-
Notifications
You must be signed in to change notification settings - Fork 117
/
Copy pathjavaid.py
166 lines (148 loc) · 4.71 KB
/
javaid.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# java source danger function identify prog
# Auth by Cryin'
import re
import os
import optparse
import sys
from lxml.html import etree
'''
XXE:
"SAXReader",
"DocumentBuilder",
"XMLStreamReader",
"SAXBuilder",
"SAXParser",
"XMLReader",
"SAXSource",
"TransformerFactory",
"SAXTransformerFactory",
"SchemaFactory",
"Unmarshaller",
"XPathExpression"
JavaObjectDeserialization:
"readObject",
"readUnshared",
"Yaml.load",
"fromXML",
"ObjectMapper.readValue",
"JSON.parseObject"
SSRF:
"HttpClient",
"URL",
"HttpURLConnection"
FILE:
"MultipartFile",
"createNewFile",
"FileInputStream"
Autobinding:
"@SessionAttributes",
"@ModelAttribute"
URL-Redirect:
"sendRedirect",
"forward",
"setHeader"
EXEC:
"getRuntime.exec",
"ProcessBuilder.start",
"GroovyShell.evaluate"
'''
class javaid(object):
def __init__(self,dir):
self._function = ''
self._fpanttern = ''
self._line = 0
self._dir = dir
self._filename = ''
self._vultype = ''
def _run(self):
try:
self.banner()
self.handlePath(self._dir)
print "[-]【JavaID】identify danger function Finished!"
except:
raise
def report_id(self,vul):
print "[+]【"+vul+"】identify danger function ["+self._function+"] in file ["+self._filename+"]"
def report_line(self):
print " --> [+] on line : "+ str(self._line)
def handlePath(self, path):
dirs = os.listdir(path)
for d in dirs:
subpath = os.path.join(path, d)
if os.path.isfile(subpath):
if os.path.splitext(subpath)[1] == '.java' or os.path.splitext(subpath)[1] == '.xml':
self._filename =subpath
self.handleFile(subpath)
else:
self.handlePath(subpath)
def handleFile(self, fileName):
#print 'begin read file:' + fileName
f = open(fileName, 'r')
self._line = 0
content = f.read()
content=self.remove_comment(content)
self.check_regexp(content)
f.close()
#print 'read over file:' + fileName
#print '------------------------'
def function_search_line(self):
fl = open(self._filename, 'r')
self._line =0
importregexp="import\s[^;]*;"
#print "function_search_line"+self._filename
while True:
line = fl.readline()
if not line:
#print "flclose"+str(self._line)
break
self._line += 1
#print line
exp_pattern = re.compile(importregexp)
if exp_pattern.search(line):
continue
if self._function in line:
#print 'find danger function on line :' + str(line)
self.report_line()
continue
fl.close()
def regexp_search(self,rule_dom,content):
regmatch_dom = rule_dom[0].xpath("regmatch")
regexp_doms = regmatch_dom[0].xpath("regexp") if regmatch_dom != None else []
for regexp_dom in regexp_doms:
exp_pattern = re.compile(regexp_dom.text)
if exp_pattern.search(content):
#print "identify sfunction is : "+self._function
self.report_id(self._vultype)
self.function_search_line()
return True
def check_regexp(self, content):
if not content:
return
self._xmlstr_dom = etree.parse('regexp.xml')
javaid_doms = self._xmlstr_dom.xpath("javaid")
for javaid_dom in javaid_doms:
self._vultype =javaid_dom.get("vultype")
#print "vul_type "+self._vultype
function_doms = javaid_dom.xpath("function")
for function_dom in function_doms:
rule_dom = function_dom.xpath("rule")
self._function =rule_dom[0].get("name")
self.regexp_search(rule_dom,content)
#print "check_regexp search ..."
return True
def remove_comment(self,content):
return content
def banner(self):
print "[-]【JavaID】 Danger function identify tool"
if __name__ == '__main__':
parser = optparse.OptionParser('usage: python %prog [options](eg: python %prog -d /user/java/demo)')
parser.add_option('-d', '--dir', dest = 'dir', type = 'string', help = 'source code file dir')
(options, args) = parser.parse_args()
if options.dir == None or options.dir == "":
parser.print_help()
sys.exit()
dir =options.dir
javaidentify = javaