lorexxar / kunlun-m Goto Github PK
View Code? Open in Web Editor NEWKunLun-M是一个完全开源的静态白盒扫描工具,支持PHP、JavaScript的语义扫描,基础安全、组件安全扫描,Chrome Ext\Solidity的基础扫描。
License: MIT License
kunlun-m's Issues
当污点传播到数组时没有正确的进入子作用域递归
Windows 10 x64 python3.8
Traceback (most recent call last):
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\cast.py", line 245, in is_controllable_param
_is_co, _cp, expr_lineno, chain = php_anlysis_params(param_name, self.file_path, self.line, self.sr.vul_function, self.repair_functions, self.controlled_list, isexternal=True)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 1368, in anlysis_params
is_co, cp, expr_lineno = deep_parameters_back(param, vul_nodes, function_params, count, file_path, vul_lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 1200, in deep_parameters_back
is_co, cp, expr_lineno = parameters_back(param, back_node, function_params, lineno, vul_function=vul_function,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 950, in parameters_back
is_co, cp, expr_lineno = class_back(param, node, lineno, vul_function=vul_function, file_path=file_path,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 566, in class_back
is_co, cp, expr_lineno = parameters_back(param, vul_nodes, lineno=lineno, function_flag=1,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 898, in parameters_back
is_co, cp, expr_lineno = parameters_back(param, vul_nodes, function_params, lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 699, in parameters_back
return parameters_back(param, nodes[:-1], function_params, lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 1168, in parameters_back
is_co, cp, expr_lineno = parameters_back(param, nodes[:-1], function_params, lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 1168, in parameters_back
is_co, cp, expr_lineno = parameters_back(param, nodes[:-1], function_params, lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 1168, in parameters_back
is_co, cp, expr_lineno = parameters_back(param, nodes[:-1], function_params, lineno,
[Previous line repeated 11 more times]
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 680, in parameters_back
is_co, cp, expr_lineno = array_back(param, nodes, file_path=file_path, isback=isback)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 536, in array_back
n_node = php.Variable(param_node_expr.node.value)
AttributeError: 'MethodCall' object has no attribute 'value'
新生成的漏洞函数应当有相应的作用域,而不是全局搜索
新生成的漏洞函数应当有相应的作用域,而不是全局搜索
变量赋值时右值为变量拼接时存在问题
function add_func($did){
$did=$_GET['maple'];
$pid="random";
$pid=$pid.$did;
$a = $pid ^ 'randow';
$b = $a.'aaaaaaaaaaaaaaaaaaaaaaaaaaa';
mysql_query($b);
}为什么这里会选择略过呢? 考虑了什么逻辑?
[DEBUG] [MainThread] [17:50:53] [parser.py:1314] [AST] vul_function:mysql_query
[DEBUG] [MainThread] [17:50:53] [parser.py:1121] [AST] AST to find param Variable('$b')
[DEBUG] [MainThread] [17:50:53] [parser.py:791] [AST] param $b line 10 in function add_func line 3, start ast in function
[DEBUG] [MainThread] [17:50:53] [parser.py:728] [AST] Find $b from list for ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'] in line 9, start ast for list ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa']
[DEBUG] [MainThread] [17:50:53] [parser.py:728] [AST] Find $a from list for ['$pid', 'randow'] in line 8, start ast for list ['$pid', 'randow']
[DEBUG] [MainThread] [17:50:53] [parser.py:728] [AST] Find $pid from list for ['$pid', '$did'] in line 6, start ast for list ['$pid', '$did']
[DEBUG] [MainThread] [17:50:53] [parser.py:741] [AST] param $pid in list ['$pid', '$did'], continue...
[DEBUG] [MainThread] [17:50:53] [parser.py:640] [AST] Find $pid=random in line 0, start ast for param random
[DEBUG] [MainThread] [17:50:53] [engine.py:809] [AST] [RET] []
消除来自cobra的历史遗留问题
下个大版本中删除修复来自cobra的历史遗留问题。
1、来自cobra的mac特殊处理
2、不同format的结束输出在迭代过程中坏了
3、output的对接问题
4、来自自定义匹配模式无限多的bug -> 把这部分尽量重构掉
5、统一AST分析中进入递归的逻辑,将return逻辑尽量统一。
6、来自git的输入模式修复
7、逐渐去除在tmp目录下无意义的输出
请问支持php7吗?
RT,另外想主要对php代码做分析,和rips0.55比较,哪个在php上面的表现性能比较好呢?
回溯变量到global时,没有做相应的处理
回溯变量到global时,没有做相应的处理
function a(){
global $b;
eval($b);
}
没有做好处理
javascript灵活语法中出现eval伪语法代码
javascript灵活语法中出现eval伪语法代码无法解决...
