Merge pull request #571 from braveghz/master

improve rules

Author: FeeiCN

docs/index.md

@@ -48,7 +48,8 @@
 | 290 | LB | Logic Bug  | 逻辑错误 |
 | 320 | VO | Variables Override | 变量覆盖漏洞 |
 | 350 | WF | Weak Function | 不安全的函数 |
-| 355 | WE |Weak Encryption | 不安全的加密 |
+| 355 | WE | Weak Encryption | 不安全的加密 |
+| 360 | WS | WebShell | WebShell |
 | 970 | AV | Android Vulnerabilities | Android漏洞 |
 | 980 | IV | iOS Vulnerabilities | iOS漏洞 |
 | 999 | IC | Insecure Components| 引用了存在漏洞的三方组件(Maven/Pods/PIP/NPM) |

docs/labels.md

@@ -26,6 +26,7 @@
 | 320 | VO | Variables Override | 变量覆盖漏洞 |
 | 350 | WF | Weak Function | 不安全的函数 |
 | 355 | WE |Weak Encryption | 不安全的加密 |
+| 360 | WS | WebShell | WebShell |
 | 970 | AV | Android Vulnerabilities | Android漏洞 |
 | 980 | IV | iOS Vulnerabilities | iOS漏洞 |
 | 999 | IC | Insecure Components| 引用了存在漏洞的三方组件(Maven/Pods/PIP/NPM) |

rules/CVI-120001.xml

@@ -7,20 +7,19 @@
     <level value="6"/>
     <test>
         <case assert="true"><![CDATA[
-        function curl($url){
-            $ch = curl_init();
-            curl_setopt($ch, CURLOPT_URL, $url);
-            curl_setopt($ch, CURLOPT_HEADER, 0);
-            curl_exec($ch);
-            curl_close($ch);
-        }
-        $url = $_GET['url'];
-        curl($url);
+            function curl($url){
+                $ch = curl_init();
+                curl_setopt($ch, CURLOPT_URL, $url);
+                curl_setopt($ch, CURLOPT_HEADER, 0);
+                curl_exec($ch);
+                curl_close($ch);
+            }
+            $url = $_GET['url'];
+            curl($url);
         ]]></case>
     </test>
     <solution>
         ## 安全风险
-
         SSRF漏洞(Server-Side Request Forgery)
 
         ### 形成原理
@@ -42,7 +41,6 @@
             curl_exec($ch);
             curl_close($ch);
         }
-
         $url = $_GET['url'];
         curl($url);
         ```

rules/CVI-120002.xml

@@ -6,12 +6,12 @@
     <level value="7"/>
     <test>
         <case assert="true"><![CDATA[
-                $url = $_GET['url'];
-                echo file_get_contents($url);
+            $url = $_GET['url'];
+            echo file_get_contents($url);
         ]]></case>
         <case assert="false"><![CDATA[
-                $url = "http://www.example.com";
-                echo file_get_contents($url);
+            $url = "http://www.example.com";
+            echo file_get_contents($url);
         ]]></case>
     </test>
     <solution>

rules/CVI-120003.xml

@@ -3,7 +3,6 @@
     <name value="get_headers导致的SSRF"/>
     <language value="php"/>
     <match mode="function-param-controllable"><![CDATA[get_headers]]></match>
-    <repair block="in-function-up"><![CDATA[in_array\s*\(\s*{{PARAM}}\s*,|preg_match(?:_all)?\s*\(\s*(?:.+?)\s*,\s*{{PARAM}}\s*[,\)]]]></repair>
     <level value="7"/>
     <test>
         <case assert="true"><![CDATA[
@@ -41,5 +40,5 @@
         ```
     </solution>
     <status value="on"/>
-    <author name="Lightless" email="[email protected]"/>
+    <author name="Lightless" email="[email protected]"/>
 </cobra>

rules/CVI-120004.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cobra document="https://github.com/wufeifei/cobra">
+    <name value="fsockopen造成的SSRF"/>
+    <language value="php"/>
+    <match mode="function-param-controllable"><![CDATA[fsockopen]]></match>
+    <level value="7"/>
+    <test>
+        <case assert="true"><![CDATA[
+            $host = $_GET['host'];
+            $fp = fsockopen($host, intval($port), $errno, $errstr, 30);
+        ]]></case>
+    </test>
+    <solution>
+        ## 安全风险
+        SSRF漏洞(Server-Side Request Forgery)
+
+        ### 形成原理
+        SSRF形成的原因大都是由于服务端提供了从其他服务器应用获取数据的功能且没有对目标地址做过滤与限制。
+
+        ### 风险
+        1、攻击者可以对外网、服务器所在内网、本地进行端口扫描，获取服务的banner信息。
+        2、攻击运行在内网或本地的应用程序。
+        3、对内网web应用进行指纹识别。
+        4、攻击内外网的web应用。
+        5、利用file协议读取本地文件等。
+
+        ## 修复方案
+        1. 限制协议为HTTP、HTTPS
+        2. 限制请求域名白名单
+        3. 禁止30x跳转
+
+    </solution>
+    <status value="on"/>
+    <author name="JoyChou" email="[email protected]"/>
+</cobra>

