bugfix for the assignHandler

调整了处理函数赋值的过程，并且在return前加入flow中

Author: exploit

CFGGenerator.php

@@ -233,39 +233,29 @@ private function assignHandler($node,$block,$dataFlow,$type){
 		    if($part && ($part->getType() == "Expr_FuncCall" ||
 		        $part->getType() == "Expr_MethodCall" ||
 		        $part->getType() == "Expr_StaticCall" ) ){
-		    
+
 		        //处理 id = urlencode($_GET['id']) ;
-		        if(!SymbolUtils::isValue($part)){
+		        if($type == 'right' && !SymbolUtils::isValue($part)){
 		            $funcName = NodeUtils::getNodeFunctionName($part) ;
 		            BIFuncUtils::assignFuncHandler($part, $type, $dataFlow, $funcName) ;
 		            if($dataFlow->getValue() != null){
+		                //如果处理完函数赋值，则立即返回
+		                $block->getBlockSummary()->addDataFlowItem($dataFlow);
 		                return  ;
-		            }
-		        }
-		    
-		        //处理编码和净化信息
-		        if($type == 'right'){
-		            //处理iconv等函数
-		            //处理 id = urlencode($_GET['id']) ;
-		            $encode_convert = array('iconv') ;
-		            $funcName = NodeUtils::getNodeFunctionName($part);
-		            if (array_key_exists($funcName, $encode_convert)){
-		                //将函数加入净化栈
-		                $oneFunction = new OneFunction($funcName);
-		                $dataFlow->getLocation()->addSanitization($oneFunction) ;
 		            }else{
+		                //处理 id = urlencode($_GET['id']) ;
 		                //检查是否为sink函数
 		                $this->functionHandler($part, $block, $this->fileSummary);
-		                  
+		                 
 		                //处理净化信息和编码信息
 		                SanitizationHandler::setSanitiInfo($part,$dataFlow, $block, $this->fileSummary) ;
 		                EncodingHandler::setEncodeInfo($part, $dataFlow, $block, $this->fileSummary) ;
 		            }
 		        }
+
 		    }
 		    //处理类型强制转换
-		    if($part
-		        && ($part->getType() == "Expr_Cast_Int" || $part->getType() == "Expr_Cast_Double")
+		    if($part && ($part->getType() == "Expr_Cast_Int" || $part->getType() == "Expr_Cast_Double")
 		        && $type == "right"){
 		        $dataFlow->getLocation()->setType("int") ;
 		        $symbol = SymbolUtils::getSymbolByNode($part->expr) ;
@@ -1147,34 +1137,34 @@ public function sinkTracebackBlock($argName,$block,$flowsNum){
 }
 
 
-//扫描漏洞类型
-$scan_type = 'ALL';
-echo "<pre>" ;
+// //扫描漏洞类型
+// $scan_type = 'ALL';
+// echo "<pre>" ;
 
-//从用户那接受项目路径
-$project_path = 'E:/School_of_software/information_security/PHPVulScanner_project/simple-log_v1.3.12/upload/';
-$project_path = "D:/MySoftware/wamp/www/code/phpvulhunter/test/test.php" ;
-$project_path = "E:/School_of_software/information_security/PHPVulScanner_project/74cms_3.3/" ;
-$allFiles = FileUtils::getPHPfile($project_path);
+// // //从用户那接受项目路径
+// // $project_path = 'E:/School_of_software/information_security/PHPVulScanner_project/simple-log_v1.3.12/upload/';
+// // $project_path = "D:/MySoftware/wamp/www/code/phpvulhunter/test/test.php" ;
+// // $project_path = "E:/School_of_software/information_security/PHPVulScanner_project/74cms_3.3/" ;
+// // $allFiles = FileUtils::getPHPfile($project_path);
 
-//初始化
-$initModule = new InitModule() ;
-$initModule->init($project_path, $allFiles) ;
+// // //初始化
+// // $initModule = new InitModule() ;
+// // $initModule->init($project_path, $allFiles) ;
 