···
function timedMsg(abc,callback){
if(callback){
var t=setTimeout(eval('callback'),3000);
return 0;
}}
function fire(){
var call = location.hash.split("#")[1];
timedMsg(12,"call");
}
···
CVI-1004部分语句支持误差
$query = "SELECT id, name, inserted, size FROM products WHERE size = '$size' ORDER BY $order LIMIT $limit, $offset;";
if ($getInfo['expire']>time()) {$plan = $odb -> query("SELECT `plans`.`name` FROM `users`, `plans` WHERE `plans`.`ID` = `users`.`membership` AND `users`.`ID` = '$id'") -> fetchColumn(0);} else {$plan='No membership';}
在面对上面两种情况的时候,没办法有效的区分
为Cobra-W添加console模式
为Cobra-W添加console模式
可以方便的管理和控制扫描结果,包括查看结果,查看未确认漏洞,管理新敏感函数,管理结果,生成html结果报告。
展示更详细的信息等
auto rule的重复生成问题
假设
function a($a){
敏感函数1($a);
敏感函数2($a);
}
那么这个a函数就会被重复扫描2次
参数回溯到数组、字典后不能正确继续回溯
$show = array ('ip'=> '1', 'country' => $_GET['a']);
$ip = $show['ip'];
$country = $show['country'];
$date = date("m-d-Y, h:i:s a" ,$show['date']);
echo '<tr><td><strong>'.htmlentities($ip).'</strong></td><td>'.htmlentities($country).'</td><td>'.htmlentities($date).'</td></tr>';
eval中伪语法在AST中解释错误
eval('if(' . $matches[1][$i] . '){$flag="if";}else{$flag="else";}');
向上述eval中的伪语法做难以做ast分析。
eval中变量整体作为字符串拼接语句,被解释为多个变量拼接
应对多个拼接变量都判断,回溯其中变量
javascript中常出现的对象传递语法
//---------------TEST CASE 28------------- // PASS
function apple(fruit){
if(fruit.hasOwnProperty('innerHTML'))
return fruit.innerHTML;
}
yahoo=document.getElementsByTagName('div')[0];
mango=apple(yahoo);
mango=location.hash.split('#')[1]
//---------------TEST CASE 29------------ // PASS
function apple(fruit){
if(fruit.hasOwnProperty('innerHTML'))
return fruit.innerHTML;
}
yahoo=document.getElementsByTagName('div');
mango=apple(yahoo[0]);
url = location.hash.split('#')[1]
mango = "Hello" + url + "!";
//---------------TEST CASE 30------------ // PASS
function apple(fruit,cake){
fruit+="";
if(cake.hasOwnProperty('innerHTML'))
return cake.innerHTML;
}
yahoo=document.getElementsByTagName('div')[0];
berry="123";
mango=apple(berry,yahoo);
mango=location.hash.split('#')[1]
//---------------TEST CASE 32------------ (KFP)
function apple(fruit){
if(fruit.hasOwnProperty('innerHTML'))
return fruit.innerText;
else
return fruit.innerHTML;
}
yahoo=document.getElementsByTagName('div')[0];
mango=apple(yahoo);
mango=location.hash.split('#')[1]
这4个例子都涉及到了同一个问题,就是对象传递,其关键对象传递的逻辑不符合我们常见的参数传递逻辑。
如果想要保证分析的流上下文相关性,那就必须保证是以对象传递为中心,但是自定义匹配目前是参数传递为中心,如果适配对象传递不知道会不会出现新的问题
function扫描方式下寻找目标函数无法准确解析所有语法
<?php
function read_file($li){
return @file_get_contents($li);
}
function read_file2($li){
return file_get_contents($li);
}
read_file(aaa($_GET['a']));
read_file2(aaa($_GET['a']));
因为敏感函数调用在return中,所以要找到漏洞函数,则需要分析当前行语句,然后解析寻找
xss demo
test.jsp
<% out.println(request.getParameter("id")); %>
define变量检测读取警告
System and Python Environment
centos7腾讯云服务器
| Item | Tooltip | Value |
|---|---|---|
| System | uname -a |
|
| Python | python -V |
|
| Cobra | python cobra.py |
Description
[Description of the bug or feature]
运行报错
Steps to Reproduce
- [First Step]
- [Second Step]
- [and so on...]