rules/CVI-140001.xml

@@ -1,5 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
-
 <cobra document="https://github.com/wufeifei/cobra">
     <name value="文本框反射型XSS"/>
     <language value="jsp"/>

rules/CVI-140002.xml

@@ -1,7 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
-
 <cobra document="https://github.com/wufeifei/cobra">
-    <name value="输出入参"/>
+    <name value="输出入参可能导致XSS"/>
     <language value="java"/>
     <match mode="regex-only-match"><![CDATA[out\.println\s*\(\s*request\.get(Parameter|QueryString)\s*\(\s*\"]]></match>
     <level value="4"/>

rules/CVI-140003.xml

@@ -3,7 +3,7 @@
     <name value="直接输出入参可能导致XSS"/>
     <language value="php"/>
     <match mode="function-param-controllable"><![CDATA[(echo|print|print_r|exit|die|printf|vprintf|trigger_error|user_error|odbc_result_all|ovrimos_result_all|ifx_htmltbl_result)]]></match>
-    <repair block="in-function"><![CDATA[(htmlspecialchars\s*\(\s*{{PARAM}}\s*)]]></repair>
+    <repair block="in-function"><![CDATA[(htmlspecialchars]]></repair>
     <level value="4"/>
     <test>
         <case assert="true"><![CDATA[print_r ($_GET['test']);]]></case>

rules/CVI-140004.xml

@@ -1,5 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
-
 <cobra document="https://github.com/wufeifei/cobra">
     <name value="拼接SQL注入"/>
     <language value="java"/>

rules/CVI-160001.xml

@@ -9,7 +9,7 @@
         <case assert="false"><![CDATA[$query  = "SELECT id FROM products LIMIT 20 ;";]]></case>
         <case assert="true"><![CDATA[$s = "select"  + $v + "from " + $tb + "where id = " + $id;]]></case>
         <case assert="true"><![CDATA[
-        $query  = "SELECT id, name, inserted, size FROM products
+            $query  = "SELECT id, name, inserted, size FROM products
                     WHERE size = '$size'
                     ORDER BY $order
                     LIMIT $limit, $offset;";

rules/CVI-160002.xml

@@ -3,7 +3,7 @@
     <name value="MySQL Execute Functions可能导致SQL注入"/>
     <language value="php"/>
     <match mode="function-param-controllable"><![CDATA[(mysql_query|mysql_db_query)]]></match>
-    <repair block="in-function"><![CDATA[(?:mysql_real_escape_string|addslashes)\s*\(\s*{{PARAM}}\s*[\),]]]></repair>
+    <repair block="in-function"><![CDATA[(mysql_real_escape_string|addslashes)]]></repair>
     <level value="8"/>
     <test>
         <case assert="true"><![CDATA[

rules/CVI-160003.xml

@@ -2,7 +2,7 @@
 <cobra document="https://github.com/wufeifei/cobra">
     <name value="SQL Execute Functions可能导致SQL注入"/>
     <language value="php"/>
-    <match mode="function-param-controllable"><![CDATA[(mysqli_query|pg_execute|pg_insert|pg_query|pg_select|pg_update|sqlite_query|msql_query|mssql_query|odbc_exec|fbsql_query|sybase_query|ibase_query|dbx_query|ingres_query|ifx_query|oci_parse|sqlsrv_query|maxdb_query|db2_exec)\s?\(]]></match>
+    <match mode="function-param-controllable"><![CDATA[(mysqli_query|pg_execute|pg_insert|pg_query|pg_select|pg_update|sqlite_query|msql_query|mssql_query|odbc_exec|fbsql_query|sybase_query|ibase_query|dbx_query|ingres_query|ifx_query|oci_parse|sqlsrv_query|maxdb_query|db2_exec)]]></match>
     <level value="8"/>
     <test>
         <case assert="true"><![CDATA[

rules/CVI-160004.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cobra document="https://github.com/wufeifei/cobra">
+    <name value="LDAP注入"/>
+    <language value="php"/>
+    <match mode="function-param-controllable"><![CDATA[(ldap_add|ldap_delete|ldap_list|ldap_read|ldap_search|ldap_bind)]]></match>
+    <repair block="in-function-up"><![CDATA[ldap_escape\s*\(\s*.+?\s*,\s*.+?\s*,\s*LDAP_ESCAPE_FILTER\s*\)]]></repair>
+    <level value="5"/>
+    <test>
+        <case assert="true"><![CDATA[
+            $surname=$_GET['surname'];
+            $filter = "(sn=" . $surname . ")";
+            $sr=ldap_search($ds, "o=My Company, c=US", $filter);
+            $info = ldap_get_entries($ds, $sr);
+       ]]></case>
+    </test>
+    <solution>
+        ## 安全风险
+
+        LDAP Injection
+        允许进行LDAP查询 + 输入未进行过滤 ---> LDAP注入
+        这种威胁可以让攻击者能够从LADP树中提取到很多很重要的信息
+
+        ## 修复方案
+        对用户输入数据中包含的”语言本身的保留字符”进行转义(例如可以使用`ldap_escape`)
+
+    </solution>
+    <status value="on"/>
+    <author name="Feei" email="[email protected]"/>
+</cobra>
+

