网站空间租用多少钱,交易网站开发合同,相册管理网站模板下载,教育集团网站建设的目的从了解到修复 Navex, 其中花了一年多, 从对自动化代码审计一无所知到学习PL/Static Analysis, 翻阅十几年前的文档, 补全Gremlin Step, 理解AST, CFG, DDG, PDG, CPG, 也感谢z3r0yu师傅和Gaba哥的的交流指导.本文重点在于静态分析 Joern-图查询部分, 后面的动态分析自动生成EXP…从了解到修复 Navex, 其中花了一年多, 从对自动化代码审计一无所知到学习PL/Static Analysis, 翻阅十几年前的文档, 补全Gremlin Step, 理解AST, CFG, DDG, PDG, CPG, 也感谢z3r0yu师傅和Gaba哥的的交流指导.本文重点在于静态分析 Joern-图查询部分, 后面的动态分析自动生成EXP部分是剪枝的过程, 也相对好实现, 各位有兴趣的话, 我会在下一篇文章继续谈论.这里不得不说的Navex实际的效果没有描述的那么优秀, 以及作者故意在代码里埋坑, 毕竟人家也研究了快十年, 留一手也是正常的.这里不是说一定非要完成/使用Navex, 而是借鉴新鲜的学术思想, 结合实际环境实现相关功能来降低排查漏洞成本.预备知识Navex 是什么下面这段摘自z3r0yu师傅的博文 NavexNAVEX-Precise and Scalable Exploit Generation for Dynamic Web Applications出处27th USENIX Security Symposium作者Abeer Alhuzali, Rigel Gjomemo, Birhanu Eshete, and V.N.单位Venkatakrishnan University of Illinois at Chicago资料Paper | Github作者在本文中提出了一种以静态分析作为指导结合动态分析自动验证漏洞并构造可用exploit的工具NAVEX。研究问题解决以往自动化审计的误报以及必须结合人工参与构造Exp的问题静态分析虽然覆盖率高但是对于具有动态特性的语言其建模困难。解决方案静态分析阶段使用符号执行创建Web应用程序的各个模块的行为模型。标记出包含潜在漏洞点的模块动态分析阶段使用Web爬虫和concolic执行器去发现可能导致攻击者进入易受攻击模块的可能的HTTP导航路径之后使用约束求解器生成一组对漏洞进行利用的HTTP输入序列。方案优点.动态分析与静态分析相结合提升了性能可以应用于大型应用程序是一种多类型漏洞的Exp生成框架。NAVEX分析了320万行PHP代码自动构建并利用204个漏洞其中有195个与SQLI和XSS相关而9个与逻辑漏洞相关。此外NAVEX是第一个可以自动发现并利用EAR漏洞的方案。Joern 静态分析核心模块Joern 是ShiftLeft公司开发的用于C/C代码健壮性分析的平台. 其核心思想: 将代码分析问题转化为用Gremlin去遍历存储在Neo4j中的CPG(代码属性图). 其商业产品 Ocular 支持多种语言, 也侧面证明 CPG 作为一种 IR, 是可以解决大部分语言的审计问题.PS. 静态分析这部分其实可以使用Codeql代替.CPG 代码属性图CPG (代码属性图) 的论文可以参考Modeling and Discovering Vulnerabilities with Code Property Graphs这里用几张图简要描述一下原始代码代码对应的AST(抽象语法树)代码对应的CFG(控制流程图)代码对应的PDG(程序依赖图)](https://blog.riskivy.com/wp-content/uploads/2020/05/4afab12ab74238d1b09a90517beabf9e.png)代码对应的CPG(代码属性图)其实以上的信息都可以从AST中获取, 只是后续的操作提高了单位节点的信息密集度, 对分析过程更友好TinkerPop 2.x Gremlin 图查询语言由于Navex作者是2012年开始研究这个方向, 所以大部分依赖都是远古版本, 我尽可能的修复了一些, 其中TinkerPop 2.x Gremlin由于官方已经更新 TinkerPop 3.x, 2.x 已经不再维护了, 全网只有一个github上面的历史文档spmallette/GremlinDocs: Gremlin Documentation and Samples或者阅读TinkerPop 2.x Gremlin的实现源码tinkerpop/gremlin: A Graph Traversal Language (no longer active – see Apache TinkerPop).其实更新为最新版的TP3(文档, 性能和语法都更好), 我也尝试过, 但是整个框架的Gremlin step需要重写, 不利于前期探索, TP2目前还够用, 所以如果后续有需要, 可以考虑整体重构.目前的python-joern的实现方式是通过HTTP请求发送Gremlin查询语言(Groovy实现)到Neo4j的Gremlin插件为什么不用Neo4j自带的Cypher, 因为Gremlin支持Groovy语法, 有更强的操作性, 也兼容其他图数据库Tinkerpop 2.x Gremlin 基础知识首先得了解Groovy的相关语法精通 GroovyTinkerPop 2.x Gremlin 文档查看这个tinkerpop/gremlin: A Graph Traversal Language (no longer active – see Apache TinkerPop).下面是我添加了一些注释, 方便理解itit 是groovy闭包中的默认参数list.each {println it
}//等于list.each { obj -println obj
}idGets the unique identifier of the element.每个节点/边都有唯一的idgremlin v g.V(name, marko).next()
v[1]
gremlin v.id
1
gremlin g.v(1).id