Expected behavior: [What you expected to happen]
Actual behavior: [What actually happened]
如何把所有的hash函数加入修复函数问题
对于hash函数来说,尤其是在注入中,会起到和修复函数相同的效果,但php中的hash函数众多,怎么把它们加入的修复函数列表中
没有标记内置函数导致的深度递归搜索问题
没有标记内置函数导致的深度递归搜索问题
范例如下
protected function parse($str)
{
$str = $this->removeComments($str);
$str = $this->parseIncludeComponent($str);
// 回车 换行
$str = str_replace("{CR}", "<?php echo \"\\r\";?>", $str);
$str = str_replace("{LF}", "<?php echo \"\\n\";?>", $str);
// if else elseif
$str = preg_replace("/\{if\s+(.+?)\}/", "<?php if(\\1) { ?>", $str);
$str = preg_replace("/\{else\}/", "<?php } else { ?>", $str);
$str = preg_replace("/\{elseif\s+(.+?)\}/", "<?php } elseif (\\1) { ?>", $str);
$str = preg_replace("/\{\/if\}/", "<?php } ?>", $str);
// loop
$str = preg_replace("/\{loop\s+(\S+)\s+(\S+)\}/e", "\$this->addquote('<?php if(isset(\\1) && is_array(\\1)) foreach(\\1 as \\2) { ?>')", $str);
$str = preg_replace("/\{loop\s+(\S+)\s+(\S+)\s+(\S+)\}/e", "\$this->addquote('<?php if(isset(\\1) && is_array(\\1)) foreach(\\1 as \\2=>\\3) { ?>')", $str);
$str = preg_replace("/\{\/loop\}/", "<?php } ?>", $str);
// url生成
$str = preg_replace("/\{url\(([^}]+)\)\}/", "<?php echo LtObjectUtil::singleton('LtUrl')->generate(\\1);?>", $str);
// 函数
$str = preg_replace("/\{([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff:]*\s*\(([^{}]*)\))\}/", "<?php echo \\1;?>", $str);
$str = preg_replace("/\{\\$([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff:]*\(([^{}]*)\))\}/", "<?php echo \$\\1;?>", $str);
// 变量
/**
* 放弃支持$name.name.name
在处理分析$str,如果右值为functioncall,那么就会将右值的函数名作为新的搜索目标进入一个子递归分析中。
由于这是内置函数,所以这里产生了大量的分析代价。甚至导致严重的递归问题
无法解决敏感函数从变量输入的问题
简单举例子来说就是
$_GET['a']($_POST['b']);
secret 修复函数逻辑有问题
echo htmlentities($_GET['a']);
这句语句会被错误的判定为未修复
因为在判断修复函数逻辑之前,先进行了$_GET的基本判断。
判断为可控参数,则直接跳出逻辑
parser.py
is_co, cp = is_controllable(param_name)
if len(nodes) != 0 and is_co != 1:
node = nodes[len(nodes) - 1]
if isinstance(node, php.Assignment): # 回溯的过程中,对出现赋值情况的节点进行跟踪
param_node = get_node_name(node.node) # param_node为被赋值的变量
param_expr, expr_lineno, is_re = get_expr_name(node.expr) # param_expr为赋值表达式,param_expr为变量或者列表
[ BUG ] analysis函数两种报错
[WARNING] [MainThread] [10:26:52] [engine.py:582] Traceback (most recent call last):
File "/Users/litiezhu/Cobra-W/cobra/engine.py", line 560, in scan
result = scan_parser(code_contents, rule_match, self.line_number, self.file_path)
File "/Users/litiezhu/Cobra-W/cobra/parser.py", line 778, in scan_parser
analysis(all_nodes, func, back_node, int(vul_lineno), file_path, function_params=None)
File "/Users/litiezhu/Cobra-W/cobra/parser.py", line 756, in analysis
analysis(node.nodes, vul_function, back_node, vul_lineo, function_params)
File "/Users/litiezhu/Cobra-W/cobra/parser.py", line 753, in analysis
analysis(node.nodes, vul_function, function_body, vul_lineo, function_params=function_params, file_path=file_path)
File "/Users/litiezhu/Cobra-W/cobra/parser.py", line 744, in analysis
analysis_if_else(node, back_node, vul_function, vul_lineo, function_params, file_path=file_path)
File "/Users/litiezhu/Cobra-W/cobra/parser.py", line 564, in analysis_if_else
analysis(node.else_.node.nodes, vul_function, back_node, vul_lineno, function_params, file_path=file_path)
TypeError: analysis() got multiple values for keyword argument 'file_path'
主要是analysis函数的file_path参数位置错误,修改完后还有TypeError: analysis() takes at least 5 arguments (4 given)的错误,详情:
[WARNING] [MainThread] [10:28:06] [engine.py:582] Traceback (most recent call last):
File "/Users/litiezhu/Cobra-W/cobra/engine.py", line 560, in scan
result = scan_parser(code_contents, rule_match, self.line_number, self.file_path)
File "/Users/litiezhu/Cobra-W/cobra/parser.py", line 778, in scan_parser
analysis(all_nodes, func, back_node, int(vul_lineno), file_path, function_params=None)
File "/Users/litiezhu/Cobra-W/cobra/parser.py", line 756, in analysis
analysis(node.nodes, vul_function, back_node, vul_lineo, function_params)
File "/Users/litiezhu/Cobra-W/cobra/parser.py", line 753, in analysis
analysis(node.nodes, vul_function, function_body, vul_lineo, function_params=function_params, file_path=file_path)
File "/Users/litiezhu/Cobra-W/cobra/parser.py", line 728, in analysis
analysis(buffer_, vul_function, back_node, vul_lineo, function_params)
File "/Users/litiezhu/Cobra-W/cobra/parser.py", line 735, in analysis
analysis(nodes, vul_function, back_node, vul_lineo)
TypeError: analysis() takes at least 5 arguments (4 given)