-$cfg = new CFGGenerator() ;
-$visitor = new MyVisitor() ;
-$parser = new PhpParser\Parser(new PhpParser\Lexer\Emulative) ;
-$traverser = new PhpParser\NodeTraverser ;
-$path = CURR_PATH . '/test/test.php';
-$cfg->getFileSummary()->setPath($path);
-$code = file_get_contents($path);
-$stmts = $parser->parse($code) ;
-$traverser->addVisitor($visitor) ;
-$traverser->traverse($stmts) ;
-$nodes = $visitor->getNodes() ;
-$pEntryBlock = new BasicBlock() ;
-$pEntryBlock->is_entry = true ;
-$ret = $cfg->CFGBuilder($nodes, NULL, NULL, NULL) ;
+// $cfg = new CFGGenerator() ;
+// $visitor = new MyVisitor() ;
+// $parser = new PhpParser\Parser(new PhpParser\Lexer\Emulative) ;
+// $traverser = new PhpParser\NodeTraverser ;
+// $path = CURR_PATH . '/test/test.php';
+// $cfg->getFileSummary()->setPath($path);
+// $code = file_get_contents($path);
+// $stmts = $parser->parse($code) ;
+// $traverser->addVisitor($visitor) ;
+// $traverser->traverse($stmts) ;
+// $nodes = $visitor->getNodes() ;
+// $pEntryBlock = new BasicBlock() ;
+// $pEntryBlock->is_entry = true ;
+// $ret = $cfg->CFGBuilder($nodes, NULL, NULL, NULL) ;
 
 
 

analyser/SqliAnalyser.class.php

@@ -20,7 +20,6 @@ class SqliAnalyser {
 	private function check_sanitization($var,$saniArr){
 		//CMS的编码
 		global $encoding ;
-
 		//如果数组为空，说明没有进行任何净化
 		if(count($saniArr) == 0){
 			return false ;

analyser/TaintAnalyser.class.php

@@ -249,7 +249,7 @@ public function multiBlockHandler($block, $argName, $node, $fileSummary){
 
 		$this->getPrevBlocks($block) ;
 		$block_list = $this->pathArr ;
-		
+
 		//单基本块进入   算法停止
 		if(empty($block_list)){
 		    // 首先，在当前基本块中探测变量，如果有source和不完整的santi则报告漏洞
@@ -281,8 +281,8 @@ public function multiBlockHandler($block, $argName, $node, $fileSummary){
 		                        }
 		                    }
 
-		                    
 		                    $vars = $this->getVarsByFlow($flow) ;
+		                    
 		                    foreach ($vars as $var){
 		                        $varName = $this->getVarName($var) ; 
 		                        //如果$varName 为source
@@ -373,8 +373,10 @@ public function multiBlockHandler($block, $argName, $node, $fileSummary){
 		        foreach ($bitem as $block_item){   
 		            $flows = $block_item->getBlockSummary()->getDataFlowMap() ;
 		            $flows = array_reverse($flows) ;
+
 		            //如果flow中没有信息，则换下一个基本块
 		            if($flows == null){
+		                if($argName == 'key') echo "x3";
 		                //找到新的argName
 		                foreach ($block->getBlockSummary()->getDataFlowMap() as $flow){
 		                    if($flow->getName() == $argName){
@@ -431,7 +433,7 @@ public function multiBlockHandler($block, $argName, $node, $fileSummary){
 		                                return "safe" ;
 		                            }
 		                        }
-	
+	                               
 		                        //获取flow中的右边赋值变量
 		                        //得到flow->getValue()的变量node
 		                        //$sql = $a . $b ;  =>  array($a,$b)
@@ -645,8 +647,6 @@ public function analysis($block, $node, $argName, $fileSummary){
 	        $this->getPrevBlocks($block) ;
 	        $block_list = $this->pathArr ;
 	        array_push($block_list, $block) ;
-	        //首先，在当前基本块中探测变量，如果有source和不完整的santi则报告漏洞
-	        //$this->currBlockTaintHandler($block, $node, $argName, $fileSummary) ;
 	        //多个基本块的处理
 	        $this->pathArr = array() ;
 	        $this->multiBlockHandler($block, $argName, $node, $fileSummary) ;

utils/BIFuncUtils.class.php

@@ -34,7 +34,14 @@ public static function getSingleFuncs(){
 	 */
 	public static function assignFuncHandler($part, $type, $dataFlow, $funcName){
 			$single_func = self::getSingleFuncs() ;
+			$encoding_convert = array('iconv') ;
 			if($type == "right" && array_key_exists($funcName, $single_func)){
+			    //首先搜索不安全字符的转换函数
+			    if(in_array($funcName, $encoding_convert)){
+			        $oneFunction = new OneFunction($funcName);
+			        $dataFlow->getLocation()->addSanitization($oneFunction) ;
+			    }
+			    
 				$position = $single_func[$funcName] ;
 				$value = $part->args[$position]->value ;