
Problem when the right-hand side of a variable assignment is a concatenation of variables #62

Open
m4p1e opened this issue Jan 14, 2020 · 21 comments

Comments

@m4p1e commented Jan 14, 2020

function add_func($did){
	$did=$_GET['maple'];
	$pid="random";
	$pid=$pid.$did;
	$a = $pid ^ 'randow';
	$b = $a.'aaaaaaaaaaaaaaaaaaaaaaaaaaa';
	mysql_query($b);
}

Why is this skipped here? What was the reasoning behind it?

[DEBUG] [MainThread] [17:50:53] [parser.py:1314] [AST] vul_function:mysql_query
[DEBUG] [MainThread] [17:50:53] [parser.py:1121] [AST] AST to find param Variable('$b')
[DEBUG] [MainThread] [17:50:53] [parser.py:791] [AST] param $b line 10 in function add_func line 3, start ast in function
[DEBUG] [MainThread] [17:50:53] [parser.py:728] [AST] Find $b from list for ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'] in line 9, start ast for list ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa']
[DEBUG] [MainThread] [17:50:53] [parser.py:728] [AST] Find $a from list for ['$pid', 'randow'] in line 8, start ast for list ['$pid', 'randow']
[DEBUG] [MainThread] [17:50:53] [parser.py:728] [AST] Find $pid from list for ['$pid', '$did'] in line 6, start ast for list ['$pid', '$did']
[DEBUG] [MainThread] [17:50:53] [parser.py:741] [AST] param $pid in list ['$pid', '$did'], continue...
[DEBUG] [MainThread] [17:50:53] [parser.py:640] [AST] Find $pid=random in line 0, start ast for param random
[DEBUG] [MainThread] [17:50:53] [engine.py:809] [AST] [RET] []

@grayguest commented

I'd guess it is treated as constant concatenation.
By the way, LoRexxar's data-flow analysis logs are really detailed.

@LoRexxar (Owner) commented

I ran into this problem before... The main thing was an issue I hit during testing: if a variable comes from concatenation, it comes from a list, and if part of that list is controllable and part is not, the variable is not necessarily controllable. There were too many false positives before, so I later changed this part, for now, so that as soon as one element is confirmed controllable or confirmed not controllable, the verdict is decided.

@LoRexxar (Owner) commented

Another problem is that on large codebases this kind of branch recurses endlessly, which is hard to handle.

@LoRexxar LoRexxar changed the title "Problem when the left and right operands of an assign contain the same PHP variable" to "Problem when the right-hand side of a variable assignment is a concatenation of variables" Jan 14, 2020
@m4p1e (Author) commented Jan 15, 2020

But in practice there are many such cases: external variables are rarely referenced directly, they are almost always concatenated in some way.

@m4p1e (Author) commented Jan 15, 2020

I see you still keep the literals. I think you could simply ignore them when handling the expr on the right side of the equals sign, the way cobra does; there is no need to put them into the list and run another recursion over them.

@grayguest commented

> I see you still keep the literals. I think you could simply ignore them when handling the expr on the right side of the equals sign, the way cobra does; there is no need to put them into the list and run another recursion over them.

Where is the recursion?

@grayguest commented

I feel that concatenation could be treated as a kind of sanitization to reduce false positives. When actually used in an SDL, too many false positives will make the whole thing fall apart; let SAST solve the problems it can solve.

@LoRexxar (Owner) commented

> I see you still keep the literals. I think you could simply ignore them when handling the expr on the right side of the equals sign, the way cobra does; there is no need to put them into the list and run another recursion over them.

> Where is the recursion?

The current approach is to process the elements one by one; if one of them is found to be confirmed controllable or confirmed not controllable, it stops there. That still counts as recursion.

@LoRexxar LoRexxar added the bug label Jan 15, 2020
@m4p1e (Author) commented Jan 15, 2020

> I see you still keep the literals. I think you could simply ignore them when handling the expr on the right side of the equals sign, the way cobra does; there is no need to put them into the list and run another recursion over them.

> Where is the recursion?

For example $a = $pid ^ 'randow';
the literal 'randow' in it triggers one pass:

[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('randow'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None

This is a logger at the very beginning of parameters_back.

@LoRexxar (Owner) commented

> I see you still keep the literals. I think you could simply ignore them when handling the expr on the right side of the equals sign, the way cobra does; there is no need to put them into the list and run another recursion over them.

> Where is the recursion?

> For example $a = $pid ^ 'randow';
> the literal 'randow' in it triggers one pass:

> [DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('randow'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None

> This is a logger at the very beginning of parameters_back.

The random here should come from $pid="random";, not from that XOR.

@m4p1e (Author) commented Jan 15, 2020

Master, let me show you the full recursion. This one is 'randow', the last character is w:

[DEBUG] [MainThread] [09:43:03] [parser.py:1315] [AST] vul_function:mysql_query
[DEBUG] [MainThread] [09:43:03] [parser.py:1122] [AST] AST to find param Variable('$b')
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$b'),nodes=[Assignment(Variable('$glob'), ArrayOffset(Variable('$_GET'), 'maple'), False), Function('add_func', [FormalParameter('$did', None, False, None)], [Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False), Assignment(Variable('$b'), BinaryOp('.', Variable('$a'), 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'), False), FunctionCall('mysql_query', [Parameter(Variable('$b'), False)])], False)],function_params=None, lineno=10,function_flag=0,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [09:43:03] [parser.py:792] [AST] param $b line 10 in function add_func line 3, start ast in function
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$b'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False), Assignment(Variable('$b'), BinaryOp('.', Variable('$a'), 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:729] [AST] Find $b from list for ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'] in line 9, start ast for list ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa']
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$a'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:729] [AST] Find $a from list for ['$pid', 'randow'] in line 8, start ast for list ['$pid', 'randow']
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:729] [AST] Find $pid from list for ['$pid', '$did'] in line 6, start ast for list ['$pid', '$did']
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:641] [AST] Find $pid=random in line 0, start ast for param random
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = None,expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=-1 ,cp = None,expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$did'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('$did'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [09:43:03] [parser.py:641] [AST] Find $did=$_GET in line 4, start ast for param $_GET
[DEBUG] [MainThread] [09:43:03] [parser.py:339] [AST] is_controllable --> $_GET
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=1 ,cp = Variable('$_GET'),expr_lineno=4 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=1 ,cp = Variable('$_GET'),expr_lineno=4 
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=1 ,cp = Variable('$_GET'),expr_lineno=4 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=1 ,cp = Variable('$_GET'),expr_lineno=4 
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('randow'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('randow'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=-1 ,cp = Variable('randow'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('randow'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=-1 ,cp = Variable('randow'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:598] [BT] param=Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:757] [TEST] is_controllable=-1 ,cp = Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [parser.py:945] [TEST2] is_controllable=-1 ,cp = Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),expr_lineno=0 
[DEBUG] [MainThread] [09:43:03] [engine.py:809] [AST] [RET] []

Master, I commented it out. The skip logic at the very beginning is the statement below:

 # If the target parameter is itself in the list, new problems arise; the choice here is to skip it if present
 #if param_name in param_expr:
 #   logger.debug("[AST] param {} in list {}, continue...".format(param_name, param_expr))

@m4p1e (Author) commented Jan 15, 2020

The test output in there can be ignored.

@m4p1e (Author) commented Jan 15, 2020

[DEBUG] [MainThread] [10:55:28] [parser.py:1315] [AST] vul_function:mysql_query
[DEBUG] [MainThread] [10:55:28] [parser.py:1122] [AST] AST to find param Variable('$b')
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$b'),nodes=[Assignment(Variable('$glob'), ArrayOffset(Variable('$_GET'), 'maple'), False), Function('add_func', [FormalParameter('$did', None, False, None)], [Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False), Assignment(Variable('$b'), BinaryOp('.', Variable('$a'), 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'), False), FunctionCall('mysql_query', [Parameter(Variable('$b'), False)])], False)],function_params=None, lineno=10,function_flag=0,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [10:55:28] [parser.py:792] [AST] param $b line 10 in function add_func line 3, start ast in function
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$b'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False), Assignment(Variable('$b'), BinaryOp('.', Variable('$a'), 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:729] [AST] Find $b from list for ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa'] in line 9, start ast for list ['$a', 'aaaaaaaaaaaaaaaaaaaaaaaaaaa']
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$a'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:729] [AST] Find $a from list for ['$pid', 'randow'] in line 8, start ast for list ['$pid', 'randow']
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:729] [AST] Find $pid from list for ['$pid', '$did'] in line 6, start ast for list ['$pid', '$did']
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$pid'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:641] [AST] Find $pid=random in line 0, start ast for param random
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$did'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('$did'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=0
[DEBUG] [MainThread] [10:55:28] [parser.py:641] [AST] Find $did=$_GET in line 4, start ast for param $_GET
[DEBUG] [MainThread] [10:55:28] [parser.py:339] [AST] is_controllable --> $_GET
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('randow'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [parser.py:598] [BT] param=Variable('aaaaaaaaaaaaaaaaaaaaaaaaaaa'),nodes=[Assignment(Variable('$did'), ArrayOffset(Variable('$_GET'), 'maple'), False), Assignment(Variable('$pid'), 'random', False), Assignment(Variable('$pid'), BinaryOp('.', Variable('$pid'), Variable('$did')), False), Assignment(Variable('$a'), BinaryOp('^', Variable('$pid'), 'randow'), False)],function_params=[FormalParameter('$did', None, False, None)], lineno=3,function_flag=1,vul_function=mysql_query,file_path=/root/cobra/tests/vulnerabilities/sql.php,isback=False,parent_node=None
[DEBUG] [MainThread] [10:55:28] [engine.py:809] [AST] [RET] []

@LoRexxar (Owner) commented

> Master, let me show you the full recursion. This one is 'randow', the last character is w:

> [quoted log output and commented-out skip logic from the previous comment]

I know what's going on now; let me see how to fix it.

@m4p1e (Author) commented Jan 15, 2020

Master, in theory if I comment out that spot above it should be detected, but the result is that it isn't. I'm still looking for where the recursion logic goes wrong -。-

@LoRexxar (Owner) commented

> Master, in theory if I comment out that spot above it should be detected, but the result is that it isn't. I'm still looking for where the recursion logic goes wrong -。-

I don't remember the specifics, only vaguely. Because this list shows up in a lot of places, including function parameters, it is easy to run into problems, and I have adjusted it many times...

I think I may need a board where I note down the sample code encountered during each fix... I don't remember any of it.

@m4p1e (Author) commented Jan 15, 2020

I think I found it:
https://github.com/LoRexxar/Cobra-W/blob/master/cobra/core_engine/php/parser.py#L757

When a controllable element is found here, can it just return? There is no need to keep iterating, is there?
Add one line after it:

if _is_co != -1:  # 当参数可控时,值赋给is_co 和 cp,有一个参数可控,则认定这个函数可能可控
                            is_co = _is_co
                            cp = _cp
+                           return is_co,cp,expr_lineno
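Review bot: the added `return is_co,cp,expr_lineno` leaves the loop over `param_expr` at the first element whose `_is_co` is not -1, so the verdict for a concatenation depends on which element is examined first rather than on all of its elements; in this thread's own example `$pid` is resolved before `$did`. Since the condition `_is_co != -1` also fires for an element confirmed as not controllable, a safe first element would mask a later `$_GET`-derived one. If an early exit is kept, consider returning only when `_is_co` is the confirmed-controllable value and otherwise continuing the loop, and document in the comment which `is_co` values mean controllable, not controllable and undetermined.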

After I added this, it got detected.

@LoRexxar (Owner) commented

> I think I found it:
> https://github.com/LoRexxar/Cobra-W/blob/master/cobra/core_engine/php/parser.py#L757

> When a controllable element is found here, can it just return?
> Add one line after it:

if _is_co != -1:  # 当参数可控时,值赋给is_co 和 cp,有一个参数可控,则认定这个函数可能可控
                            is_co = _is_co
                            cp = _cp
+                           return is_co,cp,expr_lineno

> After I added this, it got detected.

If you return here you will hit the issue I mentioned... as soon as you find one controllable element you judge the whole thing controllable, but not every concatenation is a problem...
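
To make the three policies argued over in this thread concrete (the owner's "stop at the first confirmed element", the proposed early `return`, and grayguest's "treat concatenation as sanitization"), together with the commented-out "target parameter is in the list, skip" logic, here is a small backward taint tracker added as an illustration. It is constructed for this page and is not Cobra-W's parser.py. It assumes a simplified statement representation (one tuple per PHP assignment), a sanitizer set containing `intval`, and the verdict convention visible in the logs: 1 controllable, -1 literal or undetermined, plus 0 for a confirmed-safe value, which is assumed.

```python
"""Toy backward taint tracker for the concatenation cases discussed in this issue.

Constructed example, not Cobra-W's parser.py. Verdicts follow the is_controllable
values in the thread's logs: 1 controllable, -1 literal/undetermined; 0 is assumed
here to mean a confirmed-safe (sanitized) value.
"""
from typing import List, Optional, Tuple, Union

CONTROLLABLE, SANITIZED, UNKNOWN = 1, 0, -1
SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST"}
SANITIZERS = {"intval", "addslashes"}   # assumed sanitizer set for this example

# rhs forms: "name" (variable or literal), ["a", "b"] (concatenation parts, like the
# param_expr list in the logs) or ("func", "arg") (a call, possibly a sanitizer).
Expr = Union[str, List[str], Tuple[str, str]]
Stmt = Tuple[str, Expr]


def atom_state(name: str) -> Optional[int]:
    """Verdict for a leaf: superglobal source, literal, or None if it must be resolved."""
    if name in SOURCES:
        return CONTROLLABLE
    if not name.startswith("$"):
        return UNKNOWN                    # a string literal such as 'randow'
    return None


def track(param: str, stmts: List[Stmt], policy: str = "all",
          skip_self_ref: bool = False) -> int:
    """Search backwards for the last assignment to `param`, then resolve its rhs.

    policy:  "all"              combine every part; any tainted part taints the whole
             "first_confirmed"  stop at the first part whose verdict is not UNKNOWN
                                (the early-return patch proposed in the thread)
             "concat_sanitizes" treat any concatenation as safe (grayguest's idea)
    skip_self_ref: skip an assignment whose rhs contains the target itself, i.e. the
                   commented-out "param in list -> continue" logic from the thread.
    """
    for idx in range(len(stmts) - 1, -1, -1):
        lhs, rhs = stmts[idx]
        if lhs != param:
            continue
        earlier = stmts[:idx]             # only earlier statements can define the rhs
        if isinstance(rhs, tuple):        # function call
            func, arg = rhs
            if func in SANITIZERS:
                return SANITIZED
            return resolve_parts([arg], earlier, policy, skip_self_ref)
        parts = rhs if isinstance(rhs, list) else [rhs]
        if skip_self_ref and param in parts:
            continue                      # falls through to an older assignment
        return resolve_parts(parts, earlier, policy, skip_self_ref)
    leaf = atom_state(param)
    return UNKNOWN if leaf is None else leaf   # e.g. an unassigned formal parameter


def resolve_parts(parts: List[str], earlier: List[Stmt], policy: str,
                  skip_self_ref: bool) -> int:
    verdicts = []
    for part in parts:
        verdict = atom_state(part)
        if verdict is None:
            verdict = track(part, earlier, policy, skip_self_ref)
        if policy == "first_confirmed" and verdict != UNKNOWN:
            return verdict                # order-dependent early exit
        verdicts.append(verdict)
    if policy == "concat_sanitizes" and len(parts) > 1:
        return SANITIZED
    if CONTROLLABLE in verdicts:
        return CONTROLLABLE
    if SANITIZED in verdicts:
        return SANITIZED
    return UNKNOWN


# Constructed program 1: the add_func body from the issue, one tuple per statement.
ISSUE_PROGRAM: List[Stmt] = [
    ("$did", "$_GET"),
    ("$pid", "random"),
    ("$pid", ["$pid", "$did"]),
    ("$a", ["$pid", "randow"]),
    ("$b", ["$a", "aaaaaaaaaaaaaaaaaaaaaaaaaaa"]),
]

# Constructed program 2: a sanitized copy concatenated with the raw value, showing
# that the early-return policy depends on which part happens to be examined first.
MIXED_PROGRAM: List[Stmt] = [
    ("$id", "$_GET"),
    ("$n", ("intval", "$id")),
    ("$q", ["$n", "$id"]),
]

if __name__ == "__main__":
    print("skip-self-ref (the bug) :", track("$b", ISSUE_PROGRAM, skip_self_ref=True))
    print("all parts               :", track("$b", ISSUE_PROGRAM))
    print("first confirmed         :", track("$q", MIXED_PROGRAM, "first_confirmed"))
    print("all parts               :", track("$q", MIXED_PROGRAM))
    print("concat sanitizes        :", track("$q", MIXED_PROGRAM, "concat_sanitizes"))
```

With `skip_self_ref=True` the tracker skips `$pid = $pid . $did`, falls back to `$pid = "random"` and reports `$b` as undetermined, which is exactly the "Find $pid=random in line 0" path in the logs above. With the `first_confirmed` policy, `$q` in the second program is reported safe because the sanitized `$n` is examined before the raw `$id`; swapping the two parts flips the verdict, which is why an early return decides by position rather than by content. The `concat_sanitizes` policy trades the missed finding for fewer false positives, as grayguest proposed.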

@LoRexxar (Owner) commented

Let's set this problem aside for now; I'll trace through it in detail when I have time.

@m4p1e (Author) commented Jan 15, 2020

Master, what is your email? I'd like to ask you for some advice when you have time!

@LoRexxar (Owner) commented

> Master, what is your email? I'd like to ask you for some advice when you have time!

lorexxar@gmail.com
