wh1t3p1g / tabby-vul-finder

A vul-finder for loading CPG and automated finding vul-call-chains

Unable to detect web vulnerabilities #6

Open TheTh1nk3r opened 5 days ago

TheTh1nk3r commented 5 days ago

java -Xmx6g -jar tabby.jar
java -jar tabby-vul-finder.jar load output/dev

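After generating and importing with this project (https://github.com/JoyChou93/java-sec-code), I ran the command java -jar tabby-vul-finder.jar query test ./rules/cyphers.yml and tried all of the bundled rules, but every one of them reports Found 0. Did I get something wrong somewhere?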

2024-11-18 11:05:22.452 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Start Cypher web_to_exec.
2024-11-18 11:05:23.113 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Found 0 path for web_to_exec
2024-11-18 11:05:23.113 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Start Cypher web_to_file_write.
2024-11-18 11:05:23.361 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Found 0 path for web_to_file_write
2024-11-18 11:05:23.361 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Start Cypher web_to_file.
2024-11-18 11:05:23.749 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Found 0 path for web_to_file
2024-11-18 11:05:23.750 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Start Cypher web_to_code.
2024-11-18 11:05:24.119 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Found 0 path for web_to_code
2024-11-18 11:05:24.120 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Start Cypher web_to_ssrf.
2024-11-18 11:05:24.326 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Found 0 path for web_to_ssrf
2024-11-18 11:05:24.327 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Start Cypher web_to_xxe.
2024-11-18 11:05:24.568 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Found 0 path for web_to_xxe
2024-11-18 11:05:24.568 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Start Cypher web_to_jndi.
2024-11-18 11:05:24.776 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Found 0 path for web_to_jndi
2024-11-18 11:05:24.777 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Start Cypher web_to_sqli.
2024-11-18 11:05:24.848 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Found 0 path for web_to_sqli
2024-11-18 11:05:24.848 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Start Cypher web_to_serialize.
2024-11-18 11:05:25.286 INFO 77577 --- [ main] tabby.vul.finder.core.Finder : Found 0 path for web_to_serialize
2024-11-18 11:05:25.286 INFO 77577 --- [ main] tabby.vul.finder.App : Done. Bye!

wh1t3p1g commented 5 days ago

Is taint analysis perhaps not enabled?

TheTh1nk3r commented 5 days ago

My config file looks like this; it should be enabled, right?

# need to modify
tabby.build.target                        = ./java-sec-code-1.0.0.jar
tabby.build.libraries                     = libs
tabby.build.mode                          = web
tabby.output.directory                    = ./output/dev

# debug
tabby.debug.details                       = false
tabby.debug.print.current.methods         = true

# jdk settings
tabby.build.useSettingJRE                 = false
tabby.build.isJRE9Module                  = false
#tabby.build.javaHome                      = /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home
tabby.build.javaHome                      = /Library/Java/JavaVirtualMachines/jdk1.8.0_131.jdk/Contents/Home
tabby.build.isJDKProcess                  = false
tabby.build.withAllJDK                    = false
tabby.build.isJDKOnly                     = false

# dealing fatjar
tabby.build.checkFatJar                   = true

# pointed-to analysis
tabby.build.isFullCallGraphCreate         = true
tabby.build.thread.timeout                = 2
tabby.build.method.timeout                = 5
tabby.build.isNeedToCreateIgnoreList      = false
tabby.build.timeout.forceStop             = false
tabby.build.isNeedToDealNewAddedMethod    = true

tabby.neo4j.username                      = neo4j
tabby.neo4j.password                      = test@123
tabby.neo4j.url                           = bolt://127.0.0.1:7687

wh1t3p1g commented 5 days ago

Change tabby.build.isFullCallGraphCreate = true to false.