-
Notifications
You must be signed in to change notification settings - Fork 153
现有利用链覆盖
wh1t3P1g edited this page Jan 19, 2021
·
5 revisions
暂未覆盖cc1和cc3,因为它用到了代理模式,这部分tabby还未覆盖
//cc2
match (m1:Method {SIGNATURE:"<java.util.PriorityQueue: void readObject(java.io.ObjectInputStream)>"})-[:CALL ]->(m2:Method {NAME:"heapify"})-[:CALL ]->(m3)-[:CALL]->(m4:Method {NAME:"siftDownUsingComparator"})-[:CALL]->(m5)-[:ALIAS*]-(m6 {SIGNATURE:"<org.apache.commons.collections.comparators.TransformingComparator: int compare(java.lang.Object,java.lang.Object)>"})-[:CALL]->(m7)-[:ALIAS*]-(m8:Method)-[:CALL]->(m9:Method {IS_SINK:true}) return *
//cc4
match (m1:Method {SIGNATURE:"<java.util.PriorityQueue: void readObject(java.io.ObjectInputStream)>"})-[:CALL ]->(m2:Method {NAME:"heapify"})-[:CALL ]->(m3)-[:CALL ]->(m4:Method {NAME:"siftDownUsingComparator"})-[:CALL ]->(m5)-[:ALIAS*]-(m6 {SIGNATURE:"<org.apache.commons.collections.comparators.TransformingComparator: int compare(java.lang.Object,java.lang.Object)>"})-[:CALL ]->(m7)-[:ALIAS*]-(m8:Method)-[:CALL ]->(m9:Method {NAME:"newInstance"}) return *
// cc5
match path=(m1:Method {SIGNATURE:"<javax.management.BadAttributeValueExpException: void readObject(java.io.ObjectInputStream)>"})-[:CALL]->(m2:Method {NAME:"toString"})-[:ALIAS*]-(m3:Method {SIGNATURE:"<org.apache.commons.collections.keyvalue.TiedMapEntry: java.lang.String toString()>"})-[:CALL]->(m4:Method {NAME:"getValue"})-[:CALL]->(m5:Method {NAME:"get"})-[:ALIAS*1..2]-(m6:Method {NAME:"get"})-[:CALL]->(m7:Method {NAME:"transform"})-[:ALIAS*]-(m8:Method)-[:CALL]->(m9:Method {IS_SINK:true}) return path
//cc10
match (source:Method {SIGNATURE:"<java.util.HashSet: void readObject(java.io.ObjectInputStream)>"})-[:CALL]->(m2:Method) where (m2.NAME in ["defaultReadObject","readFloat"])=false
match (sink:Method {IS_SINK:true,NAME:"invoke"})<-[:CALL]-(m1:Method {NAME:"transform"})
call apoc.algo.allSimplePaths(m1, m2, "<CALL|ALIAS", 10) yield path
return * limit 20
//cc7
match path=(m1:Method {SIGNATURE:"<java.util.Hashtable: void readObject(java.io.ObjectInputStream)>"})-[:CALL ]->(m2:Method {NAME:"reconstitutionPut"})-[:CALL ]->(m3:Method {NAME:"equals"})-[:ALIAS*..2]-(m4:Method)-[:CALL ]->(m5:Method {NAME:"get"})-[:ALIAS*1..2]-(m6:Method {NAME:"get"})-[:CALL]->(m7:Method {NAME:"transform"})-[:ALIAS*]-(m8:Method)-[:CALL]->(m9:Method {IS_SINK:true}) return path
//cc8
match path=(m1:Method {SIGNATURE:"<org.apache.commons.collections4.bag.TreeBag: void readObject(java.io.ObjectInputStream)>"})-[:CALL ]->(m2:Method {NAME:"doReadObject"})-[:CALL ]->(m3:Method {NAME:"put"})-[:ALIAS*1..4]-(m4:Method)-[:CALL ]->(m5:Method {NAME:"compare"})-[:CALL ]->(m6:Method)-[:ALIAS*]-(m7:Method {SIGNATURE:"<org.apache.commons.collections4.comparators.TransformingComparator: int compare(java.lang.Object,java.lang.Object)>"})-[:CALL ]->(m8)-[:ALIAS*]-(m9:Method)-[:CALL*..5 ]->(m10:Method {IS_SINK:true}) return path
//cc9
match path=(m1:Method {SIGNATURE:"<java.util.Hashtable: void readObject(java.io.ObjectInputStream)>"})-[:CALL]->(m2:Method {NAME:"reconstitutionPut"})-[:CALL]->(m3:Method {NAME:"hashCode"})-[:ALIAS*]-(m4:Method {SIGNATURE:"<org.apache.commons.collections.keyvalue.TiedMapEntry: int hashCode()>"})-[:CALL]->(m5:Method {NAME:"getValue"})-[:CALL]->(m6:Method {NAME:"get"})-[:ALIAS*1..2]-(m7:Method {NAME:"get"})-[:CALL]->(m8:Method {NAME:"transform"})-[:ALIAS*]-(m9:Method)-[:CALL]->(m10:Method {IS_SINK:true}) return path
//jdbcrowsetimpl
match path=(m1:Method)-[:CALL*..5]->(m2:Method {IS_SINK:true,NAME:"lookup"}) where m1.NAME =~ "set.*" return path
//LdapAttribute
match (source:Method {HAS_PARAMETERS:false}) where source.NAME =~ "get.*" and (source.IS_SERIALIZABLE = true or source.IS_STATIC=true)
match (sink:Method {NAME:"lookup"})
call apoc.algo.allSimplePaths(sink, source, "<CALL|ALIAS", 3) yield path
return path limit 20
//xstream 2020-1
match (from:Method {IS_SINK:true,NAME:"invoke"})<-[:CALL]-(m1:Method {NAME:"filter"})-[:ALIAS]-(m2:Method)<-[:CALL]-(m3:Method {NAME:"advance"})<-[:CALL]-(m4:Method {NAME:"next"})-[:ALIAS]-(m5:Method )<-[:CALL]-(m6:Method {NAME:"nextElement"})-[:ALIAS]-(m7:Method)<-[:CALL]-(m8:Method {NAME:"nextStream"})
match (to:Method {NAME:"hashCode"})
call apoc.algo.allSimplePaths(m8, to, "<CALL|ALIAS", 12) yield path
return * limit 20