1VThe vertex iterator for the graph. Utilize this to iterate through all the vertices in the graph. Use with care on large graphs unless used in combination with a key index lookup.在 TP2中g.V() 代表所有节点g.v(1) 注意这里是小写的v, 可以用node_id取值g.V(name, marko) 返回 v.namemarko 的节点gremlin g.V
v[3]
v[2]
v[1]
v[6]
v[5]
v[4]
gremlin g.V(name, marko)
v[1]
gremlin g.V(name, marko).name
markoEThe edge iterator for the graph. Utilize this to iterate through all the edges in the graph. Use with care on large graphs.返回节点的所有边gremlin g.E
e[10][4-created-5]
e[7][1-knows-2]
e[9][1-created-3]
e[8][1-knows-4]
e[11][4-created-3]
e[12][6-created-3]
gremlin g.E.weight
1.0
0.5
0.4
1.0
0.4
0.2inGets the adjacent vertices to the vertex.返回当前node的父节点参数的调用可以不写 ()没有参数的调用可以不写 ()这个技巧在后面存储路径信息的时候会用到g.v(4).inE.outV g.v(4).ing.v(4).outE.inV g.v(4).outgremlin v g.v(4)
v[4]
gremlin v.inE.outV
v[1]
gremlin v.in
v[1]
gremlin v g.v(3)
v[3]
gremlin v.in(created)
v[1]
v[4]
v[6]
gremlin v.in(2,created)
v[1]
v[4]
gremlin v.inE(created).outV
v[1]
v[4]
v[6]
gremlin v.inE(2,created).outV[0]
v[1]outGets the out adjacent vertices to the vertex.返回当前node的子节点gremlin v g.v(1)
v[1]
gremlin v.outE.inV
v[2]
v[4]
v[3]
gremlin v.out
v[2]
v[4]
v[3]
gremlin v.outE(knows).inV
v[2]
v[4]
gremlin v.out(knows)
v[2]
v[4]
gremlin v.out(1,knows)
v[2]bothGet both adjacent vertices of the vertex, the in and the out.both 操作表示node 的相邻节点, 也就有有edge 存在, 且忽略 edge 的方向gremlin v g.v(4)
v[4]
gremlin v.both
v[1]
v[5]
v[3]
gremlin v.both(knows)
v[1]
gremlin v.both(knows, created)
v[1]
v[5]
v[3]
gremlin v.both(1, knows, created)
v[1]TransformTransform steps take an object and emit a transformation of it.Transform 操作可以返回其后面闭包里面的值Identity turns an arbitrary object into a “pipeline”.gremlin x [1,2,3]
1
2
3
gremlin x._().transform{it1}
2
3
4
gremlin x g.E.has(weight, T.gt, 0.5f).toList()
e[10][4-created-5]
e[8][1-knows-4]
gremlin x.inV
[StartPipe, InPipe]
[StartPipe, InPipe]
gremlin x._().inV
v[5]
v[4]has使用has可以做一些简单的属性判断Allows an element if it has a particular property. Utilizes several options for comparisons through T:T.gt – greater thanT.gte – greater than or equal toT.eq – equal toT.neq – not equal toT.lte – less than or equal toT.lt – less thanhttp://T.in – contained in a listT.notin – not contained in a listIt is worth noting that the syntax of has is similar to g.V(name, marko), which has the difference of being a key index lookup and as such will perform faster. In contrast, this line, g.V.has(name, marko), will iterate over all vertices checking the name property of each vertex for a match and will be significantly slower than the key index approach. All that said, the behavior of has is dependent upon the underlying implementation and the above description is representative of most Blueprints implementations. For instance, Titan will actually try to use indices where it sees the opportunity to do so. It is therefore important to understand the functionality of the underlying database when writing traversals.gremlin g.V.has(name, marko).name
marko
gremlin g.v(1).outE.has(weight, T.gte, 0.5f).weight
0.5
1.0
gremlin g.V.has(age).name
vadas
marko
peter
josh
gremlin g.V.has(age,T.in,[29,32])
v[1]
v[4]
gremlin g.V.has(age).has(age,T.notin, [27,35]).name
marko
josh[i]A index filter that emits the particular indexed object.通过下标可以进行取值, 跟Python的数组相似gremlin g.V[0].name
lop[i..j]A range filter that emits the objects within a range.下标也可以取范围. 前闭后开, [0,2)gremlin g.V[0..2].name
lop
vadas
marko
gremlin g.V[0..2].name
lop
vadasfilterDecide whether to allow an object to pass. Return true from the closure to allow an object to pass.filter操作就是通过一个闭包函数来过滤输入//filter有时会失效,最好用has()
g.v(1).outE.has(label,created)
//g.v(1).outE.filter{it.labelcreated}groovyin filter{}it.xxx() 可能返回 pipe 对象可以使用it.xxx().next()来获取第一个节点gremlin g.V.filter{it.age 29}.name
peterdedupEmit only incoming objects that have not been seen before with an optional closure being the object to check on.用于去除重复元素gremlin g.v(1).out.in
v[1]
v[1]
v[1]
v[4]
v[6]
gremlin g.v(1).out.in.dedup()
v[1]
v[4]
v[6]asEmits input, but names the previous step.给一个操作设置一个别名, 配合select, loopg.v(1).as(sloop).outE.inV.loop(sloop){it.loops 2}循环体为 .outE.inV. 等价g.v(1).outE.inV.loop(2){it.loops 2}gremlin g.V.as(x).outE(knows).inV.has(age, T.gt, 30).back(x).age
29selectSelect the named steps to emit after select with post-processing closures.select 一般配合as一起使用gremlin g.v(1).as(x).out(knows).as(y).select
[x:v[1], y:v[2]]
[x:v[1], y:v[4]]
gremlin g.v(1).as(x).out(knows).as(y).select([y])
[y:v[2]]
[y:v[4]]
gremlin g.v(1).as(x).out(knows).as(y).select([y]){it.name}
[y:vadas]
[y:josh]
gremlin g.v(1).as(x).out(knows).as(y).select{it.id}{it.name}
[x:1, y:vadas]
[x:1, y:josh]sideEffectEmits input, but calls a side effect closure on each input.官方示例中的是交互console, 可以延伸到下一条语句gremlin youngest Integer.MAX_VALUE
2147483647
gremlin g.V.has(age).sideEffect{youngestyoungestit.age?it.age:youngest}
v[2]
v[1]
v[6]
v[4]
gremlin youngest
27sideEffect可以在运行过程中执行指定操作, 但是不会影响遍历过程, 主要用于收集信息, 尽量不要用于改变节点信息在python-joern中, sideEffect的作用域只在当前遍历过程/语句, 这里比较坑人, 大家注意g.V.has(age).sideEffect{youngestyoungestit.age?it.age:youngest}.transform{youngest}ifThenElseAllows for if-then-else conditional logic.gremlin g.v(1).out.ifThenElse{it.namejosh}{it.age}{it.name}
vadas
32
lop判断条件选择分支执行, 这边倾向于单独使用groovy的 if语句来处理, 逻辑更清晰loopLoop over a particular set of steps in the pipeline. The first argument is either the number of steps back in the pipeline to go or a named step. The second argument is a while closure evaluating the current object. The it component of the loop step closure has three properties that are accessible. These properties can be used to reason about when to break out of the