bugfix for analyse function

Author: exploit

CFGGenerator.php

@@ -1083,4 +1083,30 @@ public function sinkTracebackBlock($argName,$block,$flowsNum){
 	}
 }
 
+//扫描漏洞类型
+$scan_type = 'ALL';
+echo "<pre>" ;
+//从用户那接受项目路径
+// $project_path = 'C:/users/xyw55/Desktop/test/simple-log_v1.3.1/upload';
+// $allFiles = FileUtils::getPHPfile($project_path);
+// //初始化
+// $initModule = new InitModule() ;
+// $initModule->init($project_path) ;
+
+$cfg = new CFGGenerator() ;
+$visitor = new MyVisitor() ;
+$parser = new PhpParser\Parser(new PhpParser\Lexer\Emulative) ;
+$traverser = new PhpParser\NodeTraverser ;
+$path = CURR_PATH . '/test/test.php';
+$cfg->getFileSummary()->setPath($path);
+$code = file_get_contents($path);
+$stmts = $parser->parse($code) ;
+$traverser->addVisitor($visitor) ;
+$traverser->traverse($stmts) ;
+$nodes = $visitor->getNodes() ;
+$pEntryBlock = new BasicBlock() ;
+$pEntryBlock->is_entry = true ;
+$ret = $cfg->CFGBuilder($nodes, NULL, NULL, NULL) ;
+
+
 ?>

analyser/TaintAnalyser.class.php

@@ -573,10 +573,9 @@ public function isSanitization($type,$var,$saniArr,$encodingArr){
 	 * @param FileSummary 当前文件摘要
 	 */
 	public function analysis($block, $node, $argName, $fileSummary){
-	    
 	    //传入变量本身就是source
-        $argName = substr($argName, 0, strpos($argName, '['));
-	    if(in_array($argName, $this->sourcesArr)){
+        $varName = substr($argName, 0, strpos($argName, '['));
+	    if(in_array($varName, $this->sourcesArr)){
 	        //报告漏洞
 	        $path = $fileSummary->getPath() ;
 	        $type = TypeUtils::getTypeByFuncName(NodeUtils::getNodeFunctionName($node)) ;
@@ -604,12 +603,12 @@ public function analysis($block, $node, $argName, $fileSummary){
 	 * @param string 漏洞的类型
 	 */
 	public function report($node_path, $var_path, $node, $var, $type){
-// 		echo "<pre>" ;
-// 		echo "有漏洞=====>". $type ."<br/>" ;
-// 		echo "漏洞变量：<br/>" ;
-// 		print_r($var) ;
-// 		echo "漏洞节点：<br/>" ;
-// 		print_r($node) ;
+		echo "<pre>" ;
+		echo "有漏洞=====>". $type ."<br/>" ;
+		echo "漏洞变量：<br/>" ;
+		print_r($var) ;
+		echo "漏洞节点：<br/>" ;
+		print_r($node) ;
 
 		//获取结果集上下文
 		$resultContext = ResultContext::getInstance() ;

context/ClassFinder.php

@@ -183,7 +183,7 @@ public function getRequireFileFuncs($path,$require_array){
 	 * @param 函数的信息 $mehod
 	 * @return 函数体
 	 */
-	public function getFunction($path,$method){
+	public function getFunction($path, $method){
 	    //设置code
 	    if (!$path)
 	        return null;

data/resultConetxtSerialData/D__MySoftware_wamp_www_code_phpvulhunter_test_test.php

@@ -84,8 +84,6 @@ function convertResults($resContext){
 	exit() ;
 }
 
-//项目开始时间
-$t_start = time();
 
 //1、从web ui中获取并加载项目工程
 $project_path = $_POST['path'] ;  //扫描的工程路径
@@ -119,22 +117,8 @@ function convertResults($resContext){
     	load_file($project_path) ;
     }elseif (is_dir($project_path)){
     	$path_list = $mainlFiles;
-        //$path_list = array('C:/users/xyw55/Desktop/test/simple-log_v1.3.1/upload/admin/admin.php');
-        //$path_list = array('C:/users/xyw55/Desktop/test/74cms_3.3/plus/ajax_street.php');
-//     $path_list = array('C:/Users/xyw55/Desktop/test/dvwa/external/phpids/0.6/tests/allTests.php',
-//     'C:/Users/xyw55/Desktop/test/dvwa/external/phpids/0.6/tests/IDS/CachingTest.php',
-//     'C:/Users/xyw55/Desktop/test/dvwa/external/phpids/0.6/tests/IDS/EventTest.php',
-//     'C:/Users/xyw55/Desktop/test/dvwa/external/phpids/0.6/tests/IDS/ExceptionTest.php',
-//     'C:/Users/xyw55/Desktop/test/dvwa/external/phpids/0.6/tests/IDS/FilterTest.php',
-//     'C:/Users/xyw55/Desktop/test/dvwa/external/phpids/0.6/tests/IDS/InitTest.php',
-//     'C:/Users/xyw55/Desktop/test/dvwa/external/phpids/0.6/tests/IDS/MonitorTest.php',
-//     'C:/Users/xyw55/Desktop/test/dvwa/external/phpids/0.6/tests/IDS/ReportTest.php');
-        $path_list = array(
-            'C:/Users/xyw55/Desktop/test/dvwa/vulnerabilities/upload/source/low.php'
-        );
     	foreach ($path_list as $path){
     		try{
-    		    print_r($path.'<br/>');
     			load_file($path) ;
     		}catch(Exception $e){
     			continue ;
@@ -151,10 +135,6 @@ function convertResults($resContext){
     file_put_contents($serialPath, serialize($results)) ;
 }
 