rules/CVI-165001.xml

@@ -7,17 +7,13 @@
     <level value="5"/>
     <test>
         <case assert="true"><![CDATA[
-        <?php
             $xml = $_POST['xml'];
             $data = simplexml_load_string($xml);
-        ?>
         ]]></case>
         <case assert="false"><![CDATA[
-        <?php
             $xml = $_POST['xml'];
             libxml_disable_entity_loader(true);
             $data = simplexml_load_string($xml);
-        ?>
         ]]></case>
     </test>
     <solution>
@@ -42,18 +38,15 @@
 
         ## 举例
         ```php
-        <?php
             $xml = $_POST['xml'];
             $data = simplexml_load_string($xml);
-        ?>
         ```
         修改后代码
         ```php
-        <?php
             $xml = $_POST['xml'];
             libxml_disable_entity_loader(true);
             $data = simplexml_load_string($xml);
-        ?>
+        ```
     </solution>
     <status value="on"/>
     <author name="Lightless" email="[email protected] "/>

rules/CVI-167001.xml

@@ -2,7 +2,7 @@
 <cobra document="https://github.com/wufeifei/cobra">
     <name value="远程代码执行"/>
     <language value="php"/>
-    <match mode="function-param-controllable"><![CDATA[(array_map|create_function|call_user_func|call_user_func_array|assert|eval|dl|register_tick_function|register_shutdown_function|preg_replace)]]></match>
+    <match mode="function-param-controllable"><![CDATA[(array_map|create_function|call_user_func|call_user_func_array|assert|eval|dl|register_tick_function|register_shutdown_function|array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|array_walk_recursive|uasort|uksort|usort)]]></match>
     <level value="10"/>
     <test>
         <case assert="true"><![CDATA[array_map($_GET['pass'],$array);]]></case>

rules/CVI-180001.xml

@@ -3,7 +3,7 @@
     <name value="远程命令执行"/>
     <language value="php"/>
     <match mode="function-param-controllable"><![CDATA[(system|passthru|exec|pcntl_exec|shell_exec|popen|proc_open|ob_start|expect_popen|mb_send_mail|w32api_register_function|w32api_invoke_function|ssh2_exec)]]></match>
-    <repair block="in-function"><![CDATA[escapeshellcmd\s*\(\s*(.+?)\s*\)|escapeshellarg\s*\(\s*(.+?)\s*\)]]></repair>
+    <repair block="in-function"><![CDATA[(escapeshellcmd|escapeshellarg)]]></repair>
     <level value="10"/>
     <test>
         <case assert="true"><![CDATA[system($_GET['pass']);]]></case>

rules/CVI-180002.xml

@@ -1,20 +1,19 @@
 <?xml version="1.0" encoding="UTF-8"?>
-
 <cobra document="https://github.com/wufeifei/cobra">
     <name value="不安全的随机数"/>
     <language value="php"/>
     <match mode="regex-only-match"><![CDATA[uniqid\s?\(]]></match>
     <level value="2"/>
+    <test>
+        <case assert="true"><![CDATA[$uniq = uniqid();]]></case>
+    </test>
     <solution>
         ## 安全风险
         uniqid基于时间戳生成的，属于伪随机生成器，不建议使用。
 
         ## 修复方案
         使用random替代
     </solution>
-    <test>
-        <case assert="true"><![CDATA[$uniq = uniqid();]]></case>
-    </test>
     <status value="on"/>
     <author name="Feei" email="[email protected]"/>
 </cobra>

rules/CVI-181001.xml

@@ -3,6 +3,7 @@
     <name value="未经验证的任意链接跳转"/>
     <language value="php"/>
     <match mode="function-param-controllable"><![CDATA[header]]></match>
+    <repair block="in-function-up"><![CDATA[in_array]]></repair>
     <level value="5"/>
     <test>
         <case assert="true"><![CDATA[header("Location: ".$_GET["url"]);]]></case>
@@ -25,7 +26,6 @@
         4. 设置URL跳转白名单。
         5. 当用户跳转离开时，强制跳转到警告页面上，提示用户正在离开当前网站。
 
-        ## 修复方案
         使用白名单判断
         ```php
         <?php if(!in_array($_GET["url"], $whitelist)) exit; ?>

rules/CVI-200002.xml

@@ -2,14 +2,12 @@
 <cobra document="https://github.com/wufeifei/cobra">
     <name value="PHP反序列化漏洞"/>
     <language value="php"/>
-    <match mode="function-param-controllable"><![CDATA[is_a|unserialize]]></match>
+    <match mode="function-param-controllable"><![CDATA[unserialize]]></match>
     <level value="5"/>
     <test>
         <case assert="true"><![CDATA[
-        <?php
             $test = $_POST['test'];
             $test_uns = unserialize($test);
-        ?>
         ]]></case>
     </test>
     <solution>