loop.it.object: the current object of the traverser.it.path: the current path of the traverser.it.loops: the number of times the traverser has looped through the loop section.The final argument is known as the “emit” closure. This boolean-based closure will determine wether the current object in the loop structure is emitted or not. As such, it is possible to emit intermediate objects, not simply those at the end of the loop.gremlin g.v(1).out.out
v[5]
v[3]
gremlin g.v(1).out.loop(1){it.loops3}
v[5]
v[3]
gremlin g.v(1).out.loop(1){it.loops3}{it.object.namejosh}
v[4]loop应该这里最关键的操作, 可以参考Loop Pattern · tinkerpop/gremlin Wiki大部分的查询操作都需要loop进行配合g.v(1).out.loop(1){it.loops3}{it.object.namejosh}大概等价于arr []
for (i1; i3; i){if(it.object.namejosh){arr.add(it.object)}
}
return arr结合后面的enablePath, 可以在遍历的过程中获取当前所在的完整路径信息g.v(1).out.loop(1){it.loops3}{it.object.namejosh it.path.contains(g.v(4))}.enablePath大概等价于arr []
for (i1; i3; i){if(it.object.namejosh it.path.contains(g.v(4))){arr.add(it.object)}
}
return arrPipe.enablePathIf the path information is required internal to a closure, Gremlin doesn’t know that as it can not interpret what is in a closure. As such, be sure to use GremlinPipeline.enablePath() if path information will be required by the expression.主要是保存路径信息gremlin g.v(1).out.loop(1){it.loops 3}{it.path.contains(g.v(4))}
Cannot invoke method contains() on null object
Display stack trace? [yN]
gremlin g.v(1).out.loop(1){it.loops 3}{it.path.contains(g.v(4))}.enablePath()
v[5]
v[Pipe.nextGets the next object in the pipe or the next n objects. This is an important notion to follow when considering the behavior of the Gremlin Console. The Gremlin Console iterates through the pipeline automatically and outputs the results. Outside of the Gremlin Console or if more than one statement is present on a single line of the Gremlin Console, iterating the pipe must be done manually. Read more about this topic in the Gremlin Wiki Troubleshooting Page.There are some important things to note in the example below. Had the the first line of Gremlin been executed separately, as opposed to being placed on the same line separated by a semi-colon, the name of the vertex would have changed because the Gremlin Console would have automatically iterated the pipe and processed the side-effect.gremlin g.v(1).sideEffect{it.namesame};g.v(1).name
marko
gremlin g.v(1).sideEffect{it.namesame}.next();g.v(1).name
same
gremlin g.V.sideEffect{it.namesame-again}.next(3);g.V.name
same-again
same-again
same-again
peter
ripple
joshnext 操作可以从pipe中取出对象 // pipe返回的一般都是生成器对象pathGets the path through the pipeline up to this point, where closures are post-processing for each object in the path. If the path step is provided closures then, in a round robin fashion, the closures are evaluated over each object of the path and that post-processed path is returned.gremlin g.v(1).out.path
