In the previous article, part of the syntax-flow syntax and some basic usage were already introduced, such as `#->`, `#>` and `-->`; some usage of `config` was also covered in earlier posts on this public account.
A filter can start with `.`, with a specified variable name, or with a specified nativeCall, and constant search is supported:

```
filterItemFirst
    : constSearchPrefix? (QuotedStringLiteral | hereDoc)   # ConstFilter
    | nameFilter                                             # NamedFilter
    | '.' lines? nameFilter                                  # FieldCallFilter
    | nativeCall                                             # NativeCallFilter
    ;
...
filterItem
    : filterItemFirst                                        # First
    | '...' lines? nameFilter                                # DeepChainFilter
    | '(' lines? actualParam? ')'                            # FunctionCallFilter
    | '[' sliceCallItem ']'                                  # FieldIndexFilter
    | '?{' conditionExpression '}'                           # OptionalFilter
    | '->'                                                   # NextFilter
    | '#>'                                                   # DefFilter
    | '-->'                                                  # DeepNextFilter
    | '-{' (config)? '}->'                                   # DeepNextConfigFilter
    | '#->'                                                  # TopDefFilter
    | '#{' (config)? '}->'                                   # TopDefConfigFilter
    | '+' refVariable                                        # MergeRefFilter
    | '-' refVariable                                        # RemoveRefFilter
    | '&' refVariable                                        # IntersectionRefFilter
    ;
...
```
In syntax-flow we learned that `#->` searches for top-level definitions. Building on that, we can extend sideways: while evaluating, we may need to match functions, fields and similar things. Filter conditions:
```
conditionExpression
    : '(' conditionExpression ')'                                # ParenCondition
    | filterExpr                                                 # FilterCondition            // filter dot(.) member and fields
    | Opcode ':' opcodesCondition (',' opcodesCondition)* ','?   # OpcodeTypeCondition        // something like .(call, phi)
    | Have ':' stringLiteralWithoutStarGroup                     # StringContainHaveCondition // something like .(have: 'a', 'b')
    | HaveAny ':' stringLiteralWithoutStarGroup                  # StringContainAnyCondition  // something like .(have: 'a', 'b')
    | negativeCondition conditionExpression                      # NotCondition
    | op = ('>' | '<' | '=' | '==' | '>=' | '<=' | '!=') (numberLiteral | identifier | boolLiteral)   # FilterExpressionCompare
    | op = ('=~' | '!~') (stringLiteral | regexpLiteral)         # FilterExpressionRegexpMatch
    | conditionExpression '&&' conditionExpression               # FilterExpressionAnd
    | conditionExpression '||' conditionExpression               # FilterExpressionOr
    ;
```
Filtering is done with `?{}`:

- `have`: the value must contain all of the listed items, separated by commas, e.g. `?{have: a,b}`
- `any`: the value must contain at least one of the items, e.g. `?{any: a,b}`
- `opcode`: filter by instruction type, such as `call` or `const`, e.g. `?{opcode: call}`
- `!`: negate a filter condition
- multiple conditions can be combined, e.g. `?{opcode: call && have: filter}`
Case 1:

```php
$b = new A();
$a = $b->autoload()->bb($dd);
$c = $b->cc($dd);
//sf
.autoload?{<getObject>?{have: b}} as $vuln
```
Intersection operator `&`:

Intersection is expressed with the `&` syntax. Case 2 looks for the point where the top-level definition search of the `exec` argument intersects with the `$_GET` superglobal. Case 2:

```php
$a = $_GET[1];
$b = str_replace($a);
$c = handler($b);
exec($c);
//
_GET.* as $param;
exec(* #{until: `* & $param`}-> as $sink)
```
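As an added example (not from the original post), the following rule reuses the Case 2 PHP code above and combines the `&` intersection search with a `?{}` filter over the values collected by `hook`, so that it reports both the point where the `exec` argument meets `$_GET` and the filtering call (`handler` in Case 2) that sits on the path between them. It assumes that statements can be chained with `;`, that `hook` collects every value visited during the walk (as the page's getCaller example states), and that `?{}` may follow a variable reference the way `$info<getCaller>` does.

```syntaxflow
// Added example rule for the Case 2 PHP snippet above (not from the original post).
// 1. every member of the $_GET superglobal is a taint source
_GET.* as $source;
// 2. walk from each exec argument back toward its top-level definition and
//    stop where the walk intersects a source; that meeting point is the sink
exec(* #{until: `* & $source`}-> as $sink);
// 3. collect every value visited on the way up (assumed to behave like the
//    hook example on this page, which stores all visited values)
exec(* #{hook: `* as $path`}->);
// 4. from the visited values keep only calls whose name contains "handler",
//    i.e. the filtering function placed between the input and exec
$path?{opcode: call && have: handler} as $filter;
```

If `$filter` is empty while `$sink` is not, the input reaches `exec` without passing through `handler`; that distinction is what the extra filter step adds over Case 2 alone.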
Constant search:

Constant search works with strings and heredocs. It suits hard-coded content in code that you want to match quickly, such as IP addresses, passwords and other common items. Three matching modes are supported, `r`, `g` and `e`, for regex matching, wildcard (glob) matching and exact matching respectively. Case 3:
```
r"^((0|[1-9]\d?|1\d\d|2[0-4]\d|25[0-5])\.){3}(0|[1-9]\d?|1\d\d|2[0-4]\d|25[0-5])$"
```

or

```
r<<<CODE
^((0|[1-9]\d?|1\d\d|2[0-4]\d|25[0-5])\.){3}(0|[1-9]\d?|1\d\d|2[0-4]\d|25[0-5])$
CODE
```
Commonly used nativeCalls in detail:

syntax-flow also ships a number of "built-in methods". Here is a brief introduction to a few nativeCalls that make writing syntax-flow easier. General:

`<getCaller>`: from a set of values, get those that are function calls.
```php
<?php
$b = $_GET['a'];
if ($c) {
    $b = filter($b);
}
eval($b);
/*
// This hooks the eval argument: every value met while walking up to the
// top-level definition is stored in $info
eval(* #{hook: `* as $info`}->)
// Then every value in $info that is a call is stored in $param
$info<getCaller> as $param
*/
```
`<name>`: get the name.

`<slice>`: get the variables from the N-th position onwards (0-based); commonly used on function calls to pick out parameters.

```
f(*<slice(start=1)> as $query) // get the second parameter and everything after it
```

`<getObject>`

`<getObject>` widens the "room to operate": starting from every sink point, one can work backwards to the object (obj) and check whether it is a particular class.

```php
class A {
    public $a;
    public $b;
    public function getA() {
        return $this->a;
    }
}
$a = new A();
eval($a->a);
//
.a<getObject><name>?{have: A} as $param
```
<getMembers>
<fullTypeName>
The above covers writing the rule part, but a rule actually has several more sections, such as `desc`, `alert` and `check`. These will be explained in detail once importing custom rules is opened up.

Official YAK resources
Official Yak language tutorial:
https://yaklang.com/docs/intro/
Yakit video tutorials:
https://space.bilibili.com/437503777
GitHub download:
https://github.com/yaklang/yakit
https://github.com/yaklang/yaklang
Yakit official website download:
https://yaklang.com/
Yakit installation documentation:
https://yaklang.com/products/download_and_install
Yakit usage documentation:
https://yaklang.com/products/intro/
FAQ:
https://yaklang.com/products/FAQ