TypeError: can only concatenate str (not "int") to str
[12:02:07][engine.py:1001] Traceback (most recent call last):
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\engine.py", line 970, in scan
result = js_scan_parser(rule_match, self.line_number, self.file_path,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1668, in scan_parser
analysis(all_nodes, func, back_node, int(vul_lineno), file_path, function_params=None)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1607, in analysis
analysis_expression(node, vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1548, in analysis_expression
expression_node = get_member_data(expression.right)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 107, in get_member_data
value += get_member_data(i.key, isclean_prototype=isclean_prototype)
TypeError: can only concatenate str (not "int") to str
如果出现AB互相生成函数,出现不可解的递归问题
如果出现AB互相生成函数,出现不可解的递归问题
大概代码如下
function A(){
B();
}
function B(){
A();
}
尽管这两个函数生成可能会有诸多的限制条件,但是在静态分析中不考虑这么多的条件,则会出现难以避免的递归问题
AttributeError: 'NoneType' object has no attribute 'split'
[12:02:20][engine.py:1001] Traceback (most recent call last):
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\engine.py", line 970, in scan
result = js_scan_parser(rule_match, self.line_number, self.file_path,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1668, in scan_parser
analysis(all_nodes, func, back_node, int(vul_lineno), file_path, function_params=None)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1607, in analysis
analysis_expression(node, vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1545, in analysis_expression
analysis_callexpression(expression, vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1500, in analysis_callexpression
analysis(nodes, vul_function, back_node, int(vul_lineno), file_path, function_params=function_params,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1607, in analysis
analysis_expression(node, vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1545, in analysis_expression
analysis_callexpression(expression, vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1493, in analysis_callexpression
analysis_params(node, back_node, vul_function, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1425, in analysis_params
is_co, cp, expr_lineno = deep_parameters_back(param, back_node, function_params, count, file_path, vul_lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1365, in deep_parameters_back
is_co, cp, expr_lineno = parameters_back(param, back_node, function_params, lineno, vul_function=vul_function,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1186, in parameters_back
is_co, cp, expr_lineno = parameters_back(param, vul_nodes, function_params, lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1226, in parameters_back
is_co, cp, expr_lineno = function_back(node, function_params, back_nodes=nodes, file_path=file_path,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 409, in function_back
is_co, cp, expr_lineno = parameters_back(param, nodes, function_params, file_path=file_path, isback=isback,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1313, in parameters_back
is_co, cp, expr_lineno = parameters_back(param, if_body, function_params, lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1313, in parameters_back
is_co, cp, expr_lineno = parameters_back(param, if_body, function_params, lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1313, in parameters_back
is_co, cp, expr_lineno = parameters_back(param, if_body, function_params, lineno,
[Previous line repeated 1 more time]
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1138, in parameters_back
if callee_name == vul_function or callee_name == "this." + vul_function.split(".")[-1]:
if else中有严重的重复分析代码的递归
因为if else属于不同的代码块,其中变量互不影响,在完成时,是通过每一部分都进入新的递归逻辑。
但是debug发现,因为递归返回后,node没有改变,那么这部分递归仍然会重复,严重就会导致死循环,如果跳出if else的条件判断。
敏感语句在敏感函数中时,敏感函数会错误的回溯变量
function a($a, $b, $c){
echo $a;
eval($b);
}
当扫描规则为针对eval的扫描时,会重新建立对a函数的扫描。
当发现
a($_GET['a'],"echo 2333","1");
这段代码会被错误的识别为漏洞
回溯类中的私有函数存在问题
类中的很多函数是私有的,可能存在多个类中都有私有函数,但是现在没有针对类专门的定制回溯。
ps: 因为私有函数不是可共享的,所以在回溯的时候会发生一些问题,但是想不到有效的办法区分这些不同的函数。
新生成的函数如果是类的魔术方法,那么他就会把所有的都遍历一遍,互相之间有严重的影响。
get函数已经出现了这个问题。
需要想办法对不同的类做区分。
关于适配框架的思考
作者师傅好,最近在看cobra.py的代码,特别是核心代码parser.py,发现你对这个文件改动最多,修复了不少问题,但是对于静态扫描框架一筹莫展,不知能否给一些提示,如何适配php的框架,比如laravel、symfony、yii等,以及可能会取得什么样的效果。或者采用php运行时检测hook的那种方式能取得比较好的效果?
