闭源系统半自动漏洞挖掘工具，针对 jar/war/zip 进行静态代码分析，LLM 根据上下文代码环境判断该路径的可信分数

免责声明

由于传播、利用本公众号夜组安全所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，公众号夜组安全及作者不为此承担任何责任，一旦造成后果请自行承担！如有侵权烦请告知，我们会立即删除并致歉。谢谢！所有工具安全性自测！！！VX：baobeiaini_ya

朋友们现在只对常读和星标的公众号才展示大图推送，建议大家把夜组安全“设为星标”，否则可能就看不到了啦！

工具介绍

闭源系统半自动漏洞挖掘工具，针对 jar/war/zip 进行静态代码分析，增加 LLM 大模型能力验证路径可达性，LLM 根据上下文代码环境判断该路径的可信分数。

运行说明

       _         _      __  _             _                   (_)       | |    / _|(_)           | |              ___  _  _ __  | | __| |_  _  _ __    __| |  ___  _ __  / __|| || '_  | |/ /|  _|| || '_   / _` | / _ | '__| __ | || | | ||   < | |  | || | | || (_| ||  __/| |    |___/|_||_| |_||_|_|_|  |_||_| |_| __,_| ___||_|                                                2.0@medi0cr1tyusage: SinkFinder -cb,--class_exclusions <arg>         自定义class_exclusions规则，类黑名单 -ci,--class_inclusions <arg>         自定义class_inclusions规则，类白名单 -d,--depth <3>                       指定递归查找深度 -h,--help                            帮助 -jb,--jar_exclusions <arg>           自定义jar_exclusions规则，jar包黑名单 -ji,--jar_inclusions <arg>           自定义jar_inclusions规则，jar包白名单 -l,--llm                             启用通义大模型能力 -lk,--llm_key <arg>                  配置通义大模型 API KEY（sk-xxx） -p,--path <arg>                      指定目标分析路径，支持多个以,分隔 -r,--rule <rules.json>               指定Sink                                      JSON规则路径，初始化默认resources/rules.json -s,--sink <arg>                      自定义sink规则，可添加多个以,分隔 -scb,--sink_category_block <arg>     禁用sink规则类别 -sci,--sink_category_include <arg>   配置sink规则类别