-//项目结束时间
-$t_end = time();
-$t = $t_end - $t_start;
-print_r($t);
 
 
 //5、处理results 传给template

main.php

@@ -1,12 +1,5 @@
 <?php 
 $id = $_GET['id'] ;
-if($id){
-    echo $id ;
-}else{
-    echo false;
-}
-
-$sql = "xxx". $id ;
-mysql_query($sql) ;
-
+$id.="xxxx";
+echo $id ;
 ?>

test/test.php

@@ -1,29 +1,29 @@
-<?php /* Smarty version 3.1.23, created on 2015-05-21 13:34:13
+<?php /* Smarty version 3.1.23, created on 2015-05-23 15:14:40
          compiled from "views/template/navigation.html" */ ?>
 <?php
-/*%%SmartyHeaderCode:4125555dc2b56e4564_89075330%%*/
+/*%%SmartyHeaderCode:1621955607d40c52a77_64501409%%*/
 if(!defined('SMARTY_DIR')) exit('no direct access allowed');
 $_valid = $_smarty_tpl->decodeProperties(array (
   'file_dependency' => 
   array (
     'ec4feeb21b21903d6f3d0b9b7aad22aa8062f668' => 
     array (
       0 => 'views/template/navigation.html',
-      1 => 1432208001,
+      1 => 1432386176,
       2 => 'file',
     ),
   ),
-  'nocache_hash' => '4125555dc2b56e4564_89075330',
+  'nocache_hash' => '1621955607d40c52a77_64501409',
   'has_nocache_code' => false,
   'version' => '3.1.23',
-  'unifunc' => 'content_555dc2b56e83e1_70260282',
+  'unifunc' => 'content_55607d411042e5_00553795',
 ),false);
 /*/%%SmartyHeaderCode%%*/
-if ($_valid && !is_callable('content_555dc2b56e83e1_70260282')) {
-function content_555dc2b56e83e1_70260282 ($_smarty_tpl) {
+if ($_valid && !is_callable('content_55607d411042e5_00553795')) {
+function content_55607d411042e5_00553795 ($_smarty_tpl) {
 ?>
 <?php
-$_smarty_tpl->properties['nocache_hash'] = '4125555dc2b56e4564_89075330';
+$_smarty_tpl->properties['nocache_hash'] = '1621955607d40c52a77_64501409';
 ?>
 <div class="menu">
 	<div class="logo">
@@ -60,11 +60,11 @@ function content_555dc2b56e83e1_70260282 ($_smarty_tpl) {
 							'ldap' 			=> '- LDAP Injection',
 							'database' 		=> '- SQL Injection',
 							'xpath' 		=> '- XPath Injection',
+							'unserialize' 	=> '- Unserialize / POP'
 							'other' 		=> '- other',
 							'client' 		=> 'All client-side',
 							'xss' 			=> '- Cross-Site Scripting',
 							'httpheader'	=> '- HTTP Response Splitting',
-							'unserialize' 	=> 'Unserialize / POP'
 							//'crypto'		=> 'Crypto hints'
 						);
 
@@ -86,11 +86,11 @@ function content_555dc2b56e83e1_70260282 ($_smarty_tpl) {
 						<option value="ldap" >- LDAP Injection</option>
 						<option value="sqli" >- SQL Injection</option>
 						<option value="xpath" >- XPath Injection</option>
+						<option value="unserialize">- Unserialize / POP</option>
 <!-- 						<option value="other" >- other</option> -->
 						<option value="client" >All client-side</option>
 						<option value="xss" >- Cross-Site Scripting</option>
 						<option value="httpheader" >- HTTP Response Splitting</option>
-						<option value="unserialize" >Unserialize / POP</option>
 					</select>
 					<a href="javascript:;" class="select-btn"><em>︿</em></a>
 				</div>