LoRexxar / Kunlun-M

KunLun-M is a fully open-source static white-box scanning tool. It supports semantic scanning of PHP and JavaScript, basic security and component security scanning, and basic scanning of Chrome extensions and Solidity.
MIT License

It looks like the RCE audit has some problems? #118

Closed lightning-zb closed 3 years ago

lightning-zb commented 3 years ago

root@kali:~/tools/Kunlun-M# python3 kunlun.py scan -t ../../2020/findvul/pikachu-master/vul/rce/ -r 1009,1011 -d
[09:53:41] [INIT] set logging level: debug
[09:53:41] [INIT] start Scan Task...
[09:53:41] [INIT] New Log file ScanTask_8.log .
[09:53:41] [INIT] set logging level: debug
[09:53:41] [PARSE-ARGS] Target Mode: folder
[09:53:41] [PARSE-ARGS] Output Mode: stream
[09:53:41] [PARSE-ARGS] target directory: ../../2020/findvul/pikachu-master/vul/rce/
[09:53:41] [CLI] Target : /root/2020/findvul/pikachu-master/vul/rce/
[09:53:41] [PICKUP] /root/2020/findvul/pikachu-master/vul/rce/
[09:53:41] [PICKUP] [FILES] |--rce.php
[09:53:41] [PICKUP] [FILES] |--rce_eval.php
[09:53:41] [PICKUP] [FILES] |--rce_ping.php
[09:53:41] [PICKUP] [EXTENSION-COUNT] .php : 3
[09:53:41] [DETECTION] [LANGUAGE] .php 3
[09:53:41] [DETECTION] [LANGUAGE] found the chiefly language(php), maybe have largest, continue...
[09:53:41] [DETECTION] [LANGUAGE] main languages (php), tmp language(None)
[09:53:41] Dependency analysis cannot be done without finding dependency files
[09:53:41] [DETECTION] [FRAMEWORK] Unknown Framework
[09:53:41] [CLI] [STATISTIC] Language: php Framework: Unknown Framework
[09:53:41] [CLI] [STATISTIC] Files: 3, Extensions:1, Consume: 0.0005426406860351562
[09:53:41] [CLI] [SPECIAL-RULE] only scan used by CVI_1009.py,CVI_1011.py
[09:53:41] [PUSH] 2 Rules
[09:53:41] [PUSH] [CVI_1009] 0.RCE(php)
[09:53:41] [PUSH] [CVI_1011] 1.RCE(php)
[09:53:41] [!] Start scan [CVI-1009]
[09:53:41] [ENGINE] [ORIGIN] match-mode function-param-regex
[09:53:41] [CVI-1009] [ORIGIN] /root/2020/findvul/pikachu-master/vul/rce/rce_eval.php: 19: eval($_POST['txt']))
[09:53:41] [CVI-1009] [VERIFY-VULNERABILITY] (0)
File: /root/2020/findvul/pikachu-master/vul/rce/rce_eval.php:19
Code: eval($_POST['txt']))
[09:53:41] [CVI-1009] match-mode function-param-regex
[09:53:41] [AST] [LANGUAGE] php
[09:53:41] [RULE_MATCH] ['array_map', 'create_function', 'call_user_func', 'call_user_func_array', 'assert', 'eval', 'dl', 'register_tick_function', 'register_shutdown_function']
[09:53:41] [AST] [RET] []
[09:53:41] [AST] Parser failed / vulnerability parameter is not controllable []
[09:53:41] Not vulnerability: Can't parser
[09:53:41] [CVI-1009] [ORIGIN] /root/2020/findvul/pikachu-master/vul/rce/rce_eval.php: 41: eval()
[09:53:41] [CVI-1009] [VERIFY-VULNERABILITY] (1)
File: /root/2020/findvul/pikachu-master/vul/rce/rce_eval.php:41
Code: eval()
[09:53:41] [CVI-1009] match-mode function-param-regex
[09:53:41] [AST] [LANGUAGE] php
[09:53:41] [RULE_MATCH] ['array_map', 'create_function', 'call_user_func', 'call_user_func_array', 'assert', 'eval', 'dl', 'register_tick_function', 'register_shutdown_function']
[09:53:41] [AST] [RET] []
[09:53:41] [AST] Parser failed / vulnerability parameter is not controllable []
[09:53:41] Not vulnerability: Can't parser
[09:53:41] [CVI-1009] RCE Vulnerabilities: 0
[09:53:41] [!] Start scan [CVI-1011]
[09:53:41] [ENGINE] [ORIGIN] match-mode function-param-regex
[09:53:41] [CVI-1011] [ORIGIN] /root/2020/findvul/pikachu-master/vul/rce/rce_ping.php: 26: shell_exec('ping '.$ip)
[09:53:41] [CVI-1011] [VERIFY-VULNERABILITY] (0)
File: /root/2020/findvul/pikachu-master/vul/rce/rce_ping.php:26
Code: shell_exec('ping '.$ip)
[09:53:41] [CVI-1011] match-mode function-param-regex
[09:53:41] [AST] [LANGUAGE] php
[09:53:41] [RULE_MATCH] ['system', 'passthru', 'exec', 'pcntl_exec', 'shell_exec', 'popen', 'proc_open', 'ob_start', 'expect_popen', 'mb_send_mail', 'w32api_register_function', 'w32api_invoke_function', 'ssh2_exec']
[09:53:41] [AST] [RET] []
[09:53:41] [AST] Parser failed / vulnerability parameter is not controllable []
[09:53:41] Not vulnerability: Can't parser
[09:53:41] [CVI-1011] [ORIGIN] /root/2020/findvul/pikachu-master/vul/rce/rce_ping.php: 28: shell_exec('ping -c 4 '.$ip)
[09:53:41] [CVI-1011] [VERIFY-VULNERABILITY] (1)
File: /root/2020/findvul/pikachu-master/vul/rce/rce_ping.php:28
Code: shell_exec('ping -c 4 '.$ip)
[09:53:41] [CVI-1011] match-mode function-param-regex
[09:53:41] [AST] [LANGUAGE] php
[09:53:41] [RULE_MATCH] ['system', 'passthru', 'exec', 'pcntl_exec', 'shell_exec', 'popen', 'proc_open', 'ob_start', 'expect_popen', 'mb_send_mail', 'w32api_register_function', 'w32api_invoke_function', 'ssh2_exec']
[09:53:41] [AST] [RET] []
[09:53:41] [AST] Parser failed / vulnerability parameter is not controllable []
[09:53:41] Not vulnerability: Can't parser
[09:53:41] [CVI-1011] RCE Vulnerabilities: 0
[09:53:41] [SCAN] Not found vulnerability!
[09:53:41] [EXPORT] No filename given, save into default path(result/).
[09:53:41] [EXPORT] Not found vulnerability, break export...
[09:53:41] [INIT] Done! Consume Time:0.16021132469177246s
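As an added example for this thread (not Kunlun-M's own engine), here is a minimal Python sketch of the two stages the log shows: a sink-name regex match, then a check of whether the call's argument is controllable from request input. The sink lists are copied from the RULE_MATCH lines above; the PHP sample is constructed to mirror the cases the scanner reported as "Can't parser", including the unbalanced `eval($_POST['txt']))` snippet and the argument-less `eval()` match.

```python
import re
# Sink lists copied from the scanner's RULE_MATCH lines in the report above.
CVI_1009_SINKS = ['array_map', 'create_function', 'call_user_func', 'call_user_func_array',
                  'assert', 'eval', 'dl', 'register_tick_function', 'register_shutdown_function']
CVI_1011_SINKS = ['system', 'passthru', 'exec', 'pcntl_exec', 'shell_exec', 'popen', 'proc_open',
                  'ob_start', 'expect_popen', 'mb_send_mail', 'w32api_register_function',
                  'w32api_invoke_function', 'ssh2_exec']
SUPERGLOBALS = ('$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_SERVER', '$_FILES')
# Constructed PHP sample (not the pikachu source): eval of POST data, a string mentioning
# eval()/shell_exec() with no argument, a tainted $ip, and a constant (safe) target.
SAMPLE = """<?php
if (isset($_POST['submit'])) { eval($_POST['txt']); }
echo 'This page demonstrates eval() and shell_exec().';
$ip = $_POST['ipaddr'];
$result = shell_exec('ping -c 4 ' . $ip);
$fixed = '127.0.0.1';
$ok = shell_exec('ping -c 4 ' . $fixed);
"""
def _mentions(names, text):  # whole-token match, so $ip does not match $ipaddr
    return any(re.search(re.escape(n) + r'\b', text) for n in names)

def extract_call_arg(src, pos):
    # text between the balanced parentheses whose '(' is at src[pos]; None if unbalanced
    depth = 0
    for i in range(pos, len(src)):
        depth += (src[i] == '(') - (src[i] == ')')
        if depth == 0:
            return src[pos + 1:i]
    return None

def tainted_vars(src):
    # flow-insensitive taint: superglobals seed the set; `$v = <expr>;` propagates it
    tainted = set(SUPERGLOBALS)
    for m in re.finditer(r'(\$\w+)\s*(?<![=!<>])=(?!=)\s*([^;]+);', src):
        if _mentions(tainted, m.group(2)):
            tainted.add(m.group(1))
    return tainted

def find_controllable_sinks(src, sinks):
    # stage 1: sink-name regex; stage 2: is the argument reachable from request input?
    tainted = tainted_vars(src)
    pattern = re.compile(r'\b(' + '|'.join(map(re.escape, sinks)) + r')\s*\(')
    findings = []
    for m in pattern.finditer(src):
        arg = extract_call_arg(src, m.end() - 1)
        if not arg or not arg.strip():
            continue  # eval() inside prose, or an unbalanced snippet: nothing to verify
        line = src.count('\n', 0, m.start()) + 1
        findings.append((line, m.group(1), arg, _mentions(tainted, arg)))
    return findings
```

Running it over SAMPLE reports the eval and the first shell_exec as controllable and the constant-target shell_exec as not, which is the distinction the engine's "Parser failed" path collapses into a non-finding.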

LoRexxar commented 3 years ago

This is a problem at the underlying design level, somewhat like #105. Mainly, I feel that forcing a fix doesn't solve the problem.

LoRexxar commented 3 years ago

Let me explore whether there is another way to work around it first.

LoRexxar commented 3 years ago

Local testing shows this bug is fixed, but it feels a bit like closing the barn door after the horse has bolted. This comes down to how the underlying layer classifies tokens; with the current engine we can only patch issues as we run into them. I'll see whether the new engine can solve it.