update to beta2

update to beta2

Kunlun_M/settings.py.bak

@@ -78,7 +78,7 @@ WSGI_APPLICATION = 'Kunlun_M.wsgi.application'
 DATABASES = {
     'default': {
         'ENGINE': 'django.db.backends.sqlite3',
-        'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
+        'NAME': os.path.join(BASE_DIR, 'db', 'kunlun.db'),
     }
 }
 

README.md

@@ -115,6 +115,12 @@ KunLun-M可能是市面上唯一的开源并长期维护的自动化代码审计
 pip install -r requirements.txt
 ```
 
+配置文件迁移
+```
+cp Kunlun_M/settings.py.bak Kunlun_M/settings.py
+```
+
+
 初始化数据库，默认采用sqlite作为数据库
 ```
 python kunlun.py init
@@ -159,7 +165,7 @@ python3 kunlun.py console
 | |/ / _   _ _ __ | |    _   _ _ __       | .  . |
 |    \| | | | '_ \| |   | | | | '_ \ _____| |\/| |
 | |\  \ |_| | | | | |___| |_| | | | |_____| |  | |
-\_| \_/\__,_|_| |_\_____/\__,_|_| |_|     \_|  |_/  -v2.0 beta1
+\_| \_/\__,_|_| |_\_____/\__,_|_| |_|     \_|  |_/  -v2.0
 