赋值语句右边常量拼接存在递归冗余
这个问题我帮你单独提出来
function add_func($di){
$pid="random"+"goood";
mysql_query($pid);
}回溯如下
[DEBUG] [MainThread] [18:42:42] [parser.py:1320] [AST] vul_function:mysql_query
[DEBUG] [MainThread] [18:42:42] [parser.py:1127] [AST] AST to find param Variable('$pid')
[DEBUG] [MainThread] [18:42:42] [parser.py:602] [BT] param=Variable('$pid'),nodes=[Function('add_func', [FormalParameter('$di', None, False, None)], [Assignment(Variable('$pid'), BinaryOp('+', 'random', 'goood'), False), FunctionCall('mysql_query', [Parameter(Variable('$pid'), False)])], False)],function_params=None, lineno=5,function_flag=0,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [18:42:42] [parser.py:797] [AST] param $pid line 5 in function add_func line 3, start ast in function
[DEBUG] [MainThread] [18:42:42] [parser.py:602] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$pid'), BinaryOp('+', 'random', 'goood'), False)],function_params=[FormalParameter('$di', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [18:42:42] [parser.py:732] [AST] Find $pid from list for ['random', 'goood'] in line 4, start ast for list ['random', 'goood']
[DEBUG] [MainThread] [18:42:42] [parser.py:602] [BT] param=Variable('random'),nodes=[],function_params=[FormalParameter('$di', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [18:42:42] [parser.py:602] [BT] param=Variable('goood'),nodes=[],function_params=[FormalParameter('$di', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [18:42:42] [engine.py:809] [AST] [RET] []
AttributeError: 'NoneType' object has no attribute 'loc'
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1340, in parameters_back
is_co, cp, expr_lineno = parameters_back(param, nodes[:-1], function_params, lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 903, in parameters_back
expr_lineno = node.init.loc.start.line
AttributeError: 'NoneType' object has no attribute 'loc'
尝试在寻找到反序列化漏洞之后,展示pop chain
尝试在寻找到反序列化漏洞之后,展示pop chain
define list变量处理错误问题
在实际的扫描过程中发现,define仍然会有各式各样的结构,还不能有效的解决这个问题
define SITELIST_TABLE=BinaryOp('.', Variable('$table_prefix'), 'sitelist')
[DEBUG] [MainThread] [14:10:13] [pretreatment.py:68] [AST][Pretreatment] new define SMILIES_TABLE=BinaryOp('.', Variable('$table_prefix'), 'smilies')
[DEBUG] [MainThread] [14:10:13] [pretreatment.py:68] [AST][Pretreatment] new define SPHINX_TABLE=BinaryOp('.', Variable('$table_prefix'), 'sphinx')
[DEBUG] [MainThread] [14:10:13] [pretreatment.py:68] [AST][Pretreatment] new define STYLES_TABLE=BinaryOp('.', Variable('$table_prefix'), 'styles')
[DEBUG] [MainThread] [14:10:13] [pretreatment.py:68] [AST][Pretreatment] new define STYLES_TEMPLATE_TABLE=BinaryOp('.', Variable('$table_prefix'), 'styles_template')
[DEBUG] [MainThread] [14:10:13] [pretreatment.py:68] [AST][Pretreatment] new define STYLES_TEMPLATE_DATA_TABLE=BinaryOp('.', Variable('$table_prefix'), 'styles_template_data')
[DEBUG] [MainThread] [14:10:13] [pretreatment.py:68] [AST][Pretreatment] new define STYLES_THEME_TABLE=BinaryOp('.', Variable('$table_prefix'), 'styles_theme')
[DEBUG] [MainThread] [14:10:13] [pretreatment.py:68] [AST][Pretreatment] new define STYLES_IMAGESET_TABLE=BinaryOp('.', Variable('$table_prefix'), 'styles_imageset')
[DEBUG] [MainThread] [14:10:13] [pretreatment.py:68] [AST][Pretreatment] new define STYLES_IMAGESET_DATA_TABLE=BinaryOp('.', Variable('$table_prefix'), 'styles_imageset_data')
[DEBUG] [MainThread] [14:10:13] [pretreatment.py:68] [AST][Pretreatment] new define TEAMPAGE_TABLE=BinaryOp('.', Variable('$table_prefix'), 'teampage')
[DEBUG] [MainThread] [14:10:13] [pretreatment.py:68] [AST][Pretreatment] new define TOPICS_TABLE=BinaryOp('.', Variable('$table_prefix'), 'topics')
[DEBUG] [MainThread] [14:10:13] [pretreatment.py:68] [AST][Pretreatment] new define TOPICS_POSTED_TABLE=BinaryOp('.', Variable('$table_prefix'), 'topics_posted')