[v[1], v[2]]
[v[1], v[4]]
[v[1], v[3]]
gremlin g.v(1).out.path{it.id}
[1, 2]
[1, 4]
[1, 3]
gremlin g.v(1).out.path{it.id}{it.name}
[1, vadas]
[1, josh]
[1, lop]
gremlin g.v(1).outE.inV.name.path
[v[1], e[7][1-knows-2], v[2], vadas]
[v[1], e[8][1-knows-4], v[4], josh]path操作返回遍历的所有路径simplePathEmit the object only if the current path has no repeated elements.gremlin g.v(1).out.in
v[1]
v[1]
v[1]
v[4]
v[6]
gremlin g.v(1).out.in.simplePath
v[4]
v[6]simplePath返回没有环路的pathtoListg.v(1).out //返回生成器
g.v(1).out.toList() //返回一个列表, 已经把数据都读出来了, 可以随便操作intersect返回交集[1,2,3].intersect([1]) [1][].intersect([1]) []Navex 排坑被删除的查询语句当你信心满满的解决了前面的各种古老依赖, 奇怪版本号问题时, 在最关键的查询语句是丢失的如果你真的尝试运行了, 大概会这样#python static-main.py the query is
xss_funcs [print, echo]
sql_query_funcs [mysql_query, mysqli_query, pg_query, sqlite_query]
os_command_funcs [backticks, exec , expect_popen,passthru,pcntl_exec,popen,proc_open,shell_exec,system, mail ]m []; queryMapList []; g.V().filter{sql_query_funcs.contains(it.code) isCallExpression(it.nameToCall().next()) }.callexpressions().sideEffect{m start(it, [], 0, sql, false, queryMapList)}.sideEffect{ warnmessage warning(it.toFileAbs().next().name, it.lineno, it.id, sql, 1)}.sideEffect{ reportmessage report(it.toFileAbs().next().name, it.lineno, it.id)}.ifThenElse{m.isEmpty()}{it.transform{reportmessage}}{it.transform{findSinkLocation(m, warnmessage, sql, queryMapList, it)}}
Caught exception: class py2neo.error.BadInputException groovy.lang.MissingMethodException: No signature of method: com.tinkerpop.gremlin.groovy.jsr223.GremlinGroovyScriptEngine.start() is applicable for argument types: (com.tinkerpop.blueprints.impls.neo4j2.Neo4j2Vertex, java.util.ArrayList, java.lang.Integer, java.lang.String, java.lang.Boolean, java.util.ArrayList) values: [v[721], [], 0, sql, false, []]
Possible solutions: wait(), any(), every()
None很显然是作者删除了关键函数m start(it, [], 0, sql, false, queryMapList) # 筛选sql注入节点findSinkLocation(m, warnmessage, sql, queryMapList, it) # 查找Sink所以你不可能直接复现论文里的静态分析结果, 世界上除了作者应该没人知道写的是啥了, issue中也有人反馈这样的问题python-joern/Analysis.py at e5f651511143938511ae572b7986bfa92c6c4936 · aalhuz/python-joern大部分想尝试的人, 面对这样未知的领域, 未知的语言, 未知的代码, 都会就此止步, 可惜了, 我不信邪, 哪怕重新写一个.之后的时间, 去寻找“Tinkerpop Gremlin的教程, 然后学完百度的HugeGraph教程才发现市面上的文档都是针对Tinkerpop 3.x, 甚至又学习了一个宝藏博主的Tinkerpop 3.x教程PRACTICAL GREMLIN: An Apache TinkerPop Tutorial想着触类旁通, 修复Tinkerpop 2.x 的 Navex, 在一个完全陌生的领域探索必然是缓慢而痛苦的, 又过了很久, 找到 github上面的一份古老文档spmallette/GremlinDocs: Gremlin Documentation and Samples这是一份 2012-2015 年的Tinkerpop 2.x文档, 然后勉强把Tinkerpop 2.x文档扣了一遍, 中间穿插学习了编译原理, 离散数学, 南大的静态分析课程, 也算是知道了什么是静态分析, 大概的原理和目的也算是清楚了些.在浏览器相关收藏快100个了的时候, 前后知识点终于打通了, 被迫完成了作者删除的代码, 回过头来看, 也不是特别难, 硬着头皮写Gremlin遍历, 边查边写就是了.CPG – Vertex, Edge , PropertyCPG的节点, 边和属性信息都记录在下面这个文件中joern/phpjoernsteps/_constants.groovy// AST node property keysObject.metaClass.NODE_INDEX id // 每个node都有自己的id