 GitHub: https://github.com/LoRexxar/Kunlun-M
 
@@ -178,14 +184,33 @@ Global commands:
 KunLun-M (root) >
 ```
 
+#### 使用KunLun-M 查看 rules 和 tampers
+
+[![asciicast](https://asciinema.org/a/360842.svg)](https://asciinema.org/a/360842)
+
+#### 使用KunLun-M 扫描漏洞
+
+[![asciicast](https://asciinema.org/a/360843.svg)](https://asciinema.org/a/360843)
+
+#### 使用KunLun-M 查看扫描结果
+
+[![asciicast](https://asciinema.org/a/360845.svg)](https://asciinema.org/a/360845)
+
 ## 开发文档
 
 开发文档还未更新.
 
 [dev.md](./docs/dev.md)
 
+## 交流社区
+
+KunLun-M是404Team 星链机会中的一环，如果对KunLun-M有任何疑问又或是想要找小伙伴交流，可以参考星链计划的加群方式。
+
+- [https://github.com/knownsec/404StarLink-Project#community](https://github.com/knownsec/404StarLink-Project#community)
+
 ## Contributors
 
 感谢如下贡献者对本工具发展过程中的贡献：
 - Knownsec 404 Team [LoRexxar](https://github.com/LoRexxar)
-- 北邮天枢 [Sissel](https://github.com/boke1208)
+- 北邮天枢 [Sissel](https://github.com/boke1208)
+- [#jax777](https://github.com/jax777)

core/__version__.py

@@ -7,7 +7,7 @@
 __issue_page__ = 'https://github.com/LoRexxar/Kunlun-M/issues/new'
 __python_version__ = sys.version.split()[0]
 __platform__ = platform.platform()
-__version__ = '2.0 beta1'
+__version__ = '2.0 beta2'
 __author__ = 'LoRexxar'
 __author_email__ = 'LoRexxar@gmail.com'
 __license__ = 'MIT License'

core/console.py

@@ -759,7 +759,10 @@ def check_scan_options(self):
     def check_scan_log_file(self):
         last_scantask = ScanTask.objects.all().order_by('-id').first()
 
-        logfile_name = 'ScanTask_{}'.format(last_scantask.id+1)
+        if last_scantask:
+            logfile_name = 'ScanTask_{}'.format(last_scantask.id+1)
+        else:
+            logfile_name = 'ScanTask_1'
 
         i = 1
         while os.path.exists(os.path.join(LOGS_PATH, logfile_name+'.log')):

core/core_engine/php/parser.py

@@ -805,7 +805,7 @@ def parameters_back(param, nodes, function_params=None, lineno=0,
 
                 # 这里检测的是函数参数列表...如果为空不一定不可控？
                 if len(param_expr) <= 0 and not (isinstance(node.expr, php.FunctionCall) or isinstance(node.expr, php.MethodCall)):
-                    _is_co = -1
+                    is_co = -1
                     cp = param
                     return is_co, cp, 0
 
@@ -1156,10 +1156,8 @@ def parameters_back(param, nodes, function_params=None, lineno=0,
             if is_co in [-1, 1, 2]:  # 目标确定直接返回
                 return is_co, cp, expr_lineno
 
-            if _is_co == 3 and _cp != param:
+            if _is_co == 3 and cp != param:
                 # 如果不等于，说明在if/else块中产生了变化
-                is_co = _is_co
-                cp = _cp
                 param = _cp
 
                 file_path = os.path.normpath(file_path)

docs/changelog.md

@@ -188,4 +188,9 @@
     - 公开了js相关的多个rules
     - 再次完善了php的相关语法 #75
     - **添加了console模式，更方便的使用以及扫描.** #73
-
+- 2020-09-21
+    - KunLun-M 2.0.0 beta2
+    - 更新了部分PHP的rule和1个Solidity rule样例
+    - 更新了部分模板tamper
+    - 修复了一个mac下的bug
+    - 添加了演示视频在文档中

rules/php/CVI_10002.py

@@ -0,0 +1,53 @@
+# -*- coding: utf-8 -*-
+
+"""
+    auto rule template
+    ~~~~
+    :author:    LoRexxar <LoRexxar@gmail.com>
+    :homepage:  https://github.com/LoRexxar/Kunlun-M
+    :license:   MIT, see LICENSE for more details.
+    :copyright: Copyright (c) 2017 LoRexxar. All rights reserved
+"""
+
+from utils.api import *
+
+
+class CVI_10002():
+    """
+    rule class
+    """
+
+    def __init__(self):
+
+        self.svid = 10002
+        self.language = "php"
+        self.author = "LoRexxar"
+        self.vulnerability = "Reflected XSS"
+        self.description = "Reflected XSS"
+
+        # status
+        self.status = True
+
+        # 部分配置
+        self.match_mode = "function-param-regex"
+        self.match = r"echo|print"
+
+        # for solidity
+        self.match_name = None
+        self.black_list = None
+
+        # for chrome ext
+        self.keyword = "is_echo_statement"
+
+        # for regex
+        self.unmatch = None
+
+        self.vul_function = None
+
+    def main(self, regex_string):
+        """
+        regex string input
+        :regex_string: regex match string
+        :return:
+        """
+        pass

