LoRexxar / Kunlun-M

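KunLun-M is a fully open-source static white-box scanning tool. It supports semantic scanning of PHP and JavaScript, basic security and component security scanning, and basic scanning of Chrome extensions and Solidity.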
MIT License
2.24k stars 311 forks

Taint propagating into an array does not correctly recurse into the sub-scope #85

Closed shmilylty closed 4 years ago

shmilylty commented 4 years ago

Windows 10 x64 python3.8

Traceback (most recent call last):
  File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\cast.py", line 245, in is_controllable_param
    _is_co, _cp, expr_lineno, chain = php_anlysis_params(param_name, self.file_path, self.line, self.sr.vul_function, self.repair_functions, self.controlled_list, isexternal=True)
  File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 1368, in anlysis_params
    is_co, cp, expr_lineno = deep_parameters_back(param, vul_nodes, function_params, count, file_path, vul_lineno,
  File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 1200, in deep_parameters_back
    is_co, cp, expr_lineno = parameters_back(param, back_node, function_params, lineno, vul_function=vul_function,
  File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 950, in parameters_back
    is_co, cp, expr_lineno = class_back(param, node, lineno, vul_function=vul_function, file_path=file_path,
  File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 566, in class_back
    is_co, cp, expr_lineno = parameters_back(param, vul_nodes, lineno=lineno, function_flag=1,
  File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 898, in parameters_back
    is_co, cp, expr_lineno = parameters_back(param, vul_nodes, function_params, lineno,
  File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 699, in parameters_back
    return parameters_back(param, nodes[:-1], function_params, lineno,
  File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 1168, in parameters_back
    is_co, cp, expr_lineno = parameters_back(param, nodes[:-1], function_params, lineno,
  File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 1168, in parameters_back
    is_co, cp, expr_lineno = parameters_back(param, nodes[:-1], function_params, lineno,
  File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 1168, in parameters_back
    is_co, cp, expr_lineno = parameters_back(param, nodes[:-1], function_params, lineno,
  [Previous line repeated 11 more times]
  File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 680, in parameters_back
    is_co, cp, expr_lineno = array_back(param, nodes, file_path=file_path, isback=isback)
  File "D:\Tools\PenetrationTesting\4.Vulnerability_Analysis\CodeAudit\Kunlun-M\core\core_engine\php\parser.py", line 536, in array_back
    n_node = php.Variable(param_node_expr.node.value)
AttributeError: 'MethodCall' object has no attribute 'value'

LoRexxar commented 4 years ago

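I looked into it. It appears that taint reaching an array is handled as a separate case; this part is probably flawed as a whole, and the logic needs to be removed.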