LoRexxar / Kunlun-M

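KunLun-M is a fully open-source static white-box scanning tool that supports semantic scanning of PHP and JavaScript, basic security and component security scanning, and basic scanning of Chrome Ext\Solidity.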
MIT License

php_unserialize_chain_tools does not support class variables in parameters #215

Open AirSkye opened 2 years ago

AirSkye commented 2 years ago

System and Python Environment

| Item | Tooltip | Value |
| --- | --- | --- |
| System | uname -a | Linux airsky 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2 (2017-06-12) x86_64 GNU/Linux |
| Python | python -V | Python 3.8.0 |
| Cobra | python kunlun.py | v2.6.4.2 |

Description

An error is thrown when using php_unserialize_chain_tools to look for deserialization exploit chains in shopwind.

Steps to Reproduce

  1. python3.8 kunlun.py plugin php_unserialize_chain_tools -t ./yii2-shopwind/

Expected behavior: the scan completes

Actual behavior:

 [10:13:40] [PhpUnSerChain] call new method Variable-$this->normalizeFormat('Variable-$format',)
 [10:13:40] [PhpUnSerChain] Too much deepth. return.
 [10:13:40] Traceback (most recent call last):
  File "/root/Kunlun-M/core/__init__.py", line 155, in main
    plugins.PLUGIN_DICT[args.plugin_name](parser, parser_group_plugin)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 78, in __init__
    self.main()
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 82, in main
    self.get_destruct()
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 101, in get_destruct
    status = self.deep_search_chain(method_nodes, class_locate, unserchain)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 748, in deep_search_chain
    status = self.deep_search_chain(nmnodes, class_locate, unserchain, define_param=define_param, deepth=deepth, parent_method=new_source_node)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 748, in deep_search_chain
    status = self.deep_search_chain(nmnodes, class_locate, unserchain, define_param=define_param, deepth=deepth, parent_method=new_source_node)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 820, in deep_search_chain
    if self.check_dynamic_class_var_exist(node_right, node):
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 657, in check_dynamic_class_var_exist
    return self.check_param_controllable(var_node_left, now_node)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 574, in check_param_controllable
    arraylist = ast.literal_eval(param_name[6:])
  File "/usr/local/lib/python3.8/ast.py", line 59, in literal_eval
    node_or_string = parse(node_or_string, mode='eval')
  File "/usr/local/lib/python3.8/ast.py", line 47, in parse
    return compile(source, filename, mode, flags,
  File "<unknown>", line 1
    ['Variable-$this
                   ^
SyntaxError: EOL while scanning string literal
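
The last frames of the traceback above, reproduced as an added example (not Kunlun-M's code and not part of the original report): `ast.literal_eval` raises `SyntaxError`, not only `ValueError`, when the text after the slice is an unterminated literal such as `['Variable-$this`, so a scanner that wants to keep running has to catch both. The `Array-` prefix and the function name `parse_array_param` are assumptions; the page shows only the `param_name[6:]` slice.

```python
import ast

# Assumed 6-character tag; the traceback shows only param_name[6:].
ARRAY_PREFIX = "Array-"


def parse_array_param(param_name):
    """Return the list encoded after the prefix, or None if it cannot be parsed.

    Hypothetical helper: a caller can treat None as "unknown" and skip the
    node instead of aborting the whole scan.
    """
    if not param_name.startswith(ARRAY_PREFIX):
        return None
    try:
        value = ast.literal_eval(param_name[len(ARRAY_PREFIX):])
    except (SyntaxError, ValueError, MemoryError, RecursionError):
        # SyntaxError: the text is not valid Python (e.g. an unterminated quote).
        # ValueError: valid syntax, but not a plain literal (e.g. a call).
        return None
    return value if isinstance(value, list) else None


# Constructed inputs; the second mirrors the truncated text in the traceback.
SAMPLES = [
    "Array-['Variable-$format']",
    "Array-['Variable-$this",
    "Array-[foo()]",
    "Variable-$format",
]


def classify(samples):
    """Pair each sample with its parse result."""
    return [(s, parse_array_param(s)) for s in samples]


if __name__ == "__main__":
    for sample, parsed in classify(SAMPLES):
        print(f"{sample!r:32} -> {parsed!r}")
```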

LoRexxar commented 2 years ago

It looks like there is some unsupported syntax. Very strange.

MyPuppet commented 2 years ago

> It looks like there is some unsupported syntax. Very strange.

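Could this plugin be made multithreaded? It has been running since the night before last and keeps printing Found New Method... By my estimate, this one project will take at least a week or more to run.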