[DEBUG] [MainThread] [14:10:13] [pretreatment.py:68] [AST][Pretreatment] new define TOPICS_TRACK_TABLE=BinaryOp('.', Variable('$table_prefix'), 'topics_track')
[DEBUG] [MainThread] [14:10:13] [pretreatment.py:68] [AST][Pretreatment] new define TOPICS_WATCH_TABLE=BinaryOp('.', Variable('$table_prefix'), 'topics_watch')
[DEBUG] [MainThread] [14:10:13] [pretreatment.py:68] [AST][Pretreatment] new define USER_GROUP_TABLE=BinaryOp('.', Variable('$table_prefix'), 'user_group')
[DEBUG] [MainThread] [14:10:13] [pretreatment.py:68] [AST][Pretreatment] new define USER_NOTIFICATIONS_TABLE=BinaryOp('.', Variable('$table_prefix'), 'user_notifications')
[DEBUG] [MainThread] [14:10:13] [pretreatment.py:68] [AST][Pretreatment] new define USERS_TABLE=BinaryOp('.', Variable('$table_prefix'), 'users')
inlcude 回溯目录没有正确处理绝对路径
include_once(G5_ADMIN_PATH.'/admin.head.php');
对于这样的常量配合的绝对路径没有正确处理。
相关代码于parser.py line 630
由读取文件一次5行导致的扫描问题
虽然还不能完全确认问题的来源,不过可以肯定的是
从2b2ef4211c8b4f1c124129e01be62dfaf8eaeb43这个分支开始,我尝试通过一次读取5行来解决一个漏洞出现在多行种的解决办法导致了更大的问题。
现在的扫描会导致在参数匹配扫描时出现无法读取参数的严重问题,获取不到函数的参数就无法进行接下来的参数回溯
function-regex模式跳出限制不明的问题
function-regex模式起初是被设计为会跑完所有的恶意地址。
但实际上来说,只取了列表的第一个
if len(result) > 0:
if result[0]['code'] == 1: # 函数参数可控
return True, 'Function-param-controllable', result[0]['chain']
elif result[0]['code'] == 2: # 漏洞修复
return False, 'Function-param-controllable but fixed', result[0]['chain']
elif result[0]['code'] == 3: # 疑似漏洞
return True, 'Unconfirmed Function-param-controllable', result[0]['chain']
elif result[0]['code'] == -1: # 函数参数不可控
return False, 'Function-param-uncon', result[0]['chain']
elif result[0]['code'] == 4: # 新规则生成
return False, 'New Core', result[0]['source']
logger.debug('[AST] [CODE] {code}'.format(code=result[0]['code']))
else:
logger.debug(
'[AST] Parser failed / vulnerability parameter is not controllable {r}'.format(
r=result))
return False, 'Can\'t parser'
所以列表后面的就变得无意义了。
假设如果一行语句中同时存在两个敏感函数,如果第一个可控,第二个不可控,那么第二个就会被忽略,匹配到第一个之后就会直接结束。
敏感语句封装函数,没有回溯函数
类似于下面这种代码
function get_data($url)
{
$ch = curl_init();
$timeout = 5;
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
php switch 语句分析异常
php switch 语句分析异常
试图展示每一个调用链
试图展示每一个调用链
参数回溯到$_SERVER不能正确判断是否可控
参数回溯到$_SERVER不能正确判断是否可控
目前为止是统一认为可控
UnboundLocalError: local variable 'param' referenced before assignment
[12:01:54][cast.py:323] [AST] Can't get param, check built-in rule
Traceback (most recent call last):
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\cast.py", line 292, in is_controllable_param
_is_co, _cp, expr_lineno, chain = js_analysis_params(param_name, [],
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1425, in analysis_params
is_co, cp, expr_lineno = deep_parameters_back(param, back_node, function_params, count, file_path, vul_lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1365, in deep_parameters_back
is_co, cp, expr_lineno = parameters_back(param, back_node, function_params, lineno, vul_function=vul_function,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1186, in parameters_back
is_co, cp, expr_lineno = parameters_back(param, vul_nodes, function_params, lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1114, in parameters_back
is_co, cp, expr_lineno = function_back(property_value, function_params, nodes, file_path, isback,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 409, in function_back
is_co, cp, expr_lineno = parameters_back(param, nodes, function_params, file_path=file_path, isback=isback,
UnboundLocalError: local variable 'param' referenced before assignment
当分析函数内部时调用了存在于外部的函数声明,则回溯中断
范例代码大致如下
function a(a){
return a
}
function b(b){
c = a(b);
return c;
}
b(location.hash)
由于函数内部本身会递归为子作用域,在子作用域中无法搜索外部的函数定义...这应该是一个架构问题...