规则说明

符号 "*" 仅可用于 *_inclusions 相关的，表示允许所有。规则的白名单优先级高于黑名单。

rules.json 文件 Sink 方法名支持正则配置。但注意：不支持"()"符号，因为与方法参数支持的()冲突。

{    "depth": 3,  // 遍历深度    "dashscope_api_key": "",  // 通义API_KEY配置 [sk-xxx]    "path_exclusions": ["AndroidSDK",".idea","resources","java\bin","META-INF"], // 文件路径黑名单，如设置为"test"，test/111.jar将不会被检索    "jar_name_inclusions": ["*"], // jar文件名白名单，如设置为"test"，将仅检索包含test字符的jar包    "jar_name_exclusions": ["SinkFinder","spring-","logback","lombok","META-INF","log4j","slf4j","tomcat-","mysql-connector-java","antlr-","commons-","dubbo-","jetty-","groovy-","netty-","collections-","jboss-","rxjava-","mybatis-","guava-","test","ehcache-","batik-"], // jar文件名黑名单    "class_inclusions": ["*"], // 类白名单，如设置为"test"，com.test将进行检索    "class_exclusions": ["logback","lombok"], // 类黑名单，如设置为"test"，com.test将无法检索    "sink_rules": [        {        "sink_name": "RCE",        "sink_desc": "任意代码执行漏洞",        "severity_level": "High",        "sinks": ["java.lang.Runtime:exec","java.lang.ProcessBuilder:<init>|start","javax.script.ScriptEngine:eval",           "javax.swing.plaf.synth.SynthLookAndFeel:load","com.googlecode.aviator.AviatorEvaluator:execute",           "org.mozilla.javascript.Context:evaluateString|evaluateReader","groovy.lang.GroovyShell:evaluate",           "org.springframework.scripting.bsh.BshScriptEvaluator:evaluate", "io.kubernetes.client.util.KubeConfig:loadKubeConfig",           "cn.hutool.core.util.RuntimeUtil:exec.*","cn.hutool.cron.CronUtil:schedule",           "cn.hutool.extra.expression.ExpressionUtil:eval","cn.hutool.script.ScriptUtil:eval|evalInvocable",           "cn.hutool.script.FullSupportScriptEngine:eval","cn.hutool.script.JavaScriptEngine:eval"]        }, {        "sink_name": "UNSERIALIZE",        "sink_desc": "反序列化漏洞",        "severity_level": "High",        "sinks": ["java.io.ObjectInputStream:readObject|readUnshared", "org.yaml.snakeyaml.Yaml:load","java.beans.XMLDecoder:readObject",           "org.apache.xmlrpc.parser.XmlRpcRequestParser:startElement|endElement","com.thoughtworks.xstream.XStream:fromXML",           "com.mysql.cj.jdbc.result.ResultSetImpl:getObject", "java.sql.DriverManager:getConnection","java.sql.Driver:connect"]        }, {        "sink_name": "XSLT",        "sink_desc": "XSLT注入漏洞",        "severity_level": "High",        "sinks": ["org.apache.xml.security.transforms.Transforms:performTransforms"]        }, {        "sink_name": "FILE",        "sink_desc": "任意文件读取/写入漏洞",        "severity_level": "High",        "sinks": ["org.springframework.web.multipart.MultipartFile:transferTo","org.springframework.util.FileCopyUtils:copy",           "org.apache.tomcat.util.http.fileupload.disk.DiskFileItem:write","cn.hutool.extra.ssh.Sftp:upload",           "org.apache.commons.io.FileUtils:read[A-Z].*|write.*|copy.*|delete.*|forceDelete.*|listFiles.*|move.*",            "cn.hutool.core.io.FileUtil:read[A-Z].*|write[A-Z].*|append[A-Z].*","javax.servlet.http.Part:write",           "org.apache.commons.io.filefilter.FileFilterUtils:filter.*", "org.apache.commons.io.output.DeferredFileOutputStream:writeTo",           "org.apache.commons.io.IOUtils:copy.*","java.io.FileOutputStream:write.*", "java.nio.file.Files:write.*|copy|move|createFile"]        }, {        "sink_name": "JNDI",        "sink_desc": "JNDI注入漏洞",        "severity_level": "High",        "sinks": ["javax.naming.InitialContext:doLookup|lookup"]        }, {        "sink_name": "AuthBypass",        "sink_desc": "身份认证绕过风险",        "severity_level": "High",        "sinks": ["javax.servlet.http.HttpServletRequest:getRequestURI|getRequestURL"]        }, {        "sink_name": "SSTI",        "sink_desc": "模版注入漏洞",        "severity_level": "High",        "sinks": ["org.apache.velocity.app.Velocity:evaluate","freemarker.cache.StringTemplateLoader:putTemplate",           "org.thymeleaf.TemplateEngine:process"]        }, {        "sink_name": "SPEL",        "sink_desc": "表达式执行漏洞",        "severity_level": "High",        "sinks": ["org.springframework.expression.spel.standard.SpelExpression:getValue", "ognl.Ognl:getValue",           "org.mvel2.MVEL:eval", "org.mvel.MVEL:eval"]        }, {        "sink_name": "ZIPSLIP",        "sink_desc": "ZIP目录穿越漏洞",        "severity_level": "High",        "sinks": ["java.util.zip.ZipInputStream:close"]        }, {        "sink_name": "DynamicInvoke",        "sink_desc": "动态调用风险",        "severity_level": "High",        "sinks": ["java.lang.reflect.Constructor:newInstance","java.lang.reflect.Method:invoke",           "org.codehaus.groovy.runtime.MethodClosure:doCall|call"]        }, {        "sink_name": "XXE",        "sink_desc": "外部实体注入漏洞",        "severity_level": "Medium",        "sinks": ["javax.xml.parsers.DocumentBuilder:parse","javax.xml.parsers.SAXParser:parse",           "com.sun.org.apache.xerces.internal.parsers.DOMParser:parse","org.dom4j.io.SAXReader:read",           "org.xml.sax.XMLReader:parse","org.jdom2.input.SAXBuilder:build",           "org.apache.commons.digester3.Digester:parse","org.dom4j.DocumentHelper:parseText",           "org.apache.poi.xssf.usermodel.XSSFWorkbook:<init>"]        }, {        "sink_name": "SSRF",        "sink_desc": "服务端请求伪造漏洞",        "severity_level": "Medium",        "sinks": ["java.net.URL:openConnection|openStream","org.springframework.web.client.RestTemplate:exchange|execute|getFor.*|postFor.*",           "org.apache.http.client.fluent.Request:Get","javax.imageio.ImageIO:read(Ljava/net/URL;)",           "com.squareup.okhttp.OkHttpClient:newCall","org.apache.http.impl.client.CloseableHttpClient:execute",           "org.jsoup.Jsoup:connect","org.apache.commons.io.IOUtils:toByteArray",           "org.apache.http.client.HttpClient:execute","org.apache.commons.io.FileUtils:copyURLToFile",           "cn.hutool.http.HttpUtil:createGet|createPost|get|post|download.*"]        }, {        "sink_name": "Fastjson",        "sink_desc": "Fastjson反序列化漏洞",        "severity_level": "Medium",        "sinks": ["com.alibaba.fastjson.JSON:parseObject|parse"]      }    ]}