randow'] in line 8, start ast for list ['$pid', 'randow']
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:729] [AST] Find $pid from list for ['$pid', '$did'] in line 6, start ast for list ['$pid', '$did']
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:641] [AST] Find $pid=random in line 0, start ast for param random
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$did'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$did'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [10:55:28] [parser.py:641] [AST] Find $did=$_GET in line 4, start ast for param $_GET
[DEBUG] [MainThread] [10:55:28] [parser.py:339] [AST] is_controllable --> $_GET
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('randow'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [engine.py:809] [AST] [RET] []


LoRexxar commented on August 18, 2024

> Master, let me show you the full recursion. The literal here is 'randow', with a w at the end.


> Master, I commented it out. The skip logic at the very beginning is the following:
>
> # If the target parameter is itself in the list there will be new problems; the choice here is to skip it if present
> #if param_name in param_expr:
> #   logger.debug("[AST] param {} in list {}, continue...".format(param_name, param_expr))

I see what is going on now; let me look at how to fix it.


m4p1e commented on August 18, 2024

Master, in theory, once I comment out that spot above it should be detected, but the result is that it is not. I am still looking for where the recursion logic goes wrong -。-


LoRexxar commented on August 18, 2024

> Master, in theory, once I comment out that spot above it should be detected, but the result is that it is not. I am still looking for where the recursion logic goes wrong -。-

I do not remember the details exactly, only vaguely: because this list shows up in many places, including function parameters, it is easy to run into problems, and I adjusted it many times...

I think I may need a board where I write down the sample code I hit during each fix... I do not remember any of it.


m4p1e commented on August 18, 2024

I think I found it:
https://github.com/LoRexxar/Cobra-W/blob/master/cobra/core_engine/php/parser.py#L757

Here, once a controllable one is found, can't we just return? There is no need to keep iterating, is there?
Add one line after it:

if _is_co != -1:  # When a parameter is controllable, assign it to is_co and cp; if any one parameter is controllable, this function is considered possibly controllable
    is_co = _is_co
    cp = _cp
+   return is_co,cp,expr_lineno

After I added this, it is detected.


LoRexxar commented on August 18, 2024

> I think I found it:
> https://github.com/LoRexxar/Cobra-W/blob/master/cobra/core_engine/php/parser.py#L757
>
> Here, once a controllable one is found, can't we just return?
> Add one line after it:
>
> if _is_co != -1:  # When a parameter is controllable, assign it to is_co and cp; if any one parameter is controllable, this function is considered possibly controllable
>     is_co = _is_co
>     cp = _cp
> +   return is_co,cp,expr_lineno
>
> After I added this, it is detected.

If you return here you will run into the problem I mentioned... as soon as you hit one controllable piece you judge the whole thing controllable, but not every concatenation is a problem...

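An added example (my own code, not KunLun-M's or Cobra's): a minimal backward taint walk in Python over the add_func assignments from the logs, comparing the two operand-combining rules debated above, the interim "stop at the first confirmed operand" rule and the proposed "return on the first controllable operand". The tiny AST classes, the policy names, the depth limit and the PROGRAM list are assumptions constructed for this example, not the project's own types.

```python
# Added example, not KunLun-M's own code: a minimal backward taint walk over the
# add_func body from the logs, with two operand-combining policies. Verdicts are
# three-valued (1 / 0 / -1) to mirror is_controllable in the debug output.
from collections import namedtuple
from typing import Callable, Iterable, List, Optional, Tuple

CONTROLLABLE, UNKNOWN, UNCONTROLLABLE = 1, 0, -1
Verdict = Tuple[int, Optional[str]]  # (is_controllable, originating source)

# Tiny AST assumed for this example; the real parser's nodes appear in the logs above.
Var = namedtuple("Var", "name")
Lit = namedtuple("Lit", "value")
Source = namedtuple("Source", "name")          # a superglobal such as $_GET
BinOp = namedtuple("BinOp", "op left right")   # '.' and '^' both carry input influence
Assign = namedtuple("Assign", "target expr")

# Constructed program mirroring the assignments in the debug logs above.
PROGRAM: List[Assign] = [
    Assign("$did", Source("$_GET")),
    Assign("$pid", Lit("random")),
    Assign("$pid", BinOp(".", Var("$pid"), Var("$did"))),
    Assign("$a", BinOp("^", Var("$pid"), Lit("randow"))),
    Assign("$b", BinOp(".", Var("$a"), Lit("aaaaaaaaaaaaaaaaaaaaaaaaaaa"))),
]


def first_decided(parts: Iterable[Verdict]) -> Verdict:
    """Interim rule described in the thread: stop at the first operand that is
    confirmed either way. Order-dependent: a literal on the left hides a
    tainted variable on the right."""
    for v in parts:
        if v[0] != UNKNOWN:
            return v
    return UNKNOWN, None


def any_controllable(parts: Iterable[Verdict]) -> Verdict:
    """Proposed early return: controllable as soon as any operand is; otherwise
    unknown wins over uncontrollable so nothing is silently cleared."""
    seen = []
    for v in parts:
        if v[0] == CONTROLLABLE:
            return v
        seen.append(v[0])
    return (UNKNOWN, None) if UNKNOWN in seen else (UNCONTROLLABLE, None)


def trace(expr, nodes: List[Assign], combine: Callable, depth: int = 0) -> Verdict:
    """Walk backwards from expr through the assignments that precede it."""
    if depth > 64:  # bound the recursion the thread hits on large code bases
        return UNKNOWN, None
    if isinstance(expr, Lit):  # a literal needs no recursive pass at all
        return UNCONTROLLABLE, None
    if isinstance(expr, Source):
        return CONTROLLABLE, expr.name
    if isinstance(expr, Var):
        for i in range(len(nodes) - 1, -1, -1):  # nearest earlier assignment
            if nodes[i].target == expr.name:
                return trace(nodes[i].expr, nodes[:i], combine, depth + 1)
        return UNKNOWN, None  # never assigned in scope, e.g. a formal parameter
    if isinstance(expr, BinOp):
        # a generator, so a policy that returns early never traces the rest
        parts = (trace(o, nodes, combine, depth + 1) for o in (expr.left, expr.right))
        return combine(parts)
    return UNKNOWN, None


def check_sink(arg: str, program: List[Assign], combine: Callable) -> Verdict:
    """Verdict for the argument of a sink such as mysql_query($arg)."""
    return trace(Var(arg), program, combine)


if __name__ == "__main__":
    for policy in (first_decided, any_controllable):
        print(policy.__name__, "->", check_sink("$b", PROGRAM, policy))
```

Under the interim rule the sink argument comes back uncontrollable, because $pid = 'random' is the first confirmed operand of $pid . $did and the walk stops there, while the early-return rule reports $_GET and never traces the literals; that is the over-approximation LoRexxar warns about for concatenations that are not actually exploitable.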

LoRexxar commented on August 18, 2024

Let's set this problem aside for now; I will trace it in detail when I have time.


m4p1e commented on August 18, 2024

Master, what is your email? I would like to ask you for advice when I have time!


LoRexxar commented on August 18, 2024

> Master, what is your email? I would like to ask you for advice when I have time!

[email protected]