Object.metaClass.NODE_TYPE type // 节点的类型, 后面AST node types有具体描述
Object.metaClass.NODE_FLAGS flags // 参考AST node flags, 赋值, 二元操作,判断, 文件包含, 目录信息
Object.metaClass.NODE_LINENO lineno // 当前节点所处源文件的行数
Object.metaClass.NODE_CODE code // 引用的函数或者变量的名称
Object.metaClass.NODE_FUNCID funcid // 所处文件的文件id
Object.metaClass.NODE_ENDLINENO endlineno // 所处文件的总行数
Object.metaClass.NODE_NAME name // 函数声明的函数名称, 文件的文件名
Object.metaClass.NODE_DOCCOMMENT doccomment // 注释// AST node types
//g.V().has(type, TYPE_STMT_LIST)
Object.metaClass.TYPE_STMT_LIST AST_STMT_LIST // ...; ...; ...;
Object.metaClass.TYPE_CALL AST_CALL // foo()
Object.metaClass.TYPE_STATIC_CALL AST_STATIC_CALL // bla::foo()
Object.metaClass.TYPE_METHOD_CALL AST_METHOD_CALL // $bla-foo()
Object.metaClass.TYPE_PROP AST_PROP // e.g., $bla-foo
Object.metaClass.TYPE_FUNC_DECL AST_FUNC_DECL // function foo() {}
Object.metaClass.TYPE_METHOD AST_METHOD // class bla { ... function foo() {} ... }
Object.metaClass.TYPE_ARG_LIST AST_ARG_LIST // foo( $a1, $a2, $a3)
Object.metaClass.TYPE_PARAM_LIST AST_PARAM_LIST // function foo( $p1, $p2, $p3) {}
Object.metaClass.TYPE_PARAM AST_PARAM // $p1
Object.metaClass.TYPE_ASSIGN AST_ASSIGN // $buzz true
Object.metaClass.TYPE_ASSIGN_REF AST_ASSIGN_REF // $b $a
Object.metaClass.TYPE_ASSIGN_OP AST_ASSIGN_OP // $x 3
Object.metaClass.TYPE_NAME AST_NAME // names (e.g., name of a called function in call expressions)
Object.metaClass.TYPE_VAR AST_VAR // $v
Object.metaClass.TYPE_BINARY_OP AST_BINARY_OP // e.g., foo.bar or 34
Object.metaClass.TYPE_ENCAPS_LIST AST_ENCAPS_LIST // e.g., blah{$var1}buzz $var2 beep
Object.metaClass.TYPE_INCLUDE_OR_EVAL AST_INCLUDE_OR_EVAL // eval, include, require
//Abeer
Object.metaClass.TYPE_CALLEE Callee
Object.metaClass.TYPE_FUNCTION Function
Object.metaClass.TYPE_ECHO AST_ECHO // echo
Object.metaClass.TYPE_PRINT AST_PRINT // PRINT//ABEER
Object.metaClass.TYPE_IF_ELEM AST_IF_ELEM // HOLDES THE COND INSIDE IF
Object.metaClass.TYPE_DIM AST_DIM // _POST[x]
Object.metaClass.TYPE_ISSET AST_ISSET // is_set()
// TODO and many more...// AST node flags
// of AST_ASSIGN.*
Object.metaClass.FLAG_ASSIGN_CONCAT ASSIGN_CONCAT // $v . foo
// of AST_BINARY_OP
Object.metaClass.FLAG_BINARY_CONCAT BINARY_CONCAT // foo.bar
//Abeer
Object.metaClass.FLAG_BINARY_EQUAL BINARY_IS_EQUAL // xy
Object.metaClass.FLAG_BINARY_NOT_EQUAL BINARY_IS_NOT_EQUAL // x ! y
Object.metaClass.FLAG_BINARY_IS_IDENTICAL BINARY_IS_IDENTICAL // 1 1
Object.metaClass.FLAG_BINARY_IS_NOT_IDENTICAL BINARY_IS_NOT_IDENTICAL // 1 ! 1
// of AST_INCLUDE_OR_EVAL
Object.metaClass.FLAG_EXEC_EVAL EXEC_EVAL // eval(...)