cobra-w对比cobra
System and Python Environment
| Item | Tooltip | Value |
|---|---|---|
| System | uname -a |
CentOS7 |
| Python | python -V |
Python 3.7.0 |
| Cobra | python cobra.py |
cobra-w v1.1.0 |
Description
对比cobra v2.0.0-alpha.5,最明显的差异是cobra-w没有扫描出dvwa中的命令注入相关的漏洞,而优势是cobra-w扫描出了2处sqli,分别对应路径为sqli/ sqli_blind/
Steps to Reproduce
cobra-w
- python cobra.py -t /root/php/dvwa/vulnerabilities/ -f html -o ./cobra_w_dvwa.html
cobra
- python cobra.py -t /root/php/dvwa/vulnerabilities/ -f json -o ./cobra_dvwa.json
Expected behavior: 期望cobra-w能包含cobra的关键性漏洞
Actual behavior: 未包含最关键的高危漏洞命令注入
AttributeError: 'NoneType' object has no attribute 'type'
[12:02:21][engine.py:1001] Traceback (most recent call last):
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\engine.py", line 970, in scan
result = js_scan_parser(rule_match, self.line_number, self.file_path,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1668, in scan_parser
analysis(all_nodes, func, back_node, int(vul_lineno), file_path, function_params=None)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1607, in analysis
analysis_expression(node, vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1545, in analysis_expression
analysis_callexpression(expression, vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1500, in analysis_callexpression
analysis(nodes, vul_function, back_node, int(vul_lineno), file_path, function_params=function_params,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1622, in analysis
analysis_If(node, vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1450, in analysis_If
analysis([if_body], vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1619, in analysis
analysis(node.body, vul_function, back_node, vul_lineno, file_path, function_params=function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1629, in analysis
analysis_callexpression(child_node.init, vul_function, back_node, vul_lineno, file_path,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1500, in analysis_callexpression
analysis(nodes, vul_function, back_node, int(vul_lineno), file_path, function_params=function_params,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1615, in analysis
analysis(node.body.body, vul_function, back_node, vul_lineno, file_path,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1622, in analysis
analysis_If(node, vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1454, in analysis_If
analysis([else_body], vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1619, in analysis
analysis(node.body, vul_function, back_node, vul_lineno, file_path, function_params=function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1622, in analysis
analysis_If(node, vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1454, in analysis_If
analysis([else_body], vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1619, in analysis
analysis(node.body, vul_function, back_node, vul_lineno, file_path, function_params=function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1622, in analysis
analysis_If(node, vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1450, in analysis_If
analysis([if_body], vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1619, in analysis
analysis(node.body, vul_function, back_node, vul_lineno, file_path, function_params=function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1607, in analysis
analysis_expression(node, vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1545, in analysis_expression
analysis_callexpression(expression, vul_function, back_node, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1493, in analysis_callexpression
analysis_params(node, back_node, vul_function, vul_lineno, file_path, function_params)
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1425, in analysis_params
is_co, cp, expr_lineno = deep_parameters_back(param, back_node, function_params, count, file_path, vul_lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1365, in deep_parameters_back
is_co, cp, expr_lineno = parameters_back(param, back_node, function_params, lineno, vul_function=vul_function,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1340, in parameters_back
is_co, cp, expr_lineno = parameters_back(param, nodes[:-1], function_params, lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1340, in parameters_back
is_co, cp, expr_lineno = parameters_back(param, nodes[:-1], function_params, lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1324, in parameters_back
is_co, cp, expr_lineno = parameters_back(param, else_body, function_params, lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1313, in parameters_back
is_co, cp, expr_lineno = parameters_back(param, if_body, function_params, lineno,
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1054, in parameters_back
if is_thisexp(cp):
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 272, in is_thisexp
if node.object.type == "ThisExpression":
AttributeError: 'NoneType' object has no attribute 'type'
'ArrayOffset' object has no attribute 'name'
<?php
function random($val){
$b=$_GET['maple'];
$c=$b[0];
mysql_query($c);
}回溯和报错:
[DEBUG] [MainThread] [18:13:28] [engine.py:801] [RULE_MATCH] ['mysql_query', 'mysql_db_query']
[DEBUG] [MainThread] [18:13:28] [parser.py:1316] [AST] vul_function:mysql_query
[DEBUG] [MainThread] [18:13:28] [parser.py:1123] [AST] AST to find param Variable('$c')
[DEBUG] [MainThread] [18:13:28] [parser.py:598] [BT] param=Variable('$c'),nodes=[Function('random', [FormalParameter('$val', None, False, None)], [Assignment(Variable('$b'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$c'), ArrayOffset(Variable('$b'), 0), False), FunctionCall('mysql_query', [Parameter(Variable('$c'), False)])], False)],function_params=None, lineno=6,function_flag=0,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [18:13:28] [parser.py:793] [AST] param $c line 6 in function random line 3, start ast in function
