This repository was archived by the owner on Nov 28, 2023. It is now read-only.

improve rules #571

Merged
merged 40 commits into from
Sep 11, 2017
70369c5
Modify CVI-270001
braveghz Aug 30, 2017
819dbe6
Modify CVI-250001 LDAP injection
braveghz Aug 30, 2017
072dbe2
Merge remote-tracking branch 'origin/master'
braveghz Aug 30, 2017
46a2d5e
Merge pull request #2 from wufeifei/master
braveghz Aug 30, 2017
f270b7a
Modify CVI-220001 HRS
braveghz Aug 30, 2017
4571cae
Merge remote-tracking branch 'origin/master'
braveghz Aug 30, 2017
75820aa
Modify CVI-360001 webshell
braveghz Aug 31, 2017
ba70867
Modify CVI-170002 PHP LFI/RFI
braveghz Aug 31, 2017
476dcdd
Modify CVI-120004 SSRF caused by fsockopen
braveghz Aug 31, 2017
019b1eb
Modify CVI-350002 Redis anonymous access
braveghz Aug 31, 2017
f2f1ed1
Modify CVI-360001 CVI-360002 CVI-360003 CVI-360007, add webshell rules
braveghz Aug 31, 2017
87fb03e
Merge pull request #3 from wufeifei/master
braveghz Aug 31, 2017
960715a
Add webshell rules
braveghz Aug 31, 2017
5fb0e3e
Merge remote-tracking branch 'origin/master'
braveghz Aug 31, 2017
4d21909
Add webshell rules
braveghz Aug 31, 2017
70923c2
Add webshell signature-scanning rules
braveghz Aug 31, 2017
d313dad
tmp-version
braveghz Sep 4, 2017
e3b3d08
tmp-version
braveghz Sep 4, 2017
35b0c68
Merge pull request #4 from wufeifei/master
braveghz Sep 5, 2017
5073b9f
Merge branch 'master' of github.com:braveghz/cobra
braveghz Sep 5, 2017
2b56cae
Trojan signature scanning
braveghz Sep 6, 2017
554cd4c
delete HRS + add LDAP Injection
braveghz Sep 6, 2017
adb2ed7
improve rules
braveghz Sep 6, 2017
0859021
Merge pull request #5 from wufeifei/master
braveghz Sep 6, 2017
a69e303
Add webshell scanning rules
braveghz Sep 6, 2017
91505e6
merge
braveghz Sep 6, 2017
885dafc
Merge pull request #555 from wufeifei/develop
FeeiCN Sep 6, 2017
1533d3f
Merge branch 'master' of github.com:braveghz/cobra
braveghz Sep 7, 2017
832506c
Merge pull request #6 from wufeifei/master
braveghz Sep 7, 2017
6c2b6e7
improve rules
braveghz Sep 7, 2017
8ea45bb
Merge remote-tracking branch 'origin/master'
braveghz Sep 7, 2017
c3fec5e
Merge branch 'master' of github.com:braveghz/cobra
braveghz Sep 7, 2017
ca6336e
v.php
braveghz Sep 7, 2017
20b5190
testcases
braveghz Sep 8, 2017
888ff8f
Merge branch 'wufeifei-develop'
braveghz Sep 8, 2017
ce5a5c9
Merge pull request #568 from wufeifei/develop
FeeiCN Sep 8, 2017
62a0eb8
Merge pull request #8 from wufeifei/develop
braveghz Sep 8, 2017
7e85777
improve rules
braveghz Sep 11, 2017
8f5c8aa
improve rules
braveghz Sep 11, 2017
f6df2e5
Merge pull request #9 from wufeifei/master
braveghz Sep 11, 2017
3 changes: 2 additions & 1 deletion docs/index.md
Expand Up @@ -48,7 +48,8 @@
| 290 | LB | Logic Bug | 逻辑错误 |
| 320 | VO | Variables Override | 变量覆盖漏洞 |
| 350 | WF | Weak Function | 不安全的函数 |
| 355 | WE |Weak Encryption | 不安全的加密 |
| 355 | WE | Weak Encryption | 不安全的加密 |
| 360 | WS | WebShell | WebShell |
| 970 | AV | Android Vulnerabilities | Android漏洞 |
| 980 | IV | iOS Vulnerabilities | iOS漏洞 |
| 999 | IC | Insecure Components| 引用了存在漏洞的三方组件(Maven/Pods/PIP/NPM) |
1 change: 1 addition & 0 deletions docs/labels.md
Expand Up @@ -26,6 +26,7 @@
| 320 | VO | Variables Override | 变量覆盖漏洞 |
| 350 | WF | Weak Function | 不安全的函数 |
| 355 | WE |Weak Encryption | 不安全的加密 |
| 360 | WS | WebShell | WebShell |
| 970 | AV | Android Vulnerabilities | Android漏洞 |
| 980 | IV | iOS Vulnerabilities | iOS漏洞 |
| 999 | IC | Insecure Components| 引用了存在漏洞的三方组件(Maven/Pods/PIP/NPM) |
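Review bot: the 355 row in this hunk's context still reads `| 355 | WE |Weak Encryption |` with the missing space after the pipe, while the identical row in docs/index.md is fixed in this same PR; apply the one-character fix here too so the two tables stay in step.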
20 changes: 9 additions & 11 deletions rules/CVI-120001.xml
Expand Up @@ -7,20 +7,19 @@
<level value="6"/>
<test>
<case assert="true"><![CDATA[
function curl($url){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);
}
$url = $_GET['url'];
curl($url);
function curl($url){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);
}
$url = $_GET['url'];
curl($url);
]]></case>
</test>
<solution>
## 安全风险

SSRF漏洞(Server-Side Request Forgery)

### 形成原理
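Review bot: the re-indented case is still the only case in this rule, so nothing verifies that a constant or allow-listed URL is left alone; add an `assert="false"` case such as `$url = "http://www.example.com"; curl($url);`, mirroring what CVI-120002 does in this PR, so a regression in the controllable-parameter check is caught rather than silently raising false positives.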
Expand All @@ -42,7 +41,6 @@
curl_exec($ch);
curl_close($ch);
}

$url = $_GET['url'];
curl($url);
```
8 changes: 4 additions & 4 deletions rules/CVI-120002.xml
Expand Up @@ -6,12 +6,12 @@
<level value="7"/>
<test>
<case assert="true"><![CDATA[
$url = $_GET['url'];
echo file_get_contents($url);
$url = $_GET['url'];
echo file_get_contents($url);
]]></case>
<case assert="false"><![CDATA[
$url = "http://www.example.com";
echo file_get_contents($url);
$url = "http://www.example.com";
echo file_get_contents($url);
]]></case>
</test>
<solution>
3 changes: 1 addition & 2 deletions rules/CVI-120003.xml
Expand Up @@ -3,7 +3,6 @@
<name value="get_headers导致的SSRF"/>
<language value="php"/>
<match mode="function-param-controllable"><![CDATA[get_headers]]></match>
<repair block="in-function-up"><![CDATA[in_array\s*\(\s*{{PARAM}}\s*,|preg_match(?:_all)?\s*\(\s*(?:.+?)\s*,\s*{{PARAM}}\s*[,\)]]]></repair>
<level value="7"/>
<test>
<case assert="true"><![CDATA[
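Review bot: removing the `repair` element is a behaviour change, not cleanup: code that validates the URL with `in_array(...)` or `preg_match(...)` before calling `get_headers` will now be reported as well, which is a false positive on exactly the mitigation the rule's own solution text recommends. If the old pattern was too strict or did not compile, say so in the commit message and replace it with the simpler `in_array` repair that CVI-210001 gains in this PR instead of dropping the check entirely.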
Expand Down Expand Up @@ -41,5 +40,5 @@
```
</solution>
<status value="on"/>
<author name="Lightless" email="[email protected]"/>
<author name="Lightless" email="[email protected]"/>
</cobra>
35 changes: 35 additions & 0 deletions rules/CVI-120004.xml
@@ -0,0 +1,35 @@
<?xml version="1.0" encoding="UTF-8"?>
<cobra document="https://github.com/wufeifei/cobra">
<name value="fsockopen造成的SSRF"/>
<language value="php"/>
<match mode="function-param-controllable"><![CDATA[fsockopen]]></match>
<level value="7"/>
<test>
<case assert="true"><![CDATA[
$host = $_GET['host'];
$fp = fsockopen($host, intval($port), $errno, $errstr, 30);
]]></case>
</test>
<solution>
## 安全风险
SSRF漏洞(Server-Side Request Forgery)

### 形成原理
SSRF形成的原因大都是由于服务端提供了从其他服务器应用获取数据的功能且没有对目标地址做过滤与限制。

### 风险
1、攻击者可以对外网、服务器所在内网、本地进行端口扫描,获取服务的banner信息。
2、攻击运行在内网或本地的应用程序。
3、对内网web应用进行指纹识别。
4、攻击内外网的web应用。
5、利用file协议读取本地文件等。

## 修复方案
1. 限制协议为HTTP、HTTPS
2. 限制请求域名白名单
3. 禁止30x跳转

</solution>
<status value="on"/>
<author name="JoyChou" email="[email protected]"/>
</cobra>
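Review bot: the only test case references `$port`, which is never assigned in the snippet, and there is no `assert="false"` case, so the rule is exercised against incomplete code only; assign `$port` and add a negative case with a hard-coded host. The remediation section also does not fit this sink: restricting the protocol to HTTP/HTTPS and blocking 30x redirects is advice for curl or file_get_contents, whereas `fsockopen` opens a raw TCP connection, so the relevant controls are a host (and resolved-IP) allow list plus a fixed, non-controllable port. Finally, the rule ships no `repair` element, so a call guarded by such an allow list is still reported.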
1 change: 0 additions & 1 deletion rules/CVI-140001.xml
@@ -1,5 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>

<cobra document="https://github.com/wufeifei/cobra">
<name value="文本框反射型XSS"/>
<language value="jsp"/>
3 changes: 1 addition & 2 deletions rules/CVI-140002.xml
@@ -1,7 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>

<cobra document="https://github.com/wufeifei/cobra">
<name value="输出入参"/>
<name value="输出入参可能导致XSS"/>
<language value="java"/>
<match mode="regex-only-match"><![CDATA[out\.println\s*\(\s*request\.get(Parameter|QueryString)\s*\(\s*\"]]></match>
<level value="4"/>
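Review bot: the new name promises XSS detection, but the unchanged match on the context line only fires on `out.println(request.getParameter("` or `getQueryString("` with a literal quote right after the call; `out.print(`, `out.write(` and a variable argument such as `request.getParameter(name)` are missed. If the wider name is intended, widen the pattern too, e.g. `out\.(println|print|write)` and `\s*\(\s*` without requiring the opening quote.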
2 changes: 1 addition & 1 deletion rules/CVI-140003.xml
Expand Up @@ -3,7 +3,7 @@
<name value="直接输出入参可能导致XSS"/>
<language value="php"/>
<match mode="function-param-controllable"><![CDATA[(echo|print|print_r|exit|die|printf|vprintf|trigger_error|user_error|odbc_result_all|ovrimos_result_all|ifx_htmltbl_result)]]></match>
<repair block="in-function"><![CDATA[(htmlspecialchars\s*\(\s*{{PARAM}}\s*)]]></repair>
<repair block="in-function"><![CDATA[(htmlspecialchars]]></repair>
<level value="4"/>
<test>
<case assert="true"><![CDATA[print_r ($_GET['test']);]]></case>
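Review bot: the new repair pattern `(htmlspecialchars` has an unclosed parenthesis; if it is compiled as a regular expression like the other repair patterns in this PR, compilation fails and the rule breaks outright. Even once balanced, it no longer contains `{{PARAM}}`, so any `htmlspecialchars(` anywhere in the function suppresses the finding, including when it encodes a different variable than the one being printed (`echo htmlspecialchars($a) . $_GET['x'];`). Keep the parameter binding, for example `htmlspecialchars\s*\(\s*{{PARAM}}`.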
22 changes: 0 additions & 22 deletions rules/CVI-140004.xml

This file was deleted.
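Review bot: the deletion of rules/CVI-140004.xml has no rationale in the commit list or this PR and the removed content is not shown; state why the rule was dropped (folded into another rule, too noisy, or a duplicate) and whether the ID 140004 stays reserved, so the rule set remains traceable.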

1 change: 0 additions & 1 deletion rules/CVI-160001.xml
@@ -1,5 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>

<cobra document="https://github.com/wufeifei/cobra">
<name value="拼接SQL注入"/>
<language value="java"/>
2 changes: 1 addition & 1 deletion rules/CVI-160002.xml
Expand Up @@ -9,7 +9,7 @@
<case assert="false"><![CDATA[$query = "SELECT id FROM products LIMIT 20 ;";]]></case>
<case assert="true"><![CDATA[$s = "select" + $v + "from " + $tb + "where id = " + $id;]]></case>
<case assert="true"><![CDATA[
$query = "SELECT id, name, inserted, size FROM products
$query = "SELECT id, name, inserted, size FROM products
WHERE size = '$size'
ORDER BY $order
LIMIT $limit, $offset;";
2 changes: 1 addition & 1 deletion rules/CVI-160003.xml
Expand Up @@ -3,7 +3,7 @@
<name value="MySQL Execute Functions可能导致SQL注入"/>
<language value="php"/>
<match mode="function-param-controllable"><![CDATA[(mysql_query|mysql_db_query)]]></match>
<repair block="in-function"><![CDATA[(?:mysql_real_escape_string|addslashes)\s*\(\s*{{PARAM}}\s*[\),]]]></repair>
<repair block="in-function"><![CDATA[(mysql_real_escape_string|addslashes)]]></repair>
<level value="8"/>
<test>
<case assert="true"><![CDATA[
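Review bot: dropping `{{PARAM}}` from the repair pattern means a single `addslashes(` or `mysql_real_escape_string(` call on any variable in the function marks the query as repaired, so `mysql_query("... WHERE a='" . addslashes($a) . "' AND b=" . $_GET['b'])` is no longer reported; keep the binding to the controllable parameter as the replaced pattern had it. Treating `addslashes` as a repair at all should also be a conscious choice, since it does not protect numeric contexts or LIKE clauses and is charset-dependent.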
2 changes: 1 addition & 1 deletion rules/CVI-160004.xml
Expand Up @@ -2,7 +2,7 @@
<cobra document="https://github.com/wufeifei/cobra">
<name value="SQL Execute Functions可能导致SQL注入"/>
<language value="php"/>
<match mode="function-param-controllable"><![CDATA[(mysqli_query|pg_execute|pg_insert|pg_query|pg_select|pg_update|sqlite_query|msql_query|mssql_query|odbc_exec|fbsql_query|sybase_query|ibase_query|dbx_query|ingres_query|ifx_query|oci_parse|sqlsrv_query|maxdb_query|db2_exec)\s?\(]]></match>
<match mode="function-param-controllable"><![CDATA[(mysqli_query|pg_execute|pg_insert|pg_query|pg_select|pg_update|sqlite_query|msql_query|mssql_query|odbc_exec|fbsql_query|sybase_query|ibase_query|dbx_query|ingres_query|ifx_query|oci_parse|sqlsrv_query|maxdb_query|db2_exec)]]></match>
<level value="8"/>
<test>
<case assert="true"><![CDATA[
30 changes: 30 additions & 0 deletions rules/CVI-165001.xml
@@ -0,0 +1,30 @@
<?xml version="1.0" encoding="UTF-8"?>
<cobra document="https://github.com/wufeifei/cobra">
<name value="LDAP注入"/>
<language value="php"/>
<match mode="function-param-controllable"><![CDATA[(ldap_add|ldap_delete|ldap_list|ldap_read|ldap_search|ldap_bind)]]></match>
<repair block="in-function-up"><![CDATA[ldap_escape\s*\(\s*.+?\s*,\s*.+?\s*,\s*LDAP_ESCAPE_FILTER\s*\)]]></repair>
<level value="5"/>
<test>
<case assert="true"><![CDATA[
$surname=$_GET['surname'];
$filter = "(sn=" . $surname . ")";
$sr=ldap_search($ds, "o=My Company, c=US", $filter);
$info = ldap_get_entries($ds, $sr);
]]></case>
</test>
<solution>
## 安全风险

LDAP Injection
允许进行LDAP查询 + 输入未进行过滤 ---> LDAP注入
这种威胁可以让攻击者能够从LADP树中提取到很多很重要的信息

## 修复方案
对用户输入数据中包含的”语言本身的保留字符”进行转义(例如可以使用`ldap_escape`)

</solution>
<status value="on"/>
<author name="Feei" email="[email protected]"/>
</cobra>
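Review bot: the repair pattern requires `LDAP_ESCAPE_FILTER`, but the match list also names `ldap_bind`, `ldap_add` and `ldap_delete`, whose controllable argument is a DN rather than a filter and must be escaped with `LDAP_ESCAPE_DN`; correctly hardened code for those calls will still be reported. Either split the DN sinks into their own rule or accept both flags (`LDAP_ESCAPE_(FILTER|DN)`). The pattern is also not bound to `{{PARAM}}`, so any `ldap_escape(...)` higher in the function silences the finding, and there is no `assert="false"` case showing an escaped filter passing. Minor: "LADP" in the solution text is a typo for "LDAP".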

9 changes: 1 addition & 8 deletions rules/CVI-167001.xml
Expand Up @@ -7,17 +7,13 @@
<level value="5"/>
<test>
<case assert="true"><![CDATA[
<?php
$xml = $_POST['xml'];
$data = simplexml_load_string($xml);
?>
]]></case>
<case assert="false"><![CDATA[
<?php
$xml = $_POST['xml'];
libxml_disable_entity_loader(true);
$data = simplexml_load_string($xml);
?>
]]></case>
</test>
<solution>
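Review bot: dropping `<?php` / `?>` from the test cases assumes the test harness wraps snippets in PHP open tags before parsing; CVI-260001 in this PR makes the same change, so it is at least consistent, but confirm this rule's cases still run green, because a PHP parser fed a tag-less snippet treats it as inline HTML and a parser-based check would then see no code at all.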
Expand All @@ -42,18 +38,15 @@

## 举例
```php
<?php
$xml = $_POST['xml'];
$data = simplexml_load_string($xml);
?>
```
修改后代码
```php
<?php
$xml = $_POST['xml'];
libxml_disable_entity_loader(true);
$data = simplexml_load_string($xml);
?>
```
</solution>
<status value="on"/>
<author name="Lightless" email="[email protected] "/>
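Review bot: the author email on the last context line, `email="[email protected] "`, carries a trailing space inside the attribute value; since this file is being edited anyway, strip it so the attribute matches the other rule files.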
2 changes: 1 addition & 1 deletion rules/CVI-180001.xml
Expand Up @@ -2,7 +2,7 @@
<cobra document="https://github.com/wufeifei/cobra">
<name value="远程代码执行"/>
<language value="php"/>
<match mode="function-param-controllable"><![CDATA[(array_map|create_function|call_user_func|call_user_func_array|assert|eval|dl|register_tick_function|register_shutdown_function|preg_replace)]]></match>
<match mode="function-param-controllable"><![CDATA[(array_map|create_function|call_user_func|call_user_func_array|assert|eval|dl|register_tick_function|register_shutdown_function|array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|array_walk_recursive|uasort|uksort|usort)]]></match>
<level value="10"/>
<test>
<case assert="true"><![CDATA[array_map($_GET['pass'],$array);]]></case>
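Review bot: `preg_replace` disappears from the match list without explanation; with the `/e` modifier it is a code-execution sink on PHP 5, so if it was removed for noise it should move to a rule of its own with a note rather than vanish. The added callback-taking functions (`array_filter`, `array_reduce`, `usort`, ...) are dangerous only through their callback argument, yet as written the rule fires for any controllable argument, so unless the engine can restrict the check to the callback position, `array_filter($_GET['ids'])` or `usort($rows, 'cmp')` with a controllable `$rows` will be reported at level 10. Add an `assert="false"` case for a controllable array argument to pin down the intended behaviour.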
24 changes: 0 additions & 24 deletions rules/CVI-180002.xml

This file was deleted.
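Review bot: rules/CVI-180002.xml is deleted in the same PR that extends CVI-180001's match list; if 180002's sinks were folded into 180001, say so in the commit message and carry its test cases over, otherwise the coverage it provided is lost without a trace.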

2 changes: 1 addition & 1 deletion rules/CVI-181001.xml
Expand Up @@ -3,7 +3,7 @@
<name value="远程命令执行"/>
<language value="php"/>
<match mode="function-param-controllable"><![CDATA[(system|passthru|exec|pcntl_exec|shell_exec|popen|proc_open|ob_start|expect_popen|mb_send_mail|w32api_register_function|w32api_invoke_function|ssh2_exec)]]></match>
<repair block="in-function"><![CDATA[escapeshellcmd\s*\(\s*(.+?)\s*\)|escapeshellarg\s*\(\s*(.+?)\s*\)]]></repair>
<repair block="in-function"><![CDATA[(escapeshellcmd|escapeshellarg)]]></repair>
<level value="10"/>
<test>
<case assert="true"><![CDATA[system($_GET['pass']);]]></case>
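Review bot: neither the old pattern (which captured `(.+?)`) nor the new `(escapeshellcmd|escapeshellarg)` is bound to `{{PARAM}}`, so escaping any variable in the function silences the finding on the controllable one, e.g. `system("ls " . escapeshellarg($dir) . " " . $_GET['opt'])`; while this line is being changed, bind it to the parameter as in `escapeshellarg\s*\(\s*{{PARAM}}`. Note also that `escapeshellcmd` alone does not prevent an attacker-controlled value from adding extra arguments, so counting it as a full repair at level 10 is generous; `escapeshellarg` on the individual argument is the stronger signal.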
7 changes: 3 additions & 4 deletions rules/CVI-200002.xml
@@ -1,20 +1,19 @@
<?xml version="1.0" encoding="UTF-8"?>

<cobra document="https://github.com/wufeifei/cobra">
<name value="不安全的随机数"/>
<language value="php"/>
<match mode="regex-only-match"><![CDATA[uniqid\s?\(]]></match>
<level value="2"/>
<test>
<case assert="true"><![CDATA[$uniq = uniqid();]]></case>
</test>
<solution>
## 安全风险
uniqid基于时间戳生成的,属于伪随机生成器,不建议使用。

## 修复方案
使用random替代
</solution>
<test>
<case assert="true"><![CDATA[$uniq = uniqid();]]></case>
</test>
<status value="on"/>
<author name="Feei" email="[email protected]"/>
</cobra>
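Review bot: moving the test section above the `solution` element is harmless, but while the file is touched, the remediation text `使用random替代` ("use random instead") names no actual function; recommend `random_int()` / `random_bytes()` (PHP 7) or `openssl_random_pseudo_bytes()` explicitly so readers are not steered toward `rand()` / `mt_rand()`, which are no better than `uniqid()` for security-sensitive values.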
2 changes: 1 addition & 1 deletion rules/CVI-210001.xml
Expand Up @@ -3,6 +3,7 @@
<name value="未经验证的任意链接跳转"/>
<language value="php"/>
<match mode="function-param-controllable"><![CDATA[header]]></match>
<repair block="in-function-up"><![CDATA[in_array]]></repair>
<level value="5"/>
<test>
<case assert="true"><![CDATA[header("Location: ".$_GET["url"]);]]></case>
Expand All @@ -25,7 +26,6 @@
4. 设置URL跳转白名单。
5. 当用户跳转离开时,强制跳转到警告页面上,提示用户正在离开当前网站。

## 修复方案
使用白名单判断
```php
<?php if(!in_array($_GET["url"], $whitelist)) exit; ?>
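Review bot: the new repair `in_array` is matched as a bare substring anywhere above the `header()` call in the function, so an `in_array` check on an unrelated value (or one in a comment) suppresses the finding; bind it to the redirect target, e.g. `in_array\s*\(\s*{{PARAM}}`, in the style of the pattern CVI-120003 had before this PR. An `assert="false"` case built from the solution's own `if(!in_array($_GET["url"], $whitelist)) exit;` example would lock that in.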
4 changes: 1 addition & 3 deletions rules/CVI-260001.xml
Expand Up @@ -2,14 +2,12 @@
<cobra document="https://github.com/wufeifei/cobra">
<name value="PHP反序列化漏洞"/>
<language value="php"/>
<match mode="function-param-controllable"><![CDATA[is_a|unserialize]]></match>
<match mode="function-param-controllable"><![CDATA[unserialize]]></match>
<level value="5"/>
<test>
<case assert="true"><![CDATA[
<?php
$test = $_POST['test'];
$test_uns = unserialize($test);
?>
]]></case>
</test>
<solution>
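Review bot: narrowing the match from `is_a|unserialize` to the actual `unserialize` sink is reasonable, but the rule still has only a positive case; add an `assert="false"` case with a hard-coded input and one showing the recommended safe form on PHP 7, `unserialize($data, ['allowed_classes' => false])`, so a future repair pattern has something to test against.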