LoRexxar / Kunlun-M

KunLun-M is a fully open-source static white-box scanning tool. It supports semantic scanning of PHP and JavaScript, basic security and component security scanning, and basic scanning of Chrome extensions and Solidity.
MIT License

Problem when the right-hand side of a variable assignment is a concatenation of variables #62

Open m4p1e opened 4 years ago

m4p1e commented 4 years ago
```php
function add_func($did){
    $did=$_GET['maple'];
    $pid="random";
    $pid=$pid.$did;
    $a = $pid ^ 'randow';
    $b = $a.'aaaaaaaaaaaaaaaaaaaaaaaaaaa';
    mysql_query($b);
}
```

Why does it choose to skip this here? What logic is behind that?

```
[DEBUG] [MainThread] [17:50:53] [parser.py:1314] [AST] vul_function:mysql_query
[DEBUG] [MainThread] [17:50:53] [parser.py:1121] [AST] AST to find param Variable('$b')
[DEBUG] [MainThread] [17:50:53] [parser.py:791] [AST] param $b line 10 in function add_func line 3, start ast in function
[DEBUG] [MainThread] [17:50:53] [parser.py:728] [AST] Find $b from list for ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'] in line 9, start ast for list ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa']
[DEBUG] [MainThread] [17:50:53] [parser.py:728] [AST] Find $a from list for ['$pid', 'randow'] in line 8, start ast for list ['$pid', 'randow']
[DEBUG] [MainThread] [17:50:53] [parser.py:728] [AST] Find $pid from list for ['$pid', '$did'] in line 6, start ast for list ['$pid', '$did']
[DEBUG] [MainThread] [17:50:53] [parser.py:741] [AST] param $pid in list ['$pid', '$did'], continue...
[DEBUG] [MainThread] [17:50:53] [parser.py:640] [AST] Find $pid=random in line 0, start ast for param random
[DEBUG] [MainThread] [17:50:53] [engine.py:809] [AST] [RET] []
```

grayguest commented 4 years ago

My guess is that it's the constant concatenation. By the way, LoRexxar's data-flow analysis logs are really detailed.

LoRexxar commented 4 years ago

I ran into this problem before... The main thing is a case I hit during testing: when a variable comes from concatenation, it comes from a list, and if part of that list is controllable and part is not, the variable isn't necessarily controllable. That produced too many false positives, so for now I changed this part to decide the result as soon as one variable is confirmed controllable or confirmed not controllable.

LoRexxar commented 4 years ago

Another problem is that with large code bases this kind of branching recurses endlessly, which is hard to handle.

m4p1e commented 4 years ago

But in practice there are many cases where external variables are not referenced directly; they are more or less always concatenated.

m4p1e commented 4 years ago

I see you still keep literals. I think you could do it like Cobra does and just ignore them when processing the expr on the right-hand side of the equals sign. There's no need to put them in the list and recurse over them again.

grayguest commented 4 years ago

> I see you still keep literals. I think you could do it like Cobra does and just ignore them when processing the expr on the right-hand side of the equals sign. There's no need to put them in the list and recurse over them again.

Where does it recurse?

grayguest commented 4 years ago

My feeling is that concatenation could be treated as a kind of sanitization to reduce false positives. When actually used in an SDL, too many false positives would make it fall apart; let SAST solve the problems it is able to solve.

LoRexxar commented 4 years ago

> I see you still keep literals. I think you could do it like Cobra does and just ignore them when processing the expr on the right-hand side of the equals sign. There's no need to put them in the list and recurse over them again.

> Where does it recurse?

The current approach is to process them one by one; as soon as one of them is confirmed controllable or confirmed not controllable, it stops. That still counts as recursion.

m4p1e commented 4 years ago

> I see you still keep literals. I think you could do it like Cobra does and just ignore them when processing the expr on the right-hand side of the equals sign. There's no need to put them in the list and recurse over them again.

> Where does it recurse?

For example, in `$a = $pid ^ 'randow';` the literal 'randow' is processed once:

```
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('randow'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
```

This is a logger at the very beginning of parameters_back.

LoRexxar commented 4 years ago

> I see you still keep literals. I think you could do it like Cobra does and just ignore them when processing the expr on the right-hand side of the equals sign. There's no need to put them in the list and recurse over them again.

> Where does it recurse?

> For example, in `$a = $pid ^ 'randow';` the literal 'randow' is processed once:

> ```
> [DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('randow'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
> ```

> This is a logger at the very beginning of parameters_back.

The `random` here should come from `$pid="random";`, not from that XOR.

m4p1e commented 4 years ago

Master, here's the complete recursion for you. This one is 'randow', the one ending in w:

```
[DEBUG] [MainThread] [09:43:03] [parser.py:1315] [AST] vul_function:mysql_query
[DEBUG] [MainThread] [09:43:03] [parser.py:1122] [AST] AST to find param Variable('$b')
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$b'),nodes=[Assignment(Variable('$glob'), ArrayOffset(Variable('$_GET'), 'maple'), False), Function('add_func', [FormalParameter('$did', None, False, None)], [Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False), Assignment(Variable('$b'), BinaryOp('.', Variable('$a'), 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'), False), FunctionCall('mysql_query', [Parameter(Variable('$b'), False)])], False)],function_params=None, lineno=10,function_flag=0,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [09:43:03] [parser.py:792] [AST] param $b line 10 in function add_func line 3, start ast in function
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$b'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False), Assignment(Variable('$b'), BinaryOp('.', Variable('$a'), 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:729] [AST] Find $b from list for ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'] in line 9, start ast for list ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa']
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$a'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:729] [AST] Find $a from list for ['$pid', 'randow'] in line 8, start ast for list ['$pid', 'randow']
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:729] [AST] Find $pid from list for ['$pid', '$did'] in line 6, start ast for list ['$pid', '$did']
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:641] [AST] Find $pid=random in line 0, start ast for param random
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = None,expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=-1 ,cp = None,expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$did'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$did'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [09:43:03] [parser.py:641] [AST] Find $did=$_GET in line 4, start ast for param $_GET
[DEBUG] [MainThread] [09:43:03] [parser.py:339] [AST] is_controllable --> $_GET
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=1 ,cp = Variable('$_GET'),expr_lineno=4 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=1 ,cp = Variable('$_GET'),expr_lineno=4 
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=1 ,cp = Variable('$_GET'),expr_lineno=4 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=1 ,cp = Variable('$_GET'),expr_lineno=4 
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('randow'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('randow'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=-1 ,cp = Variable('randow'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('randow'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=-1 ,cp = Variable('randow'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=-1 ,cp = Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [engine.py:809] [AST] [RET] []
```

Master, I commented it out. The skip logic at the very beginning is the line below:

```python
 # If the target parameter is itself in the list, that creates new problems; the choice here is to skip it if present
 #if param_name in param_expr:
 #   logger.debug("[AST] param {} in list {}, continue...".format(param_name, param_expr))
```

m4p1e commented 4 years ago

The TEST output in there can be ignored.

m4p1e commented 4 years ago
```
[DEBUG] [MainThread] [10:55:28] [parser.py:1315] [AST] vul_function:mysql_query
[DEBUG] [MainThread] [10:55:28] [parser.py:1122] [AST] AST to find param Variable('$b')
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$b'),nodes=[Assignment(Variable('$glob'), ArrayOffset(Variable('$_GET'), 'maple'), False), Function('add_func', [FormalParameter('$did', None, False, None)], [Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False), Assignment(Variable('$b'), BinaryOp('.', Variable('$a'), 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'), False), FunctionCall('mysql_query', [Parameter(Variable('$b'), False)])], False)],function_params=None, lineno=10,function_flag=0,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [10:55:28] [parser.py:792] [AST] param $b line 10 in function add_func line 3, start ast in function
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$b'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False), Assignment(Variable('$b'), BinaryOp('.', Variable('$a'), 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:729] [AST] Find $b from list for ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'] in line 9, start ast for list ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa']
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$a'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:729] [AST] Find $a from list for ['$pid', 'randow'] in line 8, start ast for list ['$pid', 'randow']
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:729] [AST] Find $pid from list for ['$pid', '$did'] in line 6, start ast for list ['$pid', '$did']
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:641] [AST] Find $pid=random in line 0, start ast for param random
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$did'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$did'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [10:55:28] [parser.py:641] [AST] Find $did=$_GET in line 4, start ast for param $_GET
[DEBUG] [MainThread] [10:55:28] [parser.py:339] [AST] is_controllable --> $_GET
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('randow'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [engine.py:809] [AST] [RET] []
```

LoRexxar commented 4 years ago

> Master, here's the complete recursion for you. This one is 'randow', the one ending in w:

> ```
> [DEBUG] [MainThread] [09:43:03] [parser.py:1315] [AST] vul_function:mysql_query
> [DEBUG] [MainThread] [09:43:03] [parser.py:1122] [AST] AST to find param Variable('$b')
> [DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$b'),nodes=[Assignment(Variable('$glob'), ArrayOffset(Variable('$_GET'), 'maple'), False), Function('add_func', [FormalParameter('$did', None, False, None)], [Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False), Assignment(Variable('$b'), BinaryOp('.', Variable('$a'), 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'), False), FunctionCall('mysql_query', [Parameter(Variable('$b'), False)])], False)],function_params=None, lineno=10,function_flag=0,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
> [DEBUG] [MainThread] [09:43:03] [parser.py:792] [AST] param $b line 10 in function add_func line 3, start ast in function
> [DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$b'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False), Assignment(Variable('$b'), BinaryOp('.', Variable('$a'), 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
> [DEBUG] [MainThread] [09:43:03] [parser.py:729] [AST] Find $b from list for ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'] in line 9, start ast for list ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa']
> [DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$a'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
> [DEBUG] [MainThread] [09:43:03] [parser.py:729] [AST] Find $a from list for ['$pid', 'randow'] in line 8, start ast for list ['$pid', 'randow']
> [DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
> [DEBUG] [MainThread] [09:43:03] [parser.py:729] [AST] Find $pid from list for ['$pid', '$did'] in line 6, start ast for list ['$pid', '$did']
> [DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
> [DEBUG] [MainThread] [09:43:03] [parser.py:641] [AST] Find $pid=random in line 0, start ast for param random
> [DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = None,expr_lineno=0 
> [DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=-1 ,cp = None,expr_lineno=0 
> [DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$did'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
> [DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$did'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
> [DEBUG] [MainThread] [09:43:03] [parser.py:641] [AST] Find $did=$_GET in line 4, start ast for param $_GET
> [DEBUG] [MainThread] [09:43:03] [parser.py:339] [AST] is_controllable --> $_GET
> [DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=1 ,cp = Variable('$_GET'),expr_lineno=4 
> [DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=1 ,cp = Variable('$_GET'),expr_lineno=4 
> [DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=1 ,cp = Variable('$_GET'),expr_lineno=4 
> [DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=1 ,cp = Variable('$_GET'),expr_lineno=4 
> [DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('randow'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
> [DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('randow'),expr_lineno=0 
> [DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=-1 ,cp = Variable('randow'),expr_lineno=0 
> [DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('randow'),expr_lineno=0 
> [DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=-1 ,cp = Variable('randow'),expr_lineno=0 
> [DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
> [DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),expr_lineno=0 
> [DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=-1 ,cp = Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),expr_lineno=0 
> [DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),expr_lineno=0 
> [DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),expr_lineno=0 
> [DEBUG] [MainThread] [09:43:03] [engine.py:809] [AST] [RET] []
> ```

> Master, I commented it out. The skip logic at the very beginning is the line below:

> ```python
>  # If the target parameter is itself in the list, that creates new problems; the choice here is to skip it if present
>  #if param_name in param_expr:
>  #   logger.debug("[AST] param {} in list {}, continue...".format(param_name, param_expr))
> ```

I know what's going on now; let me see how to fix it.

m4p1e commented 4 years ago

Master, in theory if I comment out that spot above it should get detected, but it doesn't. I'm still looking for where the recursion logic goes wrong -。-

LoRexxar commented 4 years ago

> Master, in theory if I comment out that spot above it should get detected, but it doesn't. I'm still looking for where the recursion logic goes wrong -。-

I don't remember the details, only vaguely: because this list shows up in many places, including function parameters, it's very easy to run into problems, and I adjusted it many times...

I think I might need a board to record the sample code I hit with each fix... I don't remember any of it.

m4p1e commented 4 years ago

I think I found it: https://github.com/LoRexxar/Cobra-W/blob/master/cobra/core_engine/php/parser.py#L757

Here, once a controllable one is found, can't it just return? No need to keep iterating? Add a line after it:

if _is_co != -1:  # 当参数可控时,值赋给is_co 和 cp,有一个参数可控,则认定这个函数可能可控
                            is_co = _is_co
                            cp = _cp
+                           return is_co,cp,expr_lineno
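Review bot: the added `return is_co,cp,expr_lineno` fires on the first part whose `_is_co` is anything other than -1, because the guard is `if _is_co != -1:` rather than `_is_co == 1`; if the controllability value can be something besides 1 and -1 (for example an undecided result), this returns early on an undecided part as well as on a confirmed controllable one, so tighten the guard to `_is_co == 1` or handle the undecided case explicitly. Also, `expr_lineno` is not assigned in this branch alongside `is_co` and `cp`, so the line number being returned is whatever the loop left it as; confirm it was set from the same part that produced `_cp` before returning it, otherwise the reported location will not match the reported source.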

After I added this, it gets detected.

LoRexxar commented 4 years ago

> I think I found it: https://github.com/LoRexxar/Cobra-W/blob/master/cobra/core_engine/php/parser.py#L757

> Here, once a controllable one is found, can't it just return? Add a line after it:

> if _is_co != -1:  # 当参数可控时,值赋给is_co 和 cp,有一个参数可控,则认定这个函数可能可控
>                             is_co = _is_co
>                             cp = _cp
> +                           return is_co,cp,expr_lineno

> After I added this, it gets detected.

If you return here you'll run into the issue I mentioned... you judge it controllable as soon as you hit one controllable part, but not all concatenation is a problem...
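To make the behaviours argued over in this thread concrete, here is an added example (not KunLun-M or Cobra-W code) that models the backward search over the reporter's `add_func()` as a list of assignments and compares three things: the commented-out "skip when the target is itself in the list" check, the stop-at-first-decided policy the maintainer describes, and the any-part-controllable policy behind the proposed early `return`. The node shapes, function names, the `SOURCES` and `SANITIZERS` sets and the sanitized counter-example are all assumptions made for this illustration.

```python
# Added example, not KunLun-M / Cobra-W code: a minimal model of the backward
# "is this parameter controllable?" search, built to compare the policies
# discussed in issue #62 on the reporter's own snippet. Node shapes, function
# names, SOURCES and SANITIZERS are assumptions for this illustration.

CONTROLLABLE, UNKNOWN, SAFE = 1, 0, -1

# Assumed taint sources: a name with no assignment that is in this set.
SOURCES = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE"}
# Assumed cleaning functions: their result counts as safe.
SANITIZERS = {"intval", "addslashes"}


def combine(parts, stmts, policy, skip_self):
    """Merge the verdicts of the parts of a concatenation under one policy."""
    if policy == "first_decided":
        # Policy described in the thread: stop at the first part that is
        # confirmed controllable OR confirmed safe, whichever comes first.
        for part in parts:
            verdict = resolve(part, stmts, policy, skip_self)
            if verdict != UNKNOWN:
                return verdict
        return UNKNOWN
    if policy == "any_controllable":
        # One controllable part taints the whole value; all safe -> safe.
        verdicts = [resolve(p, stmts, policy, skip_self) for p in parts]
        if CONTROLLABLE in verdicts:
            return CONTROLLABLE
        return SAFE if all(v == SAFE for v in verdicts) else UNKNOWN
    raise ValueError("unknown policy: %s" % policy)


def resolve(expr, stmts, policy, skip_self):
    """Verdict for an expression, given only the statements that precede it."""
    kind = expr[0]
    if kind == "lit":
        return SAFE
    if kind == "var":
        return trace(expr[1], stmts, policy, skip_self)
    if kind == "call":
        _, func, arg = expr
        return SAFE if func in SANITIZERS else resolve(arg, stmts, policy, skip_self)
    if kind == "concat":
        return combine(expr[1], stmts, policy, skip_self)
    raise ValueError("unknown node: %s" % kind)


def trace(name, stmts, policy, skip_self):
    """Walk the assignments backwards to find where `name` gets its value."""
    for i in range(len(stmts) - 1, -1, -1):
        target, rhs = stmts[i]
        if target != name:
            continue
        # The check the reporter commented out: if the target also appears on
        # the right-hand side (e.g. $pid = $pid . $did), skip that statement.
        if skip_self and rhs[0] == "concat" and ("var", name) in rhs[1]:
            continue
        return resolve(rhs, stmts[:i], policy, skip_self)
    return CONTROLLABLE if name in SOURCES else UNKNOWN


# The reporter's add_func() as (target, rhs) pairs. The tool's log turns
# `$pid ^ 'randow'` into the list ['$pid', 'randow'], so '^' is modelled
# exactly like '.' here.
ISSUE_SNIPPET = [
    ("$did", ("var", "$_GET")),                                   # $did = $_GET['maple'];
    ("$pid", ("lit", "random")),                                  # $pid = "random";
    ("$pid", ("concat", [("var", "$pid"), ("var", "$did")])),     # $pid = $pid.$did;
    ("$a",   ("concat", [("var", "$pid"), ("lit", "randow")])),   # $a = $pid ^ 'randow';
    ("$b",   ("concat", [("var", "$a"), ("lit", "aaaaaaaa")])),   # $b = $a.'aaaa...';
]

# Constructed counter-example for the false-positive concern: the only
# external input passes through a sanitizer before being concatenated.
SANITIZED_SNIPPET = [
    ("$id", ("call", "intval", ("var", "$_GET"))),                # $id = intval($_GET['id']);
    ("$q",  ("concat", [("lit", "SELECT 1 WHERE id="), ("var", "$id")])),
]


def verdict_for(name, stmts, policy, skip_self):
    """Controllability verdict for `name` at the end of `stmts`."""
    return trace(name, stmts, policy, skip_self)


if __name__ == "__main__":
    for policy, skip in (("first_decided", True), ("first_decided", False),
                         ("any_controllable", True), ("any_controllable", False)):
        print("%-17s skip_self=%-5s -> $b: %d"
              % (policy, skip, verdict_for("$b", ISSUE_SNIPPET, policy, skip)))
    print("any_controllable on sanitized $q ->",
          verdict_for("$q", SANITIZED_SNIPPET, "any_controllable", False))
```

Run as a script it prints one verdict per combination. On the issue snippet, `$b` comes out safe (-1) whenever the self-reference skip is on, because `$pid = $pid.$did` is never examined and the search falls through to `$pid = "random"`; with the skip off, `first_decided` still reports safe because `$pid` resolves to the literal before `$did` is ever looked at, and only `any_controllable` with the skip off reaches `$_GET`. The sanitized query stays safe under that same policy, which is the point worth taking from the false-positive concern: whether a concatenated value is flagged should depend on what each part resolves to, not on the mere presence of concatenation.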

LoRexxar commented 4 years ago

Let's set this issue aside for now; I'll trace through it in detail when I have time.

m4p1e commented 4 years ago

Master, what's your email? I'd like to ask you some questions when I have time!

LoRexxar commented 4 years ago

> Master, what's your email? I'd like to ask you some questions when I have time!

lorexxar@gmail.com