bartvanarnhem / phpscan

Symbolic execution inspired PHP application scanner for code-path discovery
MIT License

Result different from README #1

Open jiahao42 opened 5 years ago

jiahao42 commented 5 years ago

Hello,

I find that the result of running examples/example3.php is different from the README.

In the README, it's:

$ python phpscan.py examples/example3.php
Scanning of examples/example3.php finished...
 - Needed 5 runs
 - Took 0.234709 seconds

Successfully reached "reached_home" using input:
_POST
_GET
  num
    value: 11 (integer)
  page
    value: home (string)
_COOKIE
_REQUEST

Successfully reached "reached_greater_than" using input:
_POST
_GET
  num
    value: 11 (integer)
  page
    value: home (string)
_COOKIE
_REQUEST

On my computer, it's:

$ python phpscan.py -v 1 examples/example3.php
Running with new input
_POST
_GET
_COOKIE
_FILES
_REQUEST

PHP OPs
[
    {
        "op2_type": 1, 
        "op1_data_type": "array", 
        "op1_id": "3f4e82cd-3631-4f72-8140-8d3f9520e5ab", 
        "op2_id": "untracked (zval_id=-1)", 
        "op2_data_type": "string", 
        "op1_type": 4, 
        "op2_value": "page", 
        "opcode": 115, 
        "op1_value": []
    }
]

PHP TRANSFORMs
[]

CONDITIONS
[]

BASE VARS
{
    "6c5ac5cf-208f-4730-b3d9-2726deee529e": {
        "type": "array"
    }, 
    "1d38d893-5b0c-4b44-b3a5-28a7aeae136a": {
        "type": "array"
    }, 
    "fetch_dim_r(3f4e82cd-3631-4f72-8140-8d3f9520e5ab:page)": {
        "type": "unknown", 
        "value": ""
    }, 
    "b1a86d85-16cd-4a91-b56c-964aa5e3eeb6": {
        "type": "array"
    }, 
    "3c6b9fa9-ede2-4384-ac44-04347d3cd7de": {
        "type": "array"
    }, 
    "3f4e82cd-3631-4f72-8140-8d3f9520e5ab": {
        "type": "array", 
        "properties": {
            "page": {
                "type": "unknown", 
                "value": ""
            }
        }
    }
}

SOLVER RESULT
sat

SOLVER MODEL

Resulted in new state
_POST
_GET
  page
    value:  (unknown, fetch_dim_r(3f4e82cd-3631-4f72-8140-8d3f9520e5ab:page))
_COOKIE
_FILES
_REQUEST

Running with new input
_POST
_GET
  page
    value:  (unknown, 956afe53-f24b-474a-92e6-1a25448267f9)
_COOKIE
_REQUEST
_FILES

PHP OPs
[
    {
        "op2_type": 1, 
        "op1_data_type": "array", 
        "op1_id": "08ae9584-f539-4702-9fe8-bf1883dfb67b", 
        "op2_id": "untracked (zval_id=-1)", 
        "op2_data_type": "string", 
        "op1_type": 4, 
        "op2_value": "page", 
        "opcode": 115, 
        "op1_value": {
            "page": ""
        }
    }, 
    {
        "op2_type": 1, 
        "op1_data_type": "array", 
        "op1_id": "08ae9584-f539-4702-9fe8-bf1883dfb67b", 
        "op2_id": "untracked (zval_id=-1)", 
        "op2_data_type": "string", 
        "op1_type": 4, 
        "op2_value": "num", 
        "opcode": 115, 
        "op1_value": {
            "page": ""
        }
    }
]

PHP TRANSFORMs
[]

CONDITIONS
[]

BASE VARS
{
    "0d4b2a95-033a-4300-8d43-f88d3075728e": {
        "type": "array"
    }, 
    "a0d6bd29-3660-4546-afba-6cdcc7b0b336": {
        "type": "array"
    }, 
    "73e0d5d3-e0b5-41f3-910c-216f873c3183": {
        "type": "array"
    }, 
    "956afe53-f24b-474a-92e6-1a25448267f9": {
        "type": "unknown", 
        "value": ""
    }, 
    "08ae9584-f539-4702-9fe8-bf1883dfb67b": {
        "type": "array", 
        "properties": {
            "num": {
                "type": "unknown", 
                "value": ""
            }, 
            "page": {
                "type": "unknown", 
                "value": ""
            }
        }
    }, 
    "ff70b47d-4e9e-4022-b681-93277921f352": {
        "type": "array"
    }, 
    "fetch_dim_r(08ae9584-f539-4702-9fe8-bf1883dfb67b:num)": {
        "type": "unknown", 
        "value": ""
    }
}

SOLVER RESULT
sat

SOLVER MODEL

Resulted in new state
_POST
_GET
  num
    value:  (unknown, fetch_dim_r(08ae9584-f539-4702-9fe8-bf1883dfb67b:num))
  page
    value:  (unknown, 956afe53-f24b-474a-92e6-1a25448267f9)
_COOKIE
_REQUEST
_FILES

Running with new input
_POST
_GET
  num
    value:  (unknown, d042ab98-d7cd-4c51-8805-187cb7b3175d)
  page
    value:  (unknown, 8d89aa19-a669-415d-a4df-98a3ed632ded)
_COOKIE
_FILES
_REQUEST

PHP OPs
[
    {
        "op2_type": 1, 
        "op1_data_type": "array", 
        "op1_id": "a0d0c97e-ba4f-4706-b4e4-02d5b25d75e4", 
        "op2_id": "untracked (zval_id=-1)", 
        "op2_data_type": "string", 
        "op1_type": 4, 
        "op2_value": "page", 
        "opcode": 115, 
        "op1_value": {
            "num": "", 
            "page": ""
        }
    }, 
    {
        "op2_type": 1, 
        "op1_data_type": "array", 
        "op1_id": "a0d0c97e-ba4f-4706-b4e4-02d5b25d75e4", 
        "op2_id": "untracked (zval_id=-1)", 
        "op2_data_type": "string", 
        "op1_type": 4, 
        "op2_value": "num", 
        "opcode": 115, 
        "op1_value": {
            "num": "", 
            "page": ""
        }
    }, 
    {
        "op2_type": 1, 
        "op1_data_type": "array", 
        "op1_id": "a0d0c97e-ba4f-4706-b4e4-02d5b25d75e4", 
        "op2_id": "untracked (zval_id=-1)", 
        "op2_data_type": "string", 
        "op1_type": 4, 
        "op2_value": "page", 
        "opcode": 81, 
        "op1_value": {
            "num": "", 
            "page": ""
        }
    }, 
    {
        "op2_type": 1, 
        "op1_data_type": "string", 
        "op1_id": "untracked (zval_id=-1)", 
        "op2_id": "untracked (zval_id=-1)", 
        "op2_data_type": "string", 
        "op1_type": 4, 
        "op2_value": "home", 
        "opcode": 15, 
        "op1_value": ""
    }, 
    {
        "op2_type": 1, 
        "op1_data_type": "array", 
        "op1_id": "a0d0c97e-ba4f-4706-b4e4-02d5b25d75e4", 
        "op2_id": "untracked (zval_id=-1)", 
        "op2_data_type": "string", 
        "op1_type": 4, 
        "op2_value": "num", 
        "opcode": 81, 
        "op1_value": {
            "num": "", 
            "page": ""
        }
    }, 
    {
        "op2_type": 4, 
        "op1_data_type": "integer", 
        "op1_id": "untracked (zval_id=-1)", 
        "op2_id": "untracked (zval_id=-1)", 
        "op2_data_type": "string", 
        "op1_type": 1, 
        "op2_value": "", 
        "opcode": 19, 
        "op1_value": 10
    }
]

PHP TRANSFORMs
{
    "fetch_dim_r(a0d0c97e-ba4f-4706-b4e4-02d5b25d75e4:num)": {
        "function": "fetch_dim_r", 
        "args": [
            {
                "type": "symbolic", 
                "id": "a0d0c97e-ba4f-4706-b4e4-02d5b25d75e4", 
                "value": {
                    "num": "", 
                    "page": ""
                }
            }, 
            {
                "type": "raw_value", 
                "value": "num"
            }
        ], 
        "ids": [
            "a0d0c97e-ba4f-4706-b4e4-02d5b25d75e4"
        ]
    }, 
    "fetch_dim_r(a0d0c97e-ba4f-4706-b4e4-02d5b25d75e4:page)": {
        "function": "fetch_dim_r", 
        "args": [
            {
                "type": "symbolic", 
                "id": "a0d0c97e-ba4f-4706-b4e4-02d5b25d75e4", 
                "value": {
                    "num": "", 
                    "page": ""
                }
            }, 
            {
                "type": "raw_value", 
                "value": "page"
            }
        ], 
        "ids": [
            "a0d0c97e-ba4f-4706-b4e4-02d5b25d75e4"
        ]
    }
}

CONDITIONS
[]

BASE VARS
{
    "0f49047b-72dc-4f2f-8df2-d1c4c9eb68ee": {
        "type": "array"
    }, 
    "8d89aa19-a669-415d-a4df-98a3ed632ded": {
        "type": "unknown", 
        "value": ""
    }, 
    "1e6ac4da-bb4f-4b38-947e-7792dd64bf45": {
        "type": "array"
    }, 
    "7267eb83-f1e9-4f08-ad20-37aeea56e0ab": {
        "type": "array"
    }, 
    "60c6f5f1-086c-4928-9c1b-468cf0745dd0": {
        "type": "array"
    }, 
    "a0d0c97e-ba4f-4706-b4e4-02d5b25d75e4": {
        "type": "array", 
        "properties": {
            "num": {
                "type": "unknown", 
                "value": ""
            }, 
            "page": {
                "type": "unknown", 
                "value": ""
            }
        }
    }, 
    "d042ab98-d7cd-4c51-8805-187cb7b3175d": {
        "type": "unknown", 
        "value": ""
    }
}

SOLVER RESULT
sat

SOLVER MODEL

Resulted in new state
_POST
_GET
  num
    value:  (unknown, d042ab98-d7cd-4c51-8805-187cb7b3175d)
  page
    value:  (unknown, 8d89aa19-a669-415d-a4df-98a3ed632ded)
_COOKIE
_FILES
_REQUEST

Scanning of examples/example3.php finished...
 - Needed 4 runs
 - Took 0.147223 seconds

The number of runs is different, and the exact values cannot be solved either. I wonder if something is wrong with my computer? Similar things happen with the other examples as well (the values stay unknown).

Here is some info about my build:

php: PHP 7.1.28-1+ubuntu18.04.1+deb.sury.org+3 (cli) (built: Apr 10 2019 10:50:29) ( NTS )
OS: Linux Mint, 4.15.0-20-generic
runkit7: https://github.com/TysonAndre/runkit7/commit/a85089484b45ef4f198cba36e345ea92dc0c6271
z3: https://github.com/Z3Prover/z3/commit/aafb16e8ede6df8015e0c644c3e47cd4426de162

Any help is appreciated, thanks!
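The verbose dump above is easier to reason about once the numeric opcodes are decoded into the path conditions the scanner is trying to satisfy. The script below is an added example, not part of this issue and not phpscan's own code. It replays the six `PHP OPs` of the last run (constructed here from the dump, with the UUIDs and `op1_value` arrays dropped because only operand types and literals matter), turns them into conditions, checks a concrete `$_GET` against them, and proposes one satisfying input. The opcode numbers are PHP 7's from `zend_vm_opcodes.h` (IS_IDENTICAL = 15, IS_SMALLER = 19, FETCH_DIM_R = 81, ISSET_ISEMPTY_DIM_OBJ = 115), and operand type 1 is IS_CONST. `propose_input` is a deliberately naive stand-in for the Z3 step, not how phpscan solves; it exists only to show why the README's run ends at `num = 11` and `page = "home"`.

```python
import json

# PHP 7 opcode numbers (zend_vm_opcodes.h), limited to those in the dump above.
OPCODES = {
    15: "IS_IDENTICAL",
    19: "IS_SMALLER",
    81: "FETCH_DIM_R",
    115: "ISSET_ISEMPTY_DIM_OBJ",
}
IS_CONST = 1  # zend operand type for a literal; 4 (IS_VAR) is a tracked variable

# Constructed sample: the third run's ops from the dump, ids and arrays trimmed.
SAMPLE_OPS = json.loads("""
[
  {"opcode": 115, "op1_type": 4, "op2_type": 1, "op2_value": "page"},
  {"opcode": 115, "op1_type": 4, "op2_type": 1, "op2_value": "num"},
  {"opcode": 81,  "op1_type": 4, "op2_type": 1, "op2_value": "page"},
  {"opcode": 15,  "op1_type": 4, "op2_type": 1, "op1_value": "", "op2_value": "home"},
  {"opcode": 81,  "op1_type": 4, "op2_type": 1, "op2_value": "num"},
  {"opcode": 19,  "op1_type": 1, "op2_type": 4, "op1_value": 10, "op2_value": ""}
]
""")


def decode(ops):
    """Replay the op list and return path conditions as tuples.

    FETCH_DIM_R names the $_GET key whose value the following comparison
    reads; in a comparison, the constant operand is the one typed IS_CONST.
    """
    conditions = []
    last_key = None
    for op in ops:
        name = OPCODES.get(op["opcode"])
        if name == "ISSET_ISEMPTY_DIM_OBJ":
            conditions.append(("isset", op["op2_value"]))
        elif name == "FETCH_DIM_R":
            last_key = op["op2_value"]
        elif name == "IS_IDENTICAL":
            const = op["op2_value"] if op["op2_type"] == IS_CONST else op["op1_value"]
            conditions.append((last_key, "===", const))
        elif name == "IS_SMALLER":
            if op["op1_type"] == IS_CONST:   # const < var  is  var > const
                conditions.append((last_key, ">", op["op1_value"]))
            else:                            # var < const
                conditions.append((last_key, "<", op["op2_value"]))
        else:
            raise ValueError("unhandled opcode %r" % op["opcode"])
    return conditions


def satisfies(get, conditions):
    """Check a concrete $_GET dict against decoded conditions.

    === is PHP-strict (type and value); < and > are evaluated on ints only,
    a simplification of PHP's loose numeric comparison.
    """
    for cond in conditions:
        if cond[0] == "isset":
            if cond[1] not in get:
                return False
            continue
        key, rel, const = cond
        if key not in get:
            return False
        val = get[key]
        if rel == "===" and not (type(val) is type(const) and val == const):
            return False
        if rel == ">" and not (isinstance(val, int) and val > const):
            return False
        if rel == "<" and not (isinstance(val, int) and val < const):
            return False
    return True


def propose_input(conditions):
    """Naive stand-in for the solver: one concrete $_GET meeting every condition."""
    get = {}
    for cond in conditions:
        if cond[0] == "isset":
            get.setdefault(cond[1], "")  # isset() is true for "" in PHP
            continue
        key, rel, const = cond
        if rel == "===":
            get[key] = const
        elif rel == ">":
            get[key] = const + 1
        elif rel == "<":
            get[key] = const - 1
    if not satisfies(get, conditions):
        raise ValueError("naive strategy could not satisfy the conditions")
    return get


if __name__ == "__main__":
    conds = decode(SAMPLE_OPS)
    for c in conds:
        print(c)
    print(propose_input(conds))
```

Reading the decoded conditions next to the dump also shows what a healthy run must produce: the two `isset` checks explain why the first two runs only add the `page` and `num` keys, and the `===` and `<` ops in the third run are the constraints whose model should fill in the concrete values. An empty `SOLVER MODEL` with `CONDITIONS []`, as in the dump above, means those two comparisons never reached the solver.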

qiyeboy commented 4 years ago

@bartvanarnhem I am running into the same problem as above.

qiyeboy commented 4 years ago

@jiahao42 Have you made any progress? Could you share it?

jiahao42 commented 4 years ago

> @jiahao42 Have you made any progress? Could you share it?

Hi, I remember I got it to work, but I cannot remember how. Here is my edited code; I hope it can help.

RootDNA commented 2 years ago

Have you seen where the error came from?

RootDNA commented 2 years ago

@jiahao42 //