
现有利用链覆盖

wh1t3P1g edited this page Apr 25, 2021 · 5 revisions

Commons-Collections

暂未覆盖 cc1、cc3，因为它们用到了代理模式，这部分 tabby 还未覆盖。

//cc2
// Entry: PriorityQueue.readObject -> heapify -> (m3) -> siftDownUsingComparator -> (m5)
//  -[ALIAS*]- TransformingComparator.compare -> (m7) -[ALIAS*]- (m8) -> m9 where IS_SINK is true.
// m3, m5 and m7 carry no label or property constraint and both ALIAS hops are unbounded (*).
// Same path shape as cc4 below, which pins the last node to NAME "newInstance" instead of IS_SINK.
match (m1:Method {SIGNATURE:"<java.util.PriorityQueue: void readObject(java.io.ObjectInputStream)>"})-[:CALL ]->(m2:Method {NAME:"heapify"})-[:CALL ]->(m3)-[:CALL]->(m4:Method {NAME:"siftDownUsingComparator"})-[:CALL]->(m5)-[:ALIAS*]-(m6 {SIGNATURE:"<org.apache.commons.collections.comparators.TransformingComparator: int compare(java.lang.Object,java.lang.Object)>"})-[:CALL]->(m7)-[:ALIAS*]-(m8:Method)-[:CALL]->(m9:Method {IS_SINK:true}) return *
//cc4
// Same call/alias chain as cc2 (PriorityQueue.readObject ... TransformingComparator.compare ...),
// but the final node is matched by NAME "newInstance" rather than by the IS_SINK flag, so it does
// not depend on the sink labelling of the analysed graph.
match (m1:Method {SIGNATURE:"<java.util.PriorityQueue: void readObject(java.io.ObjectInputStream)>"})-[:CALL ]->(m2:Method {NAME:"heapify"})-[:CALL ]->(m3)-[:CALL ]->(m4:Method {NAME:"siftDownUsingComparator"})-[:CALL ]->(m5)-[:ALIAS*]-(m6 {SIGNATURE:"<org.apache.commons.collections.comparators.TransformingComparator: int compare(java.lang.Object,java.lang.Object)>"})-[:CALL ]->(m7)-[:ALIAS*]-(m8:Method)-[:CALL ]->(m9:Method {NAME:"newInstance"}) return *
// cc5
// Entry: BadAttributeValueExpException.readObject -> toString -[ALIAS*]- TiedMapEntry.toString
//  -> getValue -> get -[ALIAS*1..2]- get -> transform -[ALIAS*]- (m8) -> m9 where IS_SINK is true.
// Unlike cc2/cc4 the whole pattern is bound to `path` and only that path is returned.
match path=(m1:Method {SIGNATURE:"<javax.management.BadAttributeValueExpException: void readObject(java.io.ObjectInputStream)>"})-[:CALL]->(m2:Method {NAME:"toString"})-[:ALIAS*]-(m3:Method {SIGNATURE:"<org.apache.commons.collections.keyvalue.TiedMapEntry: java.lang.String toString()>"})-[:CALL]->(m4:Method {NAME:"getValue"})-[:CALL]->(m5:Method {NAME:"get"})-[:ALIAS*1..2]-(m6:Method {NAME:"get"})-[:CALL]->(m7:Method {NAME:"transform"})-[:ALIAS*]-(m8:Method)-[:CALL]->(m9:Method {IS_SINK:true}) return path

cc6 && cc10

//cc10
// Sources: methods called directly from HashSet.readObject, excluding the three ObjectInputStream
// reads (defaultReadObject, readFloat, readObject). Sink: an IS_SINK method named "invoke" that is
// called from a "transform" method. APOC then enumerates simple paths of at most 10 hops from the
// transform method (m1) to the HashSet callee (m2) under the "<CALL|ALIAS" relationship filter.
// Only the first 20 rows are returned.
MATCH (source:Method {SIGNATURE:"<java.util.HashSet: void readObject(java.io.ObjectInputStream)>"})-[:CALL]->(m2:Method)
WHERE NOT m2.NAME IN ["defaultReadObject", "readFloat", "readObject"]
MATCH (sink:Method {IS_SINK:true, NAME:"invoke"})<-[:CALL]-(m1:Method {NAME:"transform"})
CALL apoc.algo.allSimplePaths(m1, m2, "<CALL|ALIAS", 10) YIELD path
RETURN * LIMIT 20
//cc7
// Entry: Hashtable.readObject -> reconstitutionPut -> equals -[ALIAS*..2]- (m4) -> get
//  -[ALIAS*1..2]- get -> transform -[ALIAS*]- (m8) -> m9 where IS_SINK is true; returns the bound path.
// Shares the Hashtable.readObject / reconstitutionPut prefix with cc9, which goes through hashCode
// instead of equals.
match path=(m1:Method {SIGNATURE:"<java.util.Hashtable: void readObject(java.io.ObjectInputStream)>"})-[:CALL ]->(m2:Method {NAME:"reconstitutionPut"})-[:CALL ]->(m3:Method {NAME:"equals"})-[:ALIAS*..2]-(m4:Method)-[:CALL ]->(m5:Method {NAME:"get"})-[:ALIAS*1..2]-(m6:Method {NAME:"get"})-[:CALL]->(m7:Method {NAME:"transform"})-[:ALIAS*]-(m8:Method)-[:CALL]->(m9:Method {IS_SINK:true})  return path
//cc8
// Entry: collections4 TreeBag.readObject -> doReadObject -> put -[ALIAS*1..4]- (m4) -> compare -> (m6)
//  -[ALIAS*]- collections4 TransformingComparator.compare -> (m8) -[ALIAS*]- (m9) -[CALL*..5]-> m10
//  where IS_SINK is true.
// The only chain in the Commons-Collections section that allows a variable-length CALL hop (*..5)
// before the sink; the other queries here require the sink to be a direct callee.
match path=(m1:Method {SIGNATURE:"<org.apache.commons.collections4.bag.TreeBag: void readObject(java.io.ObjectInputStream)>"})-[:CALL ]->(m2:Method {NAME:"doReadObject"})-[:CALL ]->(m3:Method {NAME:"put"})-[:ALIAS*1..4]-(m4:Method)-[:CALL ]->(m5:Method {NAME:"compare"})-[:CALL ]->(m6:Method)-[:ALIAS*]-(m7:Method {SIGNATURE:"<org.apache.commons.collections4.comparators.TransformingComparator: int compare(java.lang.Object,java.lang.Object)>"})-[:CALL ]->(m8)-[:ALIAS*]-(m9:Method)-[:CALL*..5 ]->(m10:Method {IS_SINK:true}) return path
//cc9
// Entry: Hashtable.readObject -> reconstitutionPut -> hashCode -[ALIAS*]- TiedMapEntry.hashCode
//  -> getValue -> get -[ALIAS*1..2]- get -> transform -[ALIAS*]- (m9) -> m10 where IS_SINK is true.
// Same TiedMapEntry -> getValue -> get -> transform tail as cc5; differs in the readObject entry
// and in reaching TiedMapEntry through hashCode rather than toString.
match path=(m1:Method {SIGNATURE:"<java.util.Hashtable: void readObject(java.io.ObjectInputStream)>"})-[:CALL]->(m2:Method {NAME:"reconstitutionPut"})-[:CALL]->(m3:Method {NAME:"hashCode"})-[:ALIAS*]-(m4:Method {SIGNATURE:"<org.apache.commons.collections.keyvalue.TiedMapEntry: int hashCode()>"})-[:CALL]->(m5:Method {NAME:"getValue"})-[:CALL]->(m6:Method {NAME:"get"})-[:ALIAS*1..2]-(m7:Method {NAME:"get"})-[:CALL]->(m8:Method {NAME:"transform"})-[:ALIAS*]-(m9:Method)-[:CALL]->(m10:Method {IS_SINK:true}) return path

JDK相关利用链

JdbcRowSetImpl

//jdbcrowsetimpl
// Any method whose NAME starts with "set" that reaches an IS_SINK method named "lookup" within
// at most 5 CALL hops; one row per matching path. There is no class constraint on m1, so the
// result is not limited to JdbcRowSetImpl setters.
MATCH path = (m1:Method)-[:CALL*..5]->(m2:Method {IS_SINK:true, NAME:"lookup"})
WHERE m1.NAME =~ "set.*"
RETURN path

LdapAttribute

//LdapAttribute
// Sources: parameterless methods named "get.*" that have IS_SERIALIZABLE true or IS_STATIC true.
// Sink: any method named "lookup" — note this one is not restricted to IS_SINK, unlike the
// jdbcrowsetimpl query above, so non-sink lookup methods also anchor paths here.
// Simple paths of at most 3 hops from sink to source under the "<CALL|ALIAS" filter; first 20 rows.
MATCH (source:Method {HAS_PARAMETERS:false})
WHERE source.NAME =~ "get.*"
  AND (source.IS_SERIALIZABLE = true OR source.IS_STATIC = true)
MATCH (sink:Method {NAME:"lookup"})
CALL apoc.algo.allSimplePaths(sink, source, "<CALL|ALIAS", 3) YIELD path
RETURN path LIMIT 20

URLDNS jdk8

// URLDNS jdk 8
// Generic two-hop shape: any method named "readObject" that calls a method named "hash", which in
// turn calls a "hashCode". Neither hop carries a class or signature constraint, so this may also
// match readObject/hash pairs unrelated to URL handling; review the returned paths accordingly.
MATCH path = (source:Method {NAME:"readObject"})-[:CALL]->(m1:Method {NAME:"hash"})-[:CALL]->(m2:Method {NAME:"hashCode"})
RETURN path

XStream

ImageIO filter

//xstream 2020-1
// Anchors a fixed reverse chain from an IS_SINK "invoke":
//   invoke <- filter -(ALIAS)- m2 <- advance <- next -(ALIAS)- m5 <- nextElement -(ALIAS)- m7 <- nextStream
// and then asks APOC for simple paths of at most 12 hops from that nextStream method (m8) to any
// method named "hashCode". Only the first 20 rows are returned.
MATCH (from:Method {IS_SINK:true, NAME:"invoke"})<-[:CALL]-(m1:Method {NAME:"filter"})-[:ALIAS]-(m2:Method)<-[:CALL]-(m3:Method {NAME:"advance"})<-[:CALL]-(m4:Method {NAME:"next"})-[:ALIAS]-(m5:Method)<-[:CALL]-(m6:Method {NAME:"nextElement"})-[:ALIAS]-(m7:Method)<-[:CALL]-(m8:Method {NAME:"nextStream"})
MATCH (to:Method {NAME:"hashCode"})
CALL apoc.algo.allSimplePaths(m8, to, "<CALL|ALIAS", 12) YIELD path
RETURN * LIMIT 20

CVE-2021-21346

//xstream 2021-1
// Source side: Rdn$RdnEntry.compareTo -> equals -[ALIAS*..3]- a method on XString (m3).
// Sink side: an IS_SINK "invoke" called from SwingLazyValue.createValue (m1).
// APOC joins the two ends with simple paths of at most 12 hops from m1 to m3; first 20 rows.
MATCH (source:Method {NAME:"compareTo", CLASSNAME:"javax.naming.ldap.Rdn$RdnEntry"})-[:CALL]->(m2:Method {NAME:"equals"})-[:ALIAS*..3]-(m3:Method {CLASSNAME:"com.sun.org.apache.xpath.internal.objects.XString"})
MATCH (sink:Method {IS_SINK:true, NAME:"invoke"})<-[:CALL]-(m1:Method {CLASSNAME:"sun.swing.SwingLazyValue", NAME:"createValue"})
CALL apoc.algo.allSimplePaths(m1, m3, "<CALL|ALIAS", 12) YIELD path
RETURN * LIMIT 20

CVE-2021-21351

//xstream 2021-2
// Source: Rdn$RdnEntry.compareTo itself, with no further hops pinned.
// Sink: an IS_SINK "invoke" called from IncrementalSAXSource_Xerces.parseSome (m1).
// Simple paths of at most 12 hops from m1 back to the source; only the path column, first 20 rows.
MATCH (source:Method {NAME:"compareTo", CLASSNAME:"javax.naming.ldap.Rdn$RdnEntry"})
MATCH (sink:Method {IS_SINK:true, NAME:"invoke"})<-[:CALL]-(m1:Method {CLASSNAME:"com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces", NAME:"parseSome"})
CALL apoc.algo.allSimplePaths(m1, source, "<CALL|ALIAS", 12) YIELD path
RETURN path LIMIT 20

CVE-2021-21345

//xstream cve-2021-21345
// Fully pinned 22-node chain: DataTransferer$IndexOrderComparator.compare -> compareIndices -> get,
//  then through ws.client.ResponseContext, XMLMessage$XMLMultiPart, JAXBAttachment, BridgeWrapper.marshal,
//  BridgeImpl, ClassBeanInfoImpl and Accessor$GetterSetterReflection to m22 (NAME "invoke", IS_SINK true).
// Every ALIAS hop is bounded (single hop or *..3) and every node is matched by exact NAME/CLASSNAME/
// SIGNATURE, so if any intermediate method in the analysed JDK build does not carry these exact
// names the query returns no rows rather than a partial path.
match path=(source:Method {NAME:"compare",CLASSNAME:"sun.awt.datatransfer.DataTransferer$IndexOrderComparator"})-[:CALL]->(m1:Method {NAME:"compareIndices"})-[:CALL]->(m2:Method {NAME:"get"})-[:ALIAS*..3]-(m3:Method {CLASSNAME:"com.sun.xml.internal.ws.client.ResponseContext"})-[:CALL]->(m4:Method {NAME:"getAttachments"})-[:ALIAS*..3]-(m5:Method {CLASSNAME:"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart"})-[:CALL]->(m6:Method {NAME:"getMessage"})-[:CALL]->(m7:Method {NAME:"getInputStream"})-[:ALIAS*..3]-(m8:Method {CLASSNAME:"com.sun.xml.internal.ws.message.JAXBAttachment"})-[:CALL]->(m9:Method {NAME:"asInputStream"})-[:CALL]->(m10:Method {NAME:"writeTo"})-[:CALL]->(m11:Method {NAME:"marshal"})-[:ALIAS*..3]-(m12:Method {SIGNATURE:"<com.sun.xml.internal.ws.db.glassfish.BridgeWrapper: void marshal(java.lang.Object,java.io.OutputStream,javax.xml.namespace.NamespaceContext,javax.xml.bind.attachment.AttachmentMarshaller)>"})-[:CALL]->(m13:Method {NAME:"marshal"})-[:CALL]->(m14:Method {NAME:"marshal"})-[:ALIAS*..3]-(m15:Method {CLASSNAME:"com.sun.xml.internal.bind.v2.runtime.BridgeImpl"})-[:CALL]->(m16:Method {NAME:"write"})-[:CALL]->(m17:Method {NAME:"childAsXsiType"})-[:CALL]->(m18:Method {NAME:"serializeURIs"})-[:ALIAS]-(m19:Method {CLASSNAME:"com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl"})-[:CALL]->(m20:Method {NAME:"get"})-[:ALIAS]-(m21:Method {CLASSNAME:"com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection"})-[:CALL]->(m22:Method {IS_SINK:true, NAME:"invoke"}) return path

CVE-2021-21350

// CVE-2021-21350
// Sources: any method named hashCode, compare or compareTo (no class constraint).
// Sink: an IS_SINK "loadClass" called from JavacProcessingEnvironment$NameProcessIterator (m1).
// Simple paths of at most 12 hops from sink to source under the "<CALL|ALIAS" filter; first 20 rows.
MATCH (source:Method)
WHERE source.NAME IN ["hashCode", "compare", "compareTo"]
MATCH (sink:Method {IS_SINK:true, NAME:"loadClass"})<-[:CALL]-(m1:Method {CLASSNAME:"com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator"})
CALL apoc.algo.allSimplePaths(sink, source, "<CALL|ALIAS", 12) YIELD path
RETURN * LIMIT 20

clojure

//clojure-1-invoke
// Fully pinned reverse chain from an IS_SINK "invoke":
//   invoke <- invoke -(ALIAS)- m3 -(ALIAS)- m4 <- sval <- seq <- hashCode
// No class constraints anywhere, so each node is matched by NAME only and every binding is returned.
MATCH (sink:Method {NAME:"invoke", IS_SINK:true})<-[:CALL]-(m2:Method {NAME:"invoke"})-[:ALIAS]-(m3:Method)-[:ALIAS]-(m4:Method)<-[:CALL]-(m5:Method {NAME:"sval"})<-[:CALL]-(m6:Method {NAME:"seq"})<-[:CALL]-(m7:Method {NAME:"hashCode"})
RETURN *

hibernate

//hibernate
// Source: TypedValue.hashCode -> getValue (m2).
// Sink: an IS_SINK "invoke" called from a "get" method whose CLASSNAME matches "org.hibernate.*" (m1).
// Simple paths of at most 12 hops from m1 to m2 under the "<CALL|ALIAS" filter; first 20 rows.
MATCH (source:Method {NAME:"hashCode", CLASSNAME:"org.hibernate.engine.spi.TypedValue"})-[:CALL]->(m2:Method {NAME:"getValue"})
MATCH (sink:Method {IS_SINK:true, NAME:"invoke"})<-[:CALL]-(m1:Method {NAME:"get"})
WHERE m1.CLASSNAME =~ "org.hibernate.*"
CALL apoc.algo.allSimplePaths(m1, m2, "<CALL|ALIAS", 12) YIELD path
RETURN * LIMIT 20
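//  hibernate 2
// Source: any readObject with IS_SERIALIZABLE true, except those on SimpleDateFormat and JOptionPane.
// Sink: an IS_SINK "invoke" called from a "get" method whose CLASSNAME matches "org.hibernate.*" (m1).
// Simple paths of at most 12 hops from m1 back to the readObject; first 20 rows.
// Fix: the four clauses were joined with commas (`false,match`, `",call`, `path,return`); a comma
// is not a clause separator in Cypher, so the query did not parse. Each clause now starts on its
// own line, as in the other queries on this page.
match (source:Method {NAME:"readObject",IS_SERIALIZABLE:true}) where (source.CLASSNAME in ["java.text.SimpleDateFormat","javax.swing.JOptionPane"]) = false
match (sink:Method {IS_SINK:true,NAME:"invoke"})<-[:CALL]-(m1:Method {NAME:"get"}) where m1.CLASSNAME =~ "org.hibernate.*"
call apoc.algo.allSimplePaths(m1, source, "<CALL|ALIAS", 12) yield path
return * limit 20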

weblogic

weblogic.servlet.ejb2jsp.dd.EJBTaglibDescriptor、weblogic.wsee.security.wssc.sct.SCCredential、weblogic.wsee.reliability.WsrmSequenceContext、weblogic.wsee.message.UnknownMsgHeader、weblogic.wsee.reliability.WsrmServerPayloadContext

// weblogic: readExternal entry points reaching an XXE sink
// Source: any method named "readExternal". Sink: IS_SINK methods tagged VUL "XXE".
// Simple paths of at most 6 hops from sink to source under the "<CALL|ALIAS" filter. Paths that
// contain an ALIAS relationship starting at a node named "readExternal" are dropped; first 20 rows.
MATCH (source:Method {NAME:"readExternal"})
MATCH (sink:Method {IS_SINK:true, VUL:"XXE"})
CALL apoc.algo.allSimplePaths(sink, source, "<CALL|ALIAS", 6) YIELD path
WHERE none(r IN relationships(path) WHERE startNode(r).NAME IN ["readExternal"] AND type(r) = "ALIAS")
RETURN * LIMIT 20