
When dealing with PHP variable declaration, the .= format is not recognized correctly. #199

Closed
mark0smith opened this issue Oct 23, 2021 · 1 comment

Comments

@mark0smith (Contributor)

System and Python Environment

| Item | Tooltip | Value |
|---|---|---|
| System | uname -a | Linux kali 5.10.0-kali9-amd64 #1 SMP Debian 5.10.46-4kali1 (2021-08-09) x86_64 GNU/Linux |
| Python | python -V | Python 3.9.7 |
| Cobra | python kunlun.py | v2.6.3 |

Description

When dealing with PHP variable declaration, the .= format is not recognized correctly.

Steps to Reproduce

Example vulnerable code:

```php
<?php
$cmd = "/usr/local/1.php";
$cmd .= " " . $_GET ["pass"];
exec ( $cmd . "  > /dev/null &" );
?>
```

Expected behavior: Function-param-controllable

Actual behavior:

```text
[01:50:38] [!] Start scan [CVI-1011]
 [01:50:38] [ENGINE] [ORIGIN] match-mode function-param-regex
 [01:50:38] [CVI-1011] [ORIGIN] /tmp/test.php: 4: exec ( $cmd . "  > /dev/null &" )
 [01:50:38] [CVI-1011] [VERIFY-VULNERABILITY] (0)
        > File: `/tmp/test.php:4`
        > Code: `exec ( $cmd . "  > /dev/null &" )`
 [01:50:38] [CVI-1011] match-mode function-param-regex
 [01:50:38] [AST] [LANGUAGE] php
 [01:50:38] [RULE_MATCH] ['system', 'passthru', 'exec', 'pcntl_exec', 'shell_exec', 'popen', 'proc_open', 'ob_start', 'expect_popen', 'mb_send_mail', 'w32api_register_function', 'w32api_invoke_function', 'ssh2_exec']
 [01:50:38] [AST] vul_function:exec
 [01:50:38] [AST] AST to find param Variable('$cmd')
 [01:50:38] [AST] Find $cmd=/usr/local/1.php in line 0, start ast for param /usr/local/1.php
 [01:50:38] [AST] [RET] []
 [01:50:38] [AST] Parser failed / vulnerability parameter is not controllable []
 [01:50:38] Not vulnerability: Can't parser
 [01:50:38] [CVI-1011] RCE Vulnerabilities: 0
```
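As an added illustration of the miss described in this report (example code, not KunLun-M's own implementation), a minimal backward taint resolver over a one-statement-per-line PHP subset: with `handle_concat=False` it stops at the `$cmd = "/usr/local/1.php"` assignment and ignores the `.=` line, exactly as the log above shows; with the default it follows both `=` and `.=` back to `$_GET`. The sink list, regexes and sample program are constructed for this example.

```python
import re
# Constructed sample mirroring the reproduction case in the report.
SAMPLE = '''<?php
$cmd = "/usr/local/1.php";
$cmd .= " " . $_GET ["pass"];
exec ( $cmd . "  > /dev/null &" );
?>'''
SINKS = ("system", "passthru", "exec", "shell_exec", "popen", "proc_open")
TAINT_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_SERVER")
# One statement per line, "$name = rhs;" or "$name .= rhs;" (simplified PHP subset)
ASSIGN_RE = re.compile(r'^\s*\$(\w+)\s*(\.?=)\s*(.+?);\s*$')
VAR_RE = re.compile(r'\$(\w+)')

def find_sink_calls(src):
    """Yield (line_no, sink_name, argument_text) for every sink call."""
    for no, line in enumerate(src.splitlines(), 1):
        for sink in SINKS:
            m = re.search(r'\b' + sink + r'\s*\((.*)\)\s*;', line)
            if m:
                yield no, sink, m.group(1)

def resolve_variable(src, name, before_line, handle_concat=True):
    """True if $name, as seen at before_line, can carry data from a taint source.
    handle_concat=False ignores '.=' lines and reproduces the reported bug."""
    lines = src.splitlines()
    for no in range(before_line - 1, 0, -1):  # walk upward, newest assignment first
        m = ASSIGN_RE.match(lines[no - 1])
        if not m or m.group(1) != name:
            continue
        op, rhs = m.group(2), m.group(3)
        if op == ".=" and not handle_concat:
            continue  # the concat-assignment is silently skipped
        if any(s in rhs for s in TAINT_SOURCES):
            return True
        for dep in VAR_RE.findall(rhs):  # follow other variables the RHS reads
            if not dep.startswith("_") and resolve_variable(src, dep, no, handle_concat):
                return True
        if op == "=":
            break  # a plain assignment overwrites anything assigned earlier
    return False

def controllable_sinks(src, handle_concat=True):
    hits = []  # [(line_no, sink)] whose argument is reachable from a taint source
    for no, sink, arg in find_sink_calls(src):
        names = [v for v in VAR_RE.findall(arg) if not v.startswith("_")]
        if any(s in arg for s in TAINT_SOURCES) or any(
                resolve_variable(src, v, no, handle_concat) for v in names):
            hits.append((no, sink))
    return hits
```

`controllable_sinks(SAMPLE)` reports line 4, while `controllable_sinks(SAMPLE, handle_concat=False)` reports nothing, matching the "Not vulnerability" verdict in the log.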
@LoRexxar (Owner)

I've added support for this syntax for now, but this part of the semantic analysis actually has a lot of special syntax that isn't supported and isn't easy to handle. I had originally planned to refactor it into forward analysis, but the time cost feels a bit high, so I'm not going to do it for the time being.
