This repository was archived by the owner on Nov 28, 2023. It is now read-only.

Commit f4682c5

Merge pull request #571 from braveghz/master
improve rules
2 parents 683a0eb + f6df2e5 commit f4682c5


60 files changed

+1063
-136
lines changed

docs/index.md

+2-1
Original file line numberDiff line numberDiff line change
@@ -48,7 +48,8 @@
4848
| 290 | LB | Logic Bug | 逻辑错误 |
4949
| 320 | VO | Variables Override | 变量覆盖漏洞 |
5050
| 350 | WF | Weak Function | 不安全的函数 |
51-
| 355 | WE |Weak Encryption | 不安全的加密 |
51+
| 355 | WE | Weak Encryption | 不安全的加密 |
52+
| 360 | WS | WebShell | WebShell |
5253
| 970 | AV | Android Vulnerabilities | Android漏洞 |
5354
| 980 | IV | iOS Vulnerabilities | iOS漏洞 |
5455
| 999 | IC | Insecure Components| 引用了存在漏洞的三方组件(Maven/Pods/PIP/NPM) |
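Review bot: the spacing fix on the WE row leaves the IC row of the same table still unspaced (`| 999 | IC | Insecure Components| ...`); apply the same `Components |` fix while touching this table. The new `| 360 | WS | WebShell |` row sits between 355 and 970, which keeps the numeric ordering of the list.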

docs/labels.md

+1
@@ -26,6 +26,7 @@
2626
| 320 | VO | Variables Override | 变量覆盖漏洞 |
2727
| 350 | WF | Weak Function | 不安全的函数 |
2828
| 355 | WE |Weak Encryption | 不安全的加密 |
29+
| 360 | WS | WebShell | WebShell |
2930
| 970 | AV | Android Vulnerabilities | Android漏洞 |
3031
| 980 | IV | iOS Vulnerabilities | iOS漏洞 |
3132
| 999 | IC | Insecure Components| 引用了存在漏洞的三方组件(Maven/Pods/PIP/NPM) |
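Review bot: the WE row here (`| 355 | WE |Weak Encryption |`) keeps the missing space that the docs/index.md hunk fixes, so the two label tables diverge again after this commit; apply the same spacing fix in docs/labels.md so both lists stay identical.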

rules/CVI-120001.xml

+9-11
@@ -7,20 +7,19 @@
77
<level value="6"/>
88
<test>
99
<case assert="true"><![CDATA[
10-
function curl($url){
11-
$ch = curl_init();
12-
curl_setopt($ch, CURLOPT_URL, $url);
13-
curl_setopt($ch, CURLOPT_HEADER, 0);
14-
curl_exec($ch);
15-
curl_close($ch);
16-
}
17-
$url = $_GET['url'];
18-
curl($url);
10+
function curl($url){
11+
$ch = curl_init();
12+
curl_setopt($ch, CURLOPT_URL, $url);
13+
curl_setopt($ch, CURLOPT_HEADER, 0);
14+
curl_exec($ch);
15+
curl_close($ch);
16+
}
17+
$url = $_GET['url'];
18+
curl($url);
1919
]]></case>
2020
</test>
2121
<solution>
2222
## 安全风险
23-
2423
SSRF漏洞(Server-Side Request Forgery)
2524

2625
### 形成原理
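Review bot: this hunk is a whitespace-only re-indent of the CDATA test body plus one removed blank line, so nothing the rule matches changes; fine to merge, but the test still has only an `assert="true"` case. Add an `assert="false"` case with a constant URL, as CVI-120002 does with `$url = "http://www.example.com";`, so a regression that flags non-controllable input is caught.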
@@ -42,7 +41,6 @@
4241
curl_exec($ch);
4342
curl_close($ch);
4443
}
45-
4644
$url = $_GET['url'];
4745
curl($url);
4846
```

rules/CVI-120002.xml

+4-4
@@ -6,12 +6,12 @@
66
<level value="7"/>
77
<test>
88
<case assert="true"><![CDATA[
9-
$url = $_GET['url'];
10-
echo file_get_contents($url);
9+
$url = $_GET['url'];
10+
echo file_get_contents($url);
1111
]]></case>
1212
<case assert="false"><![CDATA[
13-
$url = "http://www.example.com";
14-
echo file_get_contents($url);
13+
$url = "http://www.example.com";
14+
echo file_get_contents($url);
1515
]]></case>
1616
</test>
1717
<solution>
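Review bot: whitespace-only re-indent of both test cases; no behaviour change. The negative case with a hard-coded `http://www.example.com` is the right shape; consider a second negative case where `$url` still comes from `$_GET` but is validated against a whitelist before `file_get_contents`, so the rule's handling of checked input is tested as well.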

rules/CVI-120003.xml

+1-2
@@ -3,7 +3,6 @@
33
<name value="get_headers导致的SSRF"/>
44
<language value="php"/>
55
<match mode="function-param-controllable"><![CDATA[get_headers]]></match>
6-
<repair block="in-function-up"><![CDATA[in_array\s*\(\s*{{PARAM}}\s*,|preg_match(?:_all)?\s*\(\s*(?:.+?)\s*,\s*{{PARAM}}\s*[,\)]]]></repair>
76
<level value="7"/>
87
<test>
98
<case assert="true"><![CDATA[
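Review bot: deleting the `<repair block="in-function-up">` line removes the only suppression for `get_headers` calls whose parameter is first checked with `in_array($param, ...)` or `preg_match(..., $param)`, so every such call will now be reported. If the `{{PARAM}}`-bound regex was the problem, replace it with the simplified form used elsewhere in this commit (`<repair block="in-function-up"><![CDATA[in_array]]></repair>` as in CVI-210001) rather than dropping it, and state the reason in the commit message, since `improve rules` does not explain a coverage change.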
@@ -41,5 +40,5 @@
4140
```
4241
</solution>
4342
<status value="on"/>
44-
<author name="Lightless" email="[email protected]"/>
43+
<author name="Lightless" email="[email protected]"/>
4544
</cobra>

rules/CVI-120004.xml

+35
@@ -0,0 +1,35 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<cobra document="https://github.com/wufeifei/cobra">
3+
<name value="fsockopen造成的SSRF"/>
4+
<language value="php"/>
5+
<match mode="function-param-controllable"><![CDATA[fsockopen]]></match>
6+
<level value="7"/>
7+
<test>
8+
<case assert="true"><![CDATA[
9+
$host = $_GET['host'];
10+
$fp = fsockopen($host, intval($port), $errno, $errstr, 30);
11+
]]></case>
12+
</test>
13+
<solution>
14+
## 安全风险
15+
SSRF漏洞(Server-Side Request Forgery)
16+
17+
### 形成原理
18+
SSRF形成的原因大都是由于服务端提供了从其他服务器应用获取数据的功能且没有对目标地址做过滤与限制。
19+
20+
### 风险
21+
1、攻击者可以对外网、服务器所在内网、本地进行端口扫描,获取服务的banner信息。
22+
2、攻击运行在内网或本地的应用程序。
23+
3、对内网web应用进行指纹识别。
24+
4、攻击内外网的web应用。
25+
5、利用file协议读取本地文件等。
26+
27+
## 修复方案
28+
1. 限制协议为HTTP、HTTPS
29+
2. 限制请求域名白名单
30+
3. 禁止30x跳转
31+
32+
</solution>
33+
<status value="on"/>
34+
<author name="JoyChou" email="[email protected]"/>
35+
</cobra>
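Review bot: the 修复方案 list (限制协议为HTTP、HTTPS, 禁止30x跳转) was copied from a URL-based SSRF rule and does not apply to `fsockopen`, which opens a raw TCP connection with no protocol or redirect handling; the remediation for this sink is a host/port whitelist. Two smaller points: the test case reads `$port` without ever assigning it (add `$port = 80;` so the snippet is valid PHP), and there is no `assert="false"` case, so a constant host such as `fsockopen("mail.example.com", 25, $errno, $errstr, 30);` is never checked for not being flagged.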

rules/CVI-140001.xml

-1
@@ -1,5 +1,4 @@
11
<?xml version="1.0" encoding="UTF-8"?>
2-
32
<cobra document="https://github.com/wufeifei/cobra">
43
<name value="文本框反射型XSS"/>
54
<language value="jsp"/>

rules/CVI-140002.xml

+1-2
@@ -1,7 +1,6 @@
11
<?xml version="1.0" encoding="UTF-8"?>
2-
32
<cobra document="https://github.com/wufeifei/cobra">
4-
<name value="输出入参"/>
3+
<name value="输出入参可能导致XSS"/>
54
<language value="java"/>
65
<match mode="regex-only-match"><![CDATA[out\.println\s*\(\s*request\.get(Parameter|QueryString)\s*\(\s*\"]]></match>
76
<level value="4"/>
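Review bot: the rename to 输出入参可能导致XSS matches the naming of CVI-140003 (直接输出入参可能导致XSS), good. Unrelated to the rename but visible in the context line: the `regex-only-match` pattern only fires when `request.getParameter("` or `request.getQueryString("` is the first token inside `out.println(`, so `out.print(...)` and concatenations such as `out.println("<b>" + request.getParameter("q"))` are not detected; worth a follow-up test case rather than a blocker for this hunk.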

rules/CVI-140003.xml

+1-1
@@ -3,7 +3,7 @@
33
<name value="直接输出入参可能导致XSS"/>
44
<language value="php"/>
55
<match mode="function-param-controllable"><![CDATA[(echo|print|print_r|exit|die|printf|vprintf|trigger_error|user_error|odbc_result_all|ovrimos_result_all|ifx_htmltbl_result)]]></match>
6-
<repair block="in-function"><![CDATA[(htmlspecialchars\s*\(\s*{{PARAM}}\s*)]]></repair>
6+
<repair block="in-function"><![CDATA[(htmlspecialchars]]></repair>
77
<level value="4"/>
88
<test>
99
<case assert="true"><![CDATA[print_r ($_GET['test']);]]></case>
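Review bot: the new repair pattern `(htmlspecialchars` has an unclosed group, unlike the balanced `(mysql_real_escape_string|addslashes)` and `(escapeshellcmd|escapeshellarg)` forms this commit uses in CVI-160003 and CVI-181001; as a regex it will not compile, so either `htmlspecialchars` or `(htmlspecialchars)` must be intended. Dropping the `{{PARAM}}` binding also means any `htmlspecialchars(` call in the function suppresses the finding even when it encodes a different variable than the one being printed; if that trade-off is deliberate, add a test case such as `echo htmlspecialchars($a); print_r($_GET['test']);` with the expected result, so the behaviour is documented rather than implicit.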

rules/CVI-140004.xml

-22
This file was deleted.
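Review bot: removing rules/CVI-140004.xml (22 lines) is not explained by the commit message `improve rules`; say whether the rule duplicated another XSS rule or was merged elsewhere, since a silent deletion drops detection coverage without a record of why.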

rules/CVI-160001.xml

-1
@@ -1,5 +1,4 @@
11
<?xml version="1.0" encoding="UTF-8"?>
2-
32
<cobra document="https://github.com/wufeifei/cobra">
43
<name value="拼接SQL注入"/>
54
<language value="java"/>

rules/CVI-160002.xml

+1-1
@@ -9,7 +9,7 @@
99
<case assert="false"><![CDATA[$query = "SELECT id FROM products LIMIT 20 ;";]]></case>
1010
<case assert="true"><![CDATA[$s = "select" + $v + "from " + $tb + "where id = " + $id;]]></case>
1111
<case assert="true"><![CDATA[
12-
$query = "SELECT id, name, inserted, size FROM products
12+
$query = "SELECT id, name, inserted, size FROM products
1313
WHERE size = '$size'
1414
ORDER BY $order
1515
LIMIT $limit, $offset;";
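Review bot: whitespace-only change inside the multi-line CDATA string; the rule still sees the same `'$size'`, `$order` and `$limit` interpolation in the query. No objection.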

rules/CVI-160003.xml

+1-1
@@ -3,7 +3,7 @@
33
<name value="MySQL Execute Functions可能导致SQL注入"/>
44
<language value="php"/>
55
<match mode="function-param-controllable"><![CDATA[(mysql_query|mysql_db_query)]]></match>
6-
<repair block="in-function"><![CDATA[(?:mysql_real_escape_string|addslashes)\s*\(\s*{{PARAM}}\s*[\),]]]></repair>
6+
<repair block="in-function"><![CDATA[(mysql_real_escape_string|addslashes)]]></repair>
77
<level value="8"/>
88
<test>
99
<case assert="true"><![CDATA[
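Review bot: replacing `(?:mysql_real_escape_string|addslashes)\s*\(\s*{{PARAM}}\s*[\),]` with `(mysql_real_escape_string|addslashes)` removes the link between the escaping call and the query parameter, so one escaped variable anywhere in the function silences findings for every other variable passed to `mysql_query`; that partial-escaping case is exactly what a static rule is meant to catch. Separately, `addslashes` is not connection-charset aware and is not a reliable SQL escaping function, so accepting it as a repair was already generous in the old form; prefer recognising only `mysql_real_escape_string` (or prepared statements) as the fix.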

rules/CVI-160004.xml

+1-1
@@ -2,7 +2,7 @@
22
<cobra document="https://github.com/wufeifei/cobra">
33
<name value="SQL Execute Functions可能导致SQL注入"/>
44
<language value="php"/>
5-
<match mode="function-param-controllable"><![CDATA[(mysqli_query|pg_execute|pg_insert|pg_query|pg_select|pg_update|sqlite_query|msql_query|mssql_query|odbc_exec|fbsql_query|sybase_query|ibase_query|dbx_query|ingres_query|ifx_query|oci_parse|sqlsrv_query|maxdb_query|db2_exec)\s?\(]]></match>
5+
<match mode="function-param-controllable"><![CDATA[(mysqli_query|pg_execute|pg_insert|pg_query|pg_select|pg_update|sqlite_query|msql_query|mssql_query|odbc_exec|fbsql_query|sybase_query|ibase_query|dbx_query|ingres_query|ifx_query|oci_parse|sqlsrv_query|maxdb_query|db2_exec)]]></match>
66
<level value="8"/>
77
<test>
88
<case assert="true"><![CDATA[
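Review bot: dropping the trailing `\s?\(` brings the match in line with the other `function-param-controllable` rules in this commit (CVI-120004 and CVI-165001 list bare function names), but if the mode does not itself anchor on the following `(`, the `pg_query` alternative will now also match the parameterised `pg_query_params(...)`; add an `assert="false"` case such as `pg_query_params($db, $sql, [$id]);` to confirm the safe call is not flagged.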

rules/CVI-165001.xml

+30
@@ -0,0 +1,30 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<cobra document="https://github.com/wufeifei/cobra">
3+
<name value="LDAP注入"/>
4+
<language value="php"/>
5+
<match mode="function-param-controllable"><![CDATA[(ldap_add|ldap_delete|ldap_list|ldap_read|ldap_search|ldap_bind)]]></match>
6+
<repair block="in-function-up"><![CDATA[ldap_escape\s*\(\s*.+?\s*,\s*.+?\s*,\s*LDAP_ESCAPE_FILTER\s*\)]]></repair>
7+
<level value="5"/>
8+
<test>
9+
<case assert="true"><![CDATA[
10+
$surname=$_GET['surname'];
11+
$filter = "(sn=" . $surname . ")";
12+
$sr=ldap_search($ds, "o=My Company, c=US", $filter);
13+
$info = ldap_get_entries($ds, $sr);
14+
]]></case>
15+
</test>
16+
<solution>
17+
## 安全风险
18+
19+
LDAP Injection
20+
允许进行LDAP查询 + 输入未进行过滤 ---> LDAP注入
21+
这种威胁可以让攻击者能够从LADP树中提取到很多很重要的信息
22+
23+
## 修复方案
24+
对用户输入数据中包含的”语言本身的保留字符”进行转义(例如可以使用`ldap_escape`)
25+
26+
</solution>
27+
<status value="on"/>
28+
<author name="Feei" email="[email protected]"/>
29+
</cobra>
30+
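Review bot: the repair regex only recognises `ldap_escape(..., ..., LDAP_ESCAPE_FILTER)`, but the match list also includes `ldap_bind`, `ldap_add` and `ldap_delete`, whose controllable argument is a DN rather than a filter and is correctly escaped with `LDAP_ESCAPE_DN`; use `LDAP_ESCAPE_(?:FILTER|DN)` so properly escaped DNs are not reported. The test has no `assert="false"` case exercising the repair path, e.g. `$filter = "(sn=" . ldap_escape($surname, "", LDAP_ESCAPE_FILTER) . ")";`. Small text fixes: `LADP树` should be `LDAP树`, the quotes around ”语言本身的保留字符” are mismatched, and the new line 30 leaves a trailing blank line after `</cobra>`.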

rules/CVI-167001.xml

+1-8
@@ -7,17 +7,13 @@
77
<level value="5"/>
88
<test>
99
<case assert="true"><![CDATA[
10-
<?php
1110
$xml = $_POST['xml'];
1211
$data = simplexml_load_string($xml);
13-
?>
1412
]]></case>
1513
<case assert="false"><![CDATA[
16-
<?php
1714
$xml = $_POST['xml'];
1815
libxml_disable_entity_loader(true);
1916
$data = simplexml_load_string($xml);
20-
?>
2117
]]></case>
2218
</test>
2319
<solution>
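Review bot: removing the `<?php`/`?>` wrappers makes these cases consistent with the bare-statement style of the other rules' tests (CVI-120002, CVI-260001), fine. Worth noting for the negative case: `libxml_disable_entity_loader()` is deprecated as of PHP 8.0, where external entity loading is disabled by default, so the safe example will need an update for code targeting PHP 8.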
@@ -42,18 +38,15 @@
4238

4339
## 举例
4440
```php
45-
<?php
4641
$xml = $_POST['xml'];
4742
$data = simplexml_load_string($xml);
48-
?>
4943
```
5044
修改后代码
5145
```php
52-
<?php
5346
$xml = $_POST['xml'];
5447
libxml_disable_entity_loader(true);
5548
$data = simplexml_load_string($xml);
56-
?>
49+
```
5750
</solution>
5851
<status value="on"/>
5952
<author name="Lightless" email="[email protected] "/>
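Review bot: besides removing `<?php`/`?>` from the two markdown examples, the added line 49 supplies the closing ``` that the second ```php block was missing (the old file went straight from `?>` to `</solution>`), so this hunk also fixes an unclosed fence in the rendered solution. One more cleanup while here: the unchanged author line has a trailing space inside the email attribute (`email="[email protected] "`).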

rules/CVI-180001.xml

+1-1
@@ -2,7 +2,7 @@
22
<cobra document="https://github.com/wufeifei/cobra">
33
<name value="远程代码执行"/>
44
<language value="php"/>
5-
<match mode="function-param-controllable"><![CDATA[(array_map|create_function|call_user_func|call_user_func_array|assert|eval|dl|register_tick_function|register_shutdown_function|preg_replace)]]></match>
5+
<match mode="function-param-controllable"><![CDATA[(array_map|create_function|call_user_func|call_user_func_array|assert|eval|dl|register_tick_function|register_shutdown_function|array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|array_walk_recursive|uasort|uksort|usort)]]></match>
66
<level value="10"/>
77
<test>
88
<case assert="true"><![CDATA[array_map($_GET['pass'],$array);]]></case>
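Review bot: the new match list adds the callback-taking array functions but drops `preg_replace`, which was the only entry covering the `/e` modifier code-execution path still present in PHP 5 code bases; if it was removed because `function-param-controllable` cannot tell a `/e` pattern from a normal one, say so in the commit message or move it to a dedicated rule rather than losing it silently. Also add an `assert="false"` case with a literal callback, e.g. `array_map('trim', $_GET['list']);`, to make explicit whether the rule distinguishes the callable from the data argument, since for these functions only the callable is the dangerous parameter.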

rules/CVI-180002.xml

-24
This file was deleted.
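Review bot: as with CVI-140004 above, rules/CVI-180002.xml (24 lines) is deleted without explanation; note in the commit message whether its sinks were folded into the CVI-180001 match list changed in this same commit.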

rules/CVI-181001.xml

+1-1
@@ -3,7 +3,7 @@
33
<name value="远程命令执行"/>
44
<language value="php"/>
55
<match mode="function-param-controllable"><![CDATA[(system|passthru|exec|pcntl_exec|shell_exec|popen|proc_open|ob_start|expect_popen|mb_send_mail|w32api_register_function|w32api_invoke_function|ssh2_exec)]]></match>
6-
<repair block="in-function"><![CDATA[escapeshellcmd\s*\(\s*(.+?)\s*\)|escapeshellarg\s*\(\s*(.+?)\s*\)]]></repair>
6+
<repair block="in-function"><![CDATA[(escapeshellcmd|escapeshellarg)]]></repair>
77
<level value="10"/>
88
<test>
99
<case assert="true"><![CDATA[system($_GET['pass']);]]></case>
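Review bot: `(escapeshellcmd|escapeshellarg)` no longer captures which argument was escaped, so a command string built from one escaped variable and one raw one is now treated as repaired. Separately, `escapeshellcmd` only neutralises shell metacharacters and still lets a caller-controlled value add extra arguments to the command, so treating it as equivalent to `escapeshellarg` overstates the fix; if both stay in the repair, the solution text should say that `escapeshellarg` applied per argument is the one to use.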

rules/CVI-200002.xml

+3-4
@@ -1,20 +1,19 @@
11
<?xml version="1.0" encoding="UTF-8"?>
2-
32
<cobra document="https://github.com/wufeifei/cobra">
43
<name value="不安全的随机数"/>
54
<language value="php"/>
65
<match mode="regex-only-match"><![CDATA[uniqid\s?\(]]></match>
76
<level value="2"/>
7+
<test>
8+
<case assert="true"><![CDATA[$uniq = uniqid();]]></case>
9+
</test>
810
<solution>
911
## 安全风险
1012
uniqid基于时间戳生成的,属于伪随机生成器,不建议使用。
1113

1214
## 修复方案
1315
使用random替代
1416
</solution>
15-
<test>
16-
<case assert="true"><![CDATA[$uniq = uniqid();]]></case>
17-
</test>
1817
<status value="on"/>
1918
<author name="Feei" email="[email protected]"/>
2019
</cobra>
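Review bot: moving `<test>` ahead of `<solution>` matches the element order of the other rule files in this commit (CVI-120004, CVI-165001), fine. While here, the 修复方案 `使用random替代` is too vague to act on; name the replacement, e.g. `random_bytes()` / `random_int()` (PHP 7+), since `rand()` and `mt_rand()` are not cryptographically secure either.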

rules/CVI-210001.xml

+1-1
@@ -3,6 +3,7 @@
33
<name value="未经验证的任意链接跳转"/>
44
<language value="php"/>
55
<match mode="function-param-controllable"><![CDATA[header]]></match>
6+
<repair block="in-function-up"><![CDATA[in_array]]></repair>
67
<level value="5"/>
78
<test>
89
<case assert="true"><![CDATA[header("Location: ".$_GET["url"]);]]></case>
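Review bot: a bare `in_array` repair with `block="in-function-up"` suppresses the finding whenever `in_array(` appears anywhere above the `header()` call, whatever variable it checks; the form CVI-120003 used before this commit, `in_array\s*\(\s*{{PARAM}}\s*,`, ties the check to the redirect target and is the better choice here. Add an `assert="false"` case showing the intended safe pattern so the repair path is actually exercised.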
@@ -25,7 +26,6 @@
2526
4. 设置URL跳转白名单。
2627
5. 当用户跳转离开时,强制跳转到警告页面上,提示用户正在离开当前网站。
2728

28-
## 修复方案
2929
使用白名单判断
3030
```php
3131
<?php if(!in_array($_GET["url"], $whitelist)) exit; ?>
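Review bot: removing the duplicated `## 修复方案` heading is correct. In the unchanged example below it, `in_array($_GET["url"], $whitelist)` uses loose comparison; pass `true` as the third argument so numeric-looking strings are not matched by value, because this snippet is the one readers of the solution will copy.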

rules/CVI-260001.xml

+1-3
@@ -2,14 +2,12 @@
22
<cobra document="https://github.com/wufeifei/cobra">
33
<name value="PHP反序列化漏洞"/>
44
<language value="php"/>
5-
<match mode="function-param-controllable"><![CDATA[is_a|unserialize]]></match>
5+
<match mode="function-param-controllable"><![CDATA[unserialize]]></match>
66
<level value="5"/>
77
<test>
88
<case assert="true"><![CDATA[
9-
<?php
109
$test = $_POST['test'];
1110
$test_uns = unserialize($test);
12-
?>
1311
]]></case>
1412
</test>
1513
<solution>
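Review bot: dropping `is_a` narrows the match to `unserialize`, which is the right sink for a 反序列化 rule, but if `is_a` was listed for the older string-argument autoload issue, moving it to its own rule keeps that coverage; the commit message should say which was intended. The `<?php`/`?>` removal is consistent with CVI-167001 in this commit. The test still has no `assert="false"` case; one with `unserialize($test, ['allowed_classes' => false]);` would settle whether the rule treats `allowed_classes` as a repair.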