[DEBUG] [MainThread] [18:13:28] [parser.py:598] [BT] param=Variable('$c'),nodes=[Assignment(Variable('$b'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$c'), ArrayOffset(Variable('$b'), 0), False)],function_params=[FormalParameter('$val', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [18:13:28] [parser.py:641] [AST] Find $c=$b in line 5, start ast for param $b
[DEBUG] [MainThread] [18:13:28] [parser.py:598] [BT] param=ArrayOffset(Variable('$b'), 0),nodes=[Assignment(Variable('$b'), ArrayOffset(Variable('$_GET'), 'maple'), False)],function_params=[FormalParameter('$val', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [18:13:28] [parser.py:615] [AST] AST analysis for ArrayOffset in line 5
[DEBUG] [MainThread] [18:13:28] [parser.py:1169] Traceback (most recent call last):
File "/root/Cobra-W/cobra/core_engine/php/parser.py", line 1155, in anlysis_function
file_path=file_path)
File "/root/Cobra-W/cobra/core_engine/php/parser.py", line 1322, in analysis_variable_node
is_co, cp, expr_lineno, chain = anlysis_params(param, file_path, param_lineno, vul_function=vul_function)
File "/root/Cobra-W/cobra/core_engine/php/parser.py", line 1133, in anlysis_params
vul_function=vul_function)
File "/root/Cobra-W/cobra/core_engine/php/parser.py", line 967, in deep_parameters_back
file_path=file_path, isback=isback, parent_node=0)
File "/root/Cobra-W/cobra/core_engine/php/parser.py", line 812, in parameters_back
if node_param.name == cp.name:
AttributeError: 'ArrayOffset' object has no attribute 'name'
[DEBUG] [MainThread] [18:13:28] [engine.py:809] [AST] [RET] []
IndexError: tuple index out of range
[12:01:51][cast.py:307] [AST] New vul function Music.prototype._removeHtml()
[12:01:51][engine.py:155] [New Rule] Error to unpack function param, Something error
Traceback (most recent call last):
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\engine.py", line 32, in init_match_rule
if data[2]:
IndexError: tuple index out of range
AttributeError: 'list' object has no attribute 'body'
[12:01:51][cast.py:323] [AST] Can't get param, check built-in rule
Traceback (most recent call last):
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\cast.py", line 292, in is_controllable_param
_is_co, _cp, expr_lineno, chain = js_analysis_params(param_name, [],
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\javascript\parser.py", line 1408, in analysis_params
back_node = ast_object.get_nodes(file_path, vul_lineno=vul_lineno, lan='javascript').body
File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\pretreatment.py", line 439, in get_nodes
allnodes = self.pre_result[filepath]['ast_nodes'].body
AttributeError: 'list' object has no attribute 'body'
数组变量传递过程中忽略键值
数组变量传递过程中忽略键值
<?php
$c['a'] = $_GET['a'];
$a = $c['d'];
echo $a;
这个代码会被识别为漏洞,因为数组变量传递过程中忽略了键值,这需要专门的逻辑做处理
逻辑结构回溯有问题
function add_func($any){
$did=$_GET['maple'];
$pid="random";
if(1>0){
$pid=$did;
}
mysql_query($pid);
}递归回溯
[DEBUG] [MainThread] [17:07:12] [parser.py:1317] [AST] vul_function:mysql_query
[DEBUG] [MainThread] [17:07:12] [parser.py:1124] [AST] AST to find param Variable('$pid')
[DEBUG] [MainThread] [17:07:12] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$glob'), ArrayOffset(Variable('$_GET'), 'maple'), False), Function('add_func', [FormalParameter('$di', None, False, None)], [Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), If(BinaryOp('>', 1, 0), Block([Assignment(Variable('$pid'), Variable('$did'), False)]), [], None), FunctionCall('mysql_query', [Parameter(Variable('$pid'), False)])], False)],function_params=None, lineno=33,function_flag=0,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [17:07:12] [parser.py:794] [AST] param $pid line 33 in function add_func line 23, start ast in function
[DEBUG] [MainThread] [17:07:12] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), If(BinaryOp('>', 1, 0), Block([Assignment(Variable('$pid'), Variable('$did'), False)]), [], None)],function_params=[FormalParameter('$di', None, False, None)], lineno=23,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [17:07:12] [parser.py:849] [AST] param $pid line 27 in if/else, start ast in if/else
[DEBUG] [MainThread] [17:07:12] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$pid'), Variable('$did'), False)],function_params=[FormalParameter('$di', None, False, None)], lineno=27,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=If(BinaryOp('>', 1, 0), Block([Assignment(Variable('$pid'), Variable('$did'), False)]), [], None)
[DEBUG] [MainThread] [17:07:12] [parser.py:641] [AST] Find $pid=$did in line 28, start ast for param $did
[DEBUG] [MainThread] [17:07:12] [parser.py:598] [BT] param=Variable('$did'),nodes=[],function_params=[FormalParameter('$di', None, False, None)], lineno=27,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [17:07:12] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False)],function_params=[FormalParameter('$di', None, False, None)], lineno=23,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [17:07:12] [parser.py:641] [AST] Find $pid=random in line 0, start ast for param random
[DEBUG] [MainThread] [17:07:12] [engine.py:809] [AST] [RET] []
换成while 也一样,都不能报。cobra可以报,cobra在处理逻辑结构的时候把block里面的节点拿出来放到back_nodes里面去了。
扫描java代码报无匹配规则错误
System and Python Environment
| Item | Tooltip | Value |
|---|---|---|
| System | uname -a |
|
| Python | python -V |
|
| Cobra | python cobra.py |
Description
[Description of the bug or feature]
Steps to Reproduce
- [First Step]
- [Second Step]
- [and so on...]
Expected behavior: [What you expected to happen]
Actual behavior: [What actually happened]
扫描逻辑错误
当目标文件小于5行时,不能检测出漏洞,如
<?php
eval($_GET[123]);
大于5行时正常
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.