From 24232d7d0d5e1ea718b49a89e66f972b298c6fa1 Mon Sep 17 00:00:00 2001 From: LoRexxar Date: Mon, 21 Sep 2020 10:09:27 +0800 Subject: [PATCH 1/9] fix bug for LGTM --- core/core_engine/php/parser.py | 6 ++---- utils/utils.py | 2 -- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/core/core_engine/php/parser.py b/core/core_engine/php/parser.py index 92cb04a2..5ebba4a7 100644 --- a/core/core_engine/php/parser.py +++ b/core/core_engine/php/parser.py @@ -805,7 +805,7 @@ def parameters_back(param, nodes, function_params=None, lineno=0, # 这里检测的是函数参数列表...如果为空不一定不可控? if len(param_expr) <= 0 and not (isinstance(node.expr, php.FunctionCall) or isinstance(node.expr, php.MethodCall)): - _is_co = -1 + is_co = -1 cp = param return is_co, cp, 0 @@ -1156,10 +1156,8 @@ def parameters_back(param, nodes, function_params=None, lineno=0, if is_co in [-1, 1, 2]: # 目标确定直接返回 return is_co, cp, expr_lineno - if _is_co == 3 and _cp != param: + if _is_co == 3 and cp != param: # 如果不等于,说明在if/else块中产生了变化 - is_co = _is_co - cp = _cp param = _cp file_path = os.path.normpath(file_path) diff --git a/utils/utils.py b/utils/utils.py index e40fbfbe..3f12ac6b 100644 --- a/utils/utils.py +++ b/utils/utils.py @@ -683,8 +683,6 @@ def get_mainstr_from_filename(filename): mainstr = mainstr[-1] if mainstr[-1] else mainstr[-2] mainstr = mainstr.split('.')[0].strip("") - s = ScanTask.objects.filter(task_name=mainstr) - return mainstr From c479c20567d8f1b57a642940144c8548167d0606 Mon Sep 17 00:00:00 2001 From: LoRexxar Date: Mon, 21 Sep 2020 11:31:38 +0800 Subject: [PATCH 2/9] add some tamper --- rules/tamper/phpbb.py | 20 ++++++++++++++++++++ rules/tamper/roundcube.py | 21 +++++++++++++++++++++ rules/tamper/thinkphp.py | 16 ++++++++++++++++ 3 files changed, 57 insertions(+) create mode 100644 rules/tamper/phpbb.py create mode 100644 rules/tamper/roundcube.py create mode 100644 rules/tamper/thinkphp.py 
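Review bot: Renaming the dead store to `is_co = -1` in the `len(param_expr) <= 0` branch turns a no-op into a live early return, so this is a behaviour change rather than a pure lint fix: an empty parameter list on a non-call expression now returns -1, which the later `if is_co in [-1, 1, 2]` guard treats as a settled verdict, instead of whatever `is_co` held before. The Chinese comment directly above the branch already questions whether an empty list really means the parameter is uncontrollable, so the fix may suppress taint paths the old code still propagated. If that is intended, record it next to the assignment, e.g. `# empty param list on a plain expression is now treated as settled/not controllable (-1); the comment above doubts this, revisit on false negatives`. `parameters_back` starts and ends outside the hunk.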
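Review bot: The guard was changed to `if _is_co == 3 and cp != param:` but the body it protects still assigns `param = _cp`, so the condition and the assignment now refer to different variables; if `cp` and `_cp` can hold different values (both are assigned outside this hunk) the "changed inside an if/else block" check described by the comment no longer tests the value it propagates. Either the original `_cp != param` should stay or the body should become `param = cp`; which one is right depends on where `_cp` is produced earlier in `parameters_back`, which is not visible here. Dropping `is_co = _is_co` and `cp = _cp` also means the in-branch result is no longer handed back to the caller, which looks like the overwrite LGTM complained about but is a semantic change worth a line in the commit message.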
diff --git a/rules/tamper/phpbb.py b/rules/tamper/phpbb.py new file mode 100644 index 00000000..e8825963 --- /dev/null +++ b/rules/tamper/phpbb.py @@ -0,0 +1,20 @@ +# -*- coding: utf-8 -*- + +""" + phpbb3 + ~~~~ + + tamper for phpbb3 + + :author: LoRexxar + :homepage: https://github.com/LoRexxar/Kunlun-M + :license: MIT, see LICENSE for more details. + :copyright: Copyright (c) 2017 LoRexxar. All rights reserved +""" + +phpbb = { +} + +phpbb_controlled = [ + "$request", +] diff --git a/rules/tamper/roundcube.py b/rules/tamper/roundcube.py new file mode 100644 index 00000000..e4d460d3 --- /dev/null +++ b/rules/tamper/roundcube.py @@ -0,0 +1,21 @@ +#!/usr/bin/env python +# encoding: utf-8 +''' +@author: LoRexxar +@contact: lorexxar@gmail.com +@file: roundcube.py +@time: 2020/5/7 18:27 +@desc: +''' + +roundcube = { + "show": [1000, 10001, 10002], + "Q": [1000, 10001, 1009, 10002], + "login": [1000, 10001, 10002], +} + +roundcube_controlled = [ + "get_input_value", + "rcube_utils::get_input_value", + "getprop", +] diff --git a/rules/tamper/thinkphp.py b/rules/tamper/thinkphp.py new file mode 100644 index 00000000..2bbf092e --- /dev/null +++ b/rules/tamper/thinkphp.py @@ -0,0 +1,16 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# @Time : 2019/5/14 17:01 +# @Author : LoRexxar +# @File : thinkphp.py +# @Contact : lorexxar@gmail.com + + +thinkphp = { +} + +thinkphp_controlled = [ + "Input", + "request", + "I", +] From b484413a20a108630132641daab2ba66c7b6a70e Mon Sep 17 00:00:00 2001 From: LoRexxar Date: Mon, 21 Sep 2020 11:32:59 +0800 Subject: [PATCH 3/9] add some solidity --- rules/solidity/CVI_2001.py | 53 ++++++++++++++++++++++++++++++++++++++ rules/solidity/CVI_2100.py | 53 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 106 insertions(+) create mode 100644 rules/solidity/CVI_2001.py create mode 100644 rules/solidity/CVI_2100.py diff --git a/rules/solidity/CVI_2001.py b/rules/solidity/CVI_2001.py new file mode 100644 index 00000000..60f26adf --- /dev/null 
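Review bot: The numeric lists in `roundcube` (`"show": [1000, 10001, 10002]` and so on) carry no comment saying what the ids are or what it means for a function name to map to them; from the other files in this series they look like rule svids (10002 is the PHP XSS rule added later), presumably the findings the named function is treated as neutralising, but nothing in the file states that. The `"Q"` entry contains `1009` where every other id has five digits, which may be a typo for `10009` or a genuine lower-numbered rule and is worth confirming, because a wrong id here silently fails to suppress the intended finding. I would fill the empty `@desc:` header line and put a comment above the dict such as `# function name -> rule svids it is treated as filtering; names in roundcube_controlled are taint sources (confirm against the engine)`.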
+++ b/rules/solidity/CVI_2001.py @@ -0,0 +1,53 @@ +# -*- coding: utf-8 -*- + +""" + auto rule template + ~~~~ + :author: LoRexxar + :homepage: https://github.com/LoRexxar/Kunlun-M + :license: MIT, see LICENSE for more details. + :copyright: Copyright (c) 2017 LoRexxar. All rights reserved +""" + +from utils.api import * + + +class CVI_2001(): + """ + rule class + """ + + def __init__(self): + + self.svid = 2001 + self.language = "solidity" + self.author = "LoRexxar" + self.vulnerability = "假充值 vul" + self.description = "开发人员没有遵循ERC20" + + # status + self.status = True + + # 部分配置 + self.match_mode = "only-regex" + self.match = ['\\bif\\s*\\(.+(?=\\))\\)\\s*\\{[^\\}]+\\}\\s*else\\s*\\{[\\s]+return\\s+false;'] + + # for solidity + self.match_name = None + self.black_list = None + + # for chrome ext + self.keyword = None + + # for regex + self.unmatch = [] + + self.vul_function = None + + def main(self, regex_string): + """ + regex string input + :regex_string: regex match string + :return: + """ + pass diff --git a/rules/solidity/CVI_2100.py b/rules/solidity/CVI_2100.py new file mode 100644 index 00000000..a7139f16 --- /dev/null +++ b/rules/solidity/CVI_2100.py 
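Review bot: The `only-regex` pattern in `self.match` uses `\{[^\}]+\}` for the if-body, so any if-block that itself contains a nested `{...}` (an inner if or loop before the `else { return false; }`) cannot match and the rule silently misses it, while nothing in the pattern ties the match to an ERC20 `transfer`/`transferFrom`, so every `if (...) {...} else { return false; }` in a contract is reported as a fake-deposit finding. With `main` left as `pass` and `unmatch` empty there is no second stage to narrow either direction. At minimum the `description` should say what is actually detected, e.g. `"transfer()/transferFrom() that returns false in an else-branch instead of reverting (ERC20 fake-deposit pattern); only single-level if-bodies are matched"`, and the pattern reads far more easily as a raw string, `self.match = [r'\bif\s*\(.+(?=\))\)\s*\{[^\}]+\}\s*else\s*\{[\s]+return\s+false;']`.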
@@ -0,0 +1,53 @@ +# -*- coding: utf-8 -*- + +""" + auto rule template + ~~~~ + :author: LoRexxar + :homepage: https://github.com/LoRexxar/Kunlun-M + :license: MIT, see LICENSE for more details. + :copyright: Copyright (c) 2017 LoRexxar. All rights reserved +""" + +from utils.api import * + + +class CVI_2100(): + """ + rule class + """ + + def __init__(self): + + self.svid = 2100 + self.language = "solidity" + self.author = "Sissel" + self.vulnerability = "address(0)" + self.description = "含参数包含地址的函数开始处,应增加地址是否为0的校验,防止用户操作失误。" + + # status + self.status = True + + # 部分配置 + self.match_mode = "regex-return-regex" + self.match = [] + + # for solidity + self.match_name = r"(\bfunction\s+[^\n]*?\(.*?address\s+([^, )]*)[^\n\r]*)" + self.black_list = ['balanceOf', ';', '[]'] + + # for chrome ext + self.keyword = None + + # for regex + self.unmatch = ['\\b(if|require)\\s*\\(=padding=\\s!=\\s(address\\(0\\)|0x0)\\)'] + + self.vul_function = None + + def main(self, regex_string): + """ + regex string input + :regex_string: regex match string + :return: + """ + pass From b13876a79dfc129d7374b57696ee90982f23d370 Mon Sep 17 00:00:00 2001 From: jax777 Date: Mon, 21 Sep 2020 11:34:57 +0800 Subject: [PATCH 4/9] =?UTF-8?q?python3=20=E4=B8=AD=20commands=20=E5=B7=B2?= =?UTF-8?q?=E6=9B=BF=E6=8D=A2=E4=B8=BA=20subprocess?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit python3 中 commands 已替换为 subprocess --- utils/readlineng.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/readlineng.py b/utils/readlineng.py index 53a1f186..251ef5fe 100644 --- a/utils/readlineng.py +++ b/utils/readlineng.py 
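Review bot: The `unmatch` regex `\b(if|require)\s*\(=padding=\s!=\s(address\(0\)|0x0)\)` only recognises a zero-address check written with exactly one whitespace character on each side of `!=` and with the closing `)` immediately after `address(0)`, so the very common `require(_to != address(0), "zero address");` and the spaceless `require(_to!=address(0))` are not excluded and the function is reported as unchecked. Loosening it to `self.unmatch = [r'\b(if|require)\s*\(\s*=padding=\s*!=\s*(address\(0\)|0x0)\s*[,)]']` covers the revert-reason form and optional spacing; how `=padding=` is substituted is not visible here, so that token should stay as is. `self.black_list` mixes a function name (`balanceOf`) with syntax fragments (`;`, `[]`) and deserves a one-line comment saying what each entry excludes.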
@@ -41,9 +41,9 @@ uses_libedit = False if PLATFORM == 'mac' and _readline: - import commands + import subprocess - (status, result) = commands.getstatusoutput("otool -L %s | grep libedit" % _readline.__file__) + (status, result) = subprocess.getstatusoutput("otool -L %s | grep libedit" % _readline.__file__) if status == 0 and len(result) > 0: # We are bound to libedit - new in Leopard From 7e04e33c92e96b2f37675261e80586d8732d9962 Mon Sep 17 00:00:00 2001 From: LoRexxar Date: Mon, 21 Sep 2020 15:16:07 +0800 Subject: [PATCH 5/9] update docs --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d6379446..6d50d98f 100644 --- a/README.md +++ b/README.md @@ -184,8 +184,15 @@ KunLun-M (root) > [dev.md](./docs/dev.md) +## 交流社区 + +KunLun-M是404Team 星链机会中的一环,如果对KunLun-M有任何疑问又或是想要找小伙伴交流,可以参考星链计划的加群方式。 + +- [https://github.com/knownsec/404StarLink-Project#community](https://github.com/knownsec/404StarLink-Project#community) + ## Contributors 感谢如下贡献者对本工具发展过程中的贡献: - Knownsec 404 Team [LoRexxar](https://github.com/LoRexxar) -- 北邮天枢 [Sissel](https://github.com/boke1208) \ No newline at end of file +- 北邮天枢 [Sissel](https://github.com/boke1208) +- [@jax777](https://github.com/jax777) \ No newline at end of file From 3b10450e0ca01db43ed1577eaf03eee626eb59a6 Mon Sep 17 00:00:00 2001 From: LoRexxar Date: Mon, 21 Sep 2020 16:01:22 +0800 Subject: [PATCH 6/9] update docs --- README.md | 22 ++++++++++++++++++++-- core/console.py | 5 ++++- 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 6d50d98f..166819a3 100644 --- a/README.md +++ b/README.md @@ -115,6 +115,12 @@ KunLun-M可能是市面上唯一的开源并长期维护的自动化代码审计 pip install -r requirements.txt ``` +配置文件迁移 +``` +cp Kunlun_M/settings.py.bak Kunlun_M/settings.py +``` + + 初始化数据库,默认采用sqlite作为数据库 ``` python kunlun.py init 
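Review bot: `subprocess.getstatusoutput` runs its argument through the shell exactly as `commands.getstatusoutput` did, and the command is still built by `%`-interpolating `_readline.__file__` unquoted, so a site-packages path containing a space or shell metacharacter (not unusual for per-user installs on macOS) breaks the `otool` call or is partly interpreted by `sh`. The path comes from the interpreter's own module rather than from a user, so this is robustness rather than an injection vector, but the fix is free: `(status, result) = subprocess.getstatusoutput("otool -L %s | grep libedit" % shlex.quote(_readline.__file__))` with `import shlex` beside the new `import subprocess`, or run `["otool", "-L", _readline.__file__]` through `subprocess.run` and test for `libedit` in its output in Python. Note that `subprocess.getstatusoutput` returns the exit code directly (Python 3.3.4+) whereas the old `commands` version returned a wait status; that is harmless here because only `status == 0` is tested, but a short comment saying so would stop the next reader from re-checking.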
@@ -159,7 +165,7 @@ python3 kunlun.py console | |/ / _ _ _ __ | | _ _ _ __ | . . | | \| | | | '_ \| | | | | | '_ \ _____| |\/| | | |\ \ |_| | | | | |___| |_| | | | |_____| | | | -\_| \_/\__,_|_| |_\_____/\__,_|_| |_| \_| |_/ -v2.0 beta1 +\_| \_/\__,_|_| |_\_____/\__,_|_| |_| \_| |_/ -v2.0 GitHub: https://github.com/LoRexxar/Kunlun-M @@ -178,6 +184,18 @@ Global commands: KunLun-M (root) > ``` +#### 使用KunLun-M 查看 rules 和 tampers + +[![asciicast](https://asciinema.org/a/360842.svg)](https://asciinema.org/a/360842) + +#### 使用KunLun-M 扫描漏洞 + +[![asciicast](https://asciinema.org/a/360843.svg)](https://asciinema.org/a/360843) + +#### 使用KunLun-M 查看扫描结果 + +[![asciicast](https://asciinema.org/a/360845.svg)](https://asciinema.org/a/360845) + ## 开发文档 开发文档还未更新. @@ -195,4 +213,4 @@ KunLun-M是404Team 星链机会中的一环,如果对KunLun-M有任何疑问 感谢如下贡献者对本工具发展过程中的贡献: - Knownsec 404 Team [LoRexxar](https://github.com/LoRexxar) - 北邮天枢 [Sissel](https://github.com/boke1208) -- [@jax777](https://github.com/jax777) \ No newline at end of file +- [#jax777](https://github.com/jax777) \ No newline at end of file diff --git a/core/console.py b/core/console.py index 0d14abb5..e1ca2b63 100644 --- a/core/console.py +++ b/core/console.py @@ -759,7 +759,10 @@ def check_scan_options(self): def check_scan_log_file(self): last_scantask = ScanTask.objects.all().order_by('-id').first() - logfile_name = 'ScanTask_{}'.format(last_scantask.id+1) + if last_scantask: + logfile_name = 'ScanTask_{}'.format(last_scantask.id+1) + else: + logfile_name = 'ScanTask_1' i = 1 while os.path.exists(os.path.join(LOGS_PATH, logfile_name+'.log')): From 8e90e18839ebf6bfca215297e61c2cacccfc8bf9 Mon Sep 17 00:00:00 2001 From: LoRexxar Date: Mon, 21 Sep 2020 16:09:25 +0800 Subject: [PATCH 7/9] fix db name --- Kunlun_M/settings.py.bak | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Kunlun_M/settings.py.bak b/Kunlun_M/settings.py.bak index 7e31a948..b452ba69 100644 --- a/Kunlun_M/settings.py.bak +++ b/Kunlun_M/settings.py.bak 
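Review bot: The new `if last_scantask:` branch in `check_scan_log_file` repeats the `'ScanTask_{}'` format in both arms; one expression says the same thing more directly: `next_id = last_scantask.id + 1 if last_scantask else 1` followed by `logfile_name = 'ScanTask_{}'.format(next_id)`. Either way `last_scantask.id + 1` is only a prediction of the id the upcoming task will receive — if task creation later fails or rows have been deleted, the log name and the real task id drift apart — and the `while os.path.exists(...)` loop that follows only avoids filename collisions, so a comment such as `# best-effort guess at the next task id; the loop below only avoids clobbering an existing log` would make that explicit. The rest of `check_scan_log_file` is outside the hunk.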
@@ -78,7 +78,7 @@ WSGI_APPLICATION = 'Kunlun_M.wsgi.application' DATABASES = { 'default': { 'ENGINE': 'django.db.backends.sqlite3', - 'NAME': os.path.join(BASE_DIR, 'db.sqlite3'), + 'NAME': os.path.join(BASE_DIR, 'db', 'kunlun.db'), } } From d70c9cc2acc11319f913ccac73e867e654e93154 Mon Sep 17 00:00:00 2001 From: LoRexxar Date: Mon, 21 Sep 2020 16:10:05 +0800 Subject: [PATCH 8/9] new php xss rule --- rules/php/CVI_10002.py | 53 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 rules/php/CVI_10002.py diff --git a/rules/php/CVI_10002.py b/rules/php/CVI_10002.py new file mode 100644 index 00000000..b0b37e93 --- /dev/null +++ b/rules/php/CVI_10002.py @@ -0,0 +1,53 @@ +# -*- coding: utf-8 -*- + +""" + auto rule template + ~~~~ + :author: LoRexxar + :homepage: https://github.com/LoRexxar/Kunlun-M + :license: MIT, see LICENSE for more details. + :copyright: Copyright (c) 2017 LoRexxar. All rights reserved +""" + +from utils.api import * + + +class CVI_10002(): + """ + rule class + """ + + def __init__(self): + + self.svid = 10002 + self.language = "php" + self.author = "LoRexxar" + self.vulnerability = "Reflected XSS" + self.description = "Reflected XSS" + + # status + self.status = True + + # 部分配置 + self.match_mode = "function-param-regex" + self.match = r"echo|print" + + # for solidity + self.match_name = None + self.black_list = None + + # for chrome ext + self.keyword = "is_echo_statement" + + # for regex + self.unmatch = None + + self.vul_function = None + + def main(self, regex_string): + """ + regex string input + :regex_string: regex match string + :return: + """ + pass From a8f7de2755ee6612764888dfd65322988d7e089b Mon Sep 17 00:00:00 2001 From: LoRexxar Date: Mon, 21 Sep 2020 16:13:37 +0800 Subject: [PATCH 9/9] update to beta2 --- core/__version__.py | 2 +- docs/changelog.md | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/core/__version__.py b/core/__version__.py index 57157917..450d7419 100644 
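Review bot: Pointing `NAME` at `os.path.join(BASE_DIR, 'db', 'kunlun.db')` makes the database depend on a `db/` directory that SQLite will not create on its own, so a fresh checkout fails with "unable to open database file" at first connect unless `python kunlun.py init` (or a committed `db/.gitkeep`) creates it; that is not visible from this hunk and is worth checking. Since the file holds scan findings for audited code, `db/kunlun.db` should also be git-ignored and created with restrictive permissions. A comment on the `NAME` line such as `# created by 'kunlun.py init'; keep db/ out of version control` would document both expectations.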
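Review bot: `self.match = r"echo|print"` is an unanchored alternation, so if the `function-param-regex` mode applies it with `re.search` over function names it also matches `printf`, `sprintf`, `vsprintf` and `print_r`; `sprintf`/`vsprintf` return a string rather than emit it, which would make this XSS rule fire on non-sinks. How the engine applies `match` is not visible here — if it full-matches this is moot — but `r"^(echo|print)$"` (or `r"\b(echo|print)\b"` alongside the `is_echo_statement` keyword) is safe either way. With `unmatch = None` and `main` left as `pass`, nothing in the rule names the encoders (`htmlspecialchars`, `htmlentities`, `strip_tags`) that should keep an echo from being reported, so either the tamper mechanism is expected to cover that or every echo of tainted data is a finding; a one-line docstring stating which is intended would save the next reader a trip into the engine.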
--- a/core/__version__.py +++ b/core/__version__.py @@ -7,7 +7,7 @@ __issue_page__ = 'https://github.com/LoRexxar/Kunlun-M/issues/new' __python_version__ = sys.version.split()[0] __platform__ = platform.platform() -__version__ = '2.0 beta1' +__version__ = '2.0 beta2' __author__ = 'LoRexxar' __author_email__ = 'LoRexxar@gmail.com' __license__ = 'MIT License' diff --git a/docs/changelog.md b/docs/changelog.md index 34729209..84c4f1e8 100644 --- a/docs/changelog.md +++ b/docs/changelog.md @@ -188,4 +188,9 @@ - 公开了js相关的多个rules - 再次完善了php的相关语法 #75 - **添加了console模式,更方便的使用以及扫描.** #73 - \ No newline at end of file +- 2020-09-21 + - KunLun-M 2.0.0 beta2 + - 更新了部分PHP的rule和1个Solidity rule样例 + - 更新了部分模板tamper + - 修复了一个mac下的bug + - 添加了演示视频在文档中 \ No newline at end of file