Object.metaClass.FLAG_EXEC_INCLUDE EXEC_INCLUDE // include ...
Object.metaClass.FLAG_EXEC_INCLUDE_ONCE EXEC_INCLUDE_ONCE // include_once ...
Object.metaClass.FLAG_EXEC_REQUIRE EXEC_REQUIRE // require ...
Object.metaClass.FLAG_EXEC_REQUIRE_ONCE EXEC_REQUIRE_ONCE // require_once ...// TODO and many more...// Other (non-AST) node types
// 目录结构信息
Object.metaClass.TYPE_DIRECTORY Directory
Object.metaClass.TYPE_FILE FileObject.metaClass.TYPE_STRING string// Edge typesObject.metaClass.DIRECTORY_EDGE DIRECTORY_OF
Object.metaClass.FILE_EDGE FILE_OF
Object.metaClass.AST_EDGE PARENT_OF// 不清楚, dvwa里面没有这种边
Object.metaClass.TYPE_IDENTIFIER_DECL_STMT IdentifierDeclStatement
Object.metaClass.TYPE_PARAMETER ParameterObject.metaClass.TYPE_FILE File// Edge typesObject.metaClass.CALLS_EDGE CALLS // 类中的函数定义
Object.metaClass.CFG_EDGE FLOWS_TO // 用来描述 ControlFlowObject.metaClass.USES_EDGE USE
Object.metaClass.DEFINES_EDGE DEF
Object.metaClass.DATA_FLOW_EDGE REACHES // 用来描述 DataFlowObject.metaClass.FUNCTION_TO_AST_EDGE IS_FUNCTION_OF_AST
Object.metaClass.FILE_TO_FUNCTION_EDGE IS_FILE_OF// Edge keysObject.metaClass.DATA_FLOW_SYMBOL var // 如果这是一条REACHES的边, 就会有var这个key, 其值代表上一个节点流出到下一个节点的变量名//Abeer
// phpjoern 自带的过滤函数检测, 这里我们不用
Object.metaClass.DATA_FLOW_TAINT_SRC taint_src
Object.metaClass.DATA_FLOW_TAINT_DST taint_dst作者:斗象能力中心 TCC – 小胖虎由于篇幅有限有关漏洞查询代码补全分析、完整代码、安装与使用、查询结果分析、总结与参考内容将在 《复活Navex-使用图查询进行代码分析下》篇展示记得持续关注哦~如果想要获得「更多最前沿的安全技术研究与内容」欢迎关注‘斗象智能安全能力中心’斗象能力中心 - 斗象智能安全blog.riskivy.comTCC Team长期招聘包含各细分领域安全研究员[Web/网络攻防/逆向]、机器学习、数据分析等职位。感兴趣不妨发简历联系我们。
