Giter Site home page Giter Site logo

chip's Introduction

Chip - 发现所有PHP动态特性安全隐患

工具介绍

用一些简单的问题来介绍Chip工具。

这个工具是做什么的?

PHP源代码静态分析,发掘所有可能由于动态特性导致的安全隐患。

什么是“动态特性”?

一段代码,其使用变量作为参数,且改变变量的值将可能导致这段代码发生功能上的变化,我将这种现象成为“PHP的动态特性”。

例如:

<?php
eval('echo ' . $_POST['name']);

例如:

<?php
array_map($function_name, $_POST);

例如:

<?php
$f($arg);

Chip是不是一个webshell检测工具?

不是。Chip只对扫描的代码提出安全建议,并不会判断这段代码是否是webshell。

Chip是不是一个自动化代码审计工具?

不是。Chip只对扫描的代码提出安全建议,不会分析上下文是否有用户输入,安全隐患点是否可控等。

Chip适合在哪些场景下使用?

  • 在开发中,在持续集成阶段对开发者提交的代码进行安全性检查,并给出修改意见
  • 在代码审计中,发现可能存在的代码活命令执行漏洞
  • Wargame比赛中对流量、新的Web文件进行扫描

Chip不适合扫描哪些代码

  • Web框架的库文件(不要扫描/vendor/中的文件),原因是有的库使用了很多黑魔法,可能涉及到大量动态特性
  • 业务中的确使用了很多动态特性的代码

安装与使用

命令行下使用

直接下载PHAR包,使用命令行调用:

php chip.phar check tests/cases/

生成html报告:

php chip.phar check tests/cases/ -r html -o report.html

使用API调用

使用composer安装:

composer require phith0n/chip "dev-master"

使用:

<?php
require 'vendor/autoload.php';

use Chip\Exception\FormatException;
use Chip\ChipFactory;

try {
    $chipManager = (new ChipFactory)->create();
    $alarm = $chipManager->detect('<?php usort($a, $b);');

    print_r($alarm);
} catch (FormatException $e) {
    echo $e->getMessage();
}

应该参考的项目

chip's People

Contributors

phith0n avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar

Forkers

imulmul rhakb sk3lk0 wucaishi sry309 raystyle linchong-cmd c0d1007 chennqqi om3go 5l1v3r1 betsy0 justmd5 pr1s0n aleffine m3wsec su-led medasz missxq131

chip's Issues

无法生成html报告

php chip.phar check xxx
这条语句是可以的,并且会显示很多报告

php chip.phar check xxx -r html -o report.html
这样执行之后就什么都没有显示,也没有报告

CentOS Linux release 7.7.1908 (Core)
非root用户下,目录也是和用户权限对应的,有写入权限

Uncaught TypeError: strtolower() expects parameter 1 to be string, null given

Payload:

<?php
$cmd=$_GET['cmd'];
system($cmd);
?>

异常:

PHP Fatal error:  Uncaught TypeError: strtolower() expects parameter 1 to be string, null given in D:\pro\chip\vendor\nikic\php-parser\lib\PhpParser\Node\Name.php:116
Stack trace:
#0 D:\pro\chip\vendor\nikic\php-parser\lib\PhpParser\Node\Name.php(116): strtolower(NULL)
#1 D:\pro\chip\src\Chip\Code.php(89): PhpParser\Node\Name->toLowerString()
#2 D:\pro\chip\src\Chip\Visitor\MbPregExec.php(31): Chip\Code::getFunctionName(Object(PhpParser\Node\Expr\FuncCall))
#3 D:\pro\chip\src\Chip\BaseVisitor.php(43): Chip\Visitor\MbPregExec->checkNode(Object(PhpParser\Node\Expr\FuncCall))
#4 D:\pro\chip\vendor\nikic\php-parser\lib\PhpParser\NodeTraverser.php(123): Chip\BaseVisitor->enterNode(Object(PhpParser\Node\Expr\FuncCall))
#5 D:\pro\chip\vendor\nikic\php-parser\lib\PhpParser\NodeTraverser.php(223): PhpParser\NodeTraverser->traverseNode(Object(PhpParser\Node\Stmt\Expression))
#6 D:\pro\chip\vendor\nikic\php-parser\lib\PhpParser\NodeTraverser.php(91): PhpParser\NodeTraverser->traverseArray(Array)
#7 D:\pro\chip\src\Chip\Chip.php(88): PhpP in D:\pro\chip\vendor\nikic\php-parser\lib\PhpParser\Node\Name.php on line 116

异常触发点在:

    public function toLowerString() : string {
        return strtolower(implode('\\', $this->parts));
    }

原本$this->parts应该是一个数组,但这里却是一个字符串,导致implode出错。

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.