rules/solidity/CVI_2001.py

@@ -0,0 +1,53 @@
+# -*- coding: utf-8 -*-
+
+"""
+    auto rule template
+    ~~~~
+    :author:    LoRexxar <LoRexxar@gmail.com>
+    :homepage:  https://github.com/LoRexxar/Kunlun-M
+    :license:   MIT, see LICENSE for more details.
+    :copyright: Copyright (c) 2017 LoRexxar. All rights reserved
+"""
+
+from utils.api import *
+
+
+class CVI_2001():
+    """
+    rule class
+    """
+
+    def __init__(self):
+
+        self.svid = 2001
+        self.language = "solidity"
+        self.author = "LoRexxar"
+        self.vulnerability = "假充值 vul"
+        self.description = "开发人员没有遵循ERC20"
+
+        # status
+        self.status = True
+
+        # 部分配置
+        self.match_mode = "only-regex"
+        self.match = ['\\bif\\s*\\(.+(?=\\))\\)\\s*\\{[^\\}]+\\}\\s*else\\s*\\{[\\s]+return\\s+false;']
+
+        # for solidity
+        self.match_name = None
+        self.black_list = None
+
+        # for chrome ext
+        self.keyword = None
+
+        # for regex
+        self.unmatch = []
+
+        self.vul_function = None
+
+    def main(self, regex_string):
+        """
+        regex string input
+        :regex_string: regex match string
+        :return:
+        """
+        pass

rules/solidity/CVI_2100.py

@@ -0,0 +1,53 @@
+# -*- coding: utf-8 -*-
+
+"""
+    auto rule template
+    ~~~~
+    :author:    LoRexxar <LoRexxar@gmail.com>
+    :homepage:  https://github.com/LoRexxar/Kunlun-M
+    :license:   MIT, see LICENSE for more details.
+    :copyright: Copyright (c) 2017 LoRexxar. All rights reserved
+"""
+
+from utils.api import *
+
+
+class CVI_2100():
+    """
+    rule class
+    """
+
+    def __init__(self):
+
+        self.svid = 2100
+        self.language = "solidity"
+        self.author = "Sissel"
+        self.vulnerability = "address(0)"
+        self.description = "含参数包含地址的函数开始处，应增加地址是否为0的校验，防止用户操作失误。"
+
+        # status
+        self.status = True
+
+        # 部分配置
+        self.match_mode = "regex-return-regex"
+        self.match = []
+
+        # for solidity
+        self.match_name = r"(\bfunction\s+[^\n]*?\(.*?address\s+([^, )]*)[^\n\r]*)"
+        self.black_list = ['balanceOf', ';', '[]']
+
+        # for chrome ext
+        self.keyword = None
+
+        # for regex
+        self.unmatch = ['\\b(if|require)\\s*\\(=padding=\\s!=\\s(address\\(0\\)|0x0)\\)']
+
+        self.vul_function = None
+
+    def main(self, regex_string):
+        """
+        regex string input
+        :regex_string: regex match string
+        :return:
+        """
+        pass

rules/tamper/phpbb.py

@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+
+"""
+    phpbb3
+    ~~~~
+
+    tamper for phpbb3 
+
+    :author:    LoRexxar <LoRexxar@gmail.com>
+    :homepage:  https://github.com/LoRexxar/Kunlun-M
+    :license:   MIT, see LICENSE for more details.
+    :copyright: Copyright (c) 2017 LoRexxar. All rights reserved
+"""
+
+phpbb = {
+}
+
+phpbb_controlled = [
+    "$request",
+]

rules/tamper/roundcube.py

@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+# encoding: utf-8
+'''
+@author: LoRexxar
+@contact: lorexxar@gmail.com
+@file: roundcube.py
+@time: 2020/5/7 18:27
+@desc:
+'''
+
+roundcube = {
+    "show": [1000, 10001, 10002],
+    "Q": [1000, 10001, 1009, 10002],
+    "login": [1000, 10001, 10002],
+}
+
+roundcube_controlled = [
+    "get_input_value",
+    "rcube_utils::get_input_value",
+    "getprop",
+]

rules/tamper/thinkphp.py

@@ -0,0 +1,16 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# @Time    : 2019/5/14 17:01
+# @Author  : LoRexxar
+# @File    : thinkphp.py
+# @Contact : lorexxar@gmail.com
+
+
+thinkphp = {
+}
+
+thinkphp_controlled = [
+    "Input",
+    "request",
+    "I",
+]

utils/readlineng.py

@@ -41,9 +41,9 @@
 uses_libedit = False
 
 if PLATFORM == 'mac' and _readline:
-    import commands
+    import subprocess
 
-    (status, result) = commands.getstatusoutput("otool -L %s | grep libedit" % _readline.__file__)
+    (status, result) = subprocess.getstatusoutput("otool -L %s | grep libedit" % _readline.__file__)
 
     if status == 0 and len(result) > 0:
         # We are bound to libedit - new in Leopard

utils/utils.py

@@ -683,8 +683,6 @@ def get_mainstr_from_filename(filename):
     mainstr = mainstr[-1] if mainstr[-1] else mainstr[-2]
     mainstr = mainstr.split('.')[0].strip("")
 
-    s = ScanTask.objects.filter(task_name=mainstr)
-
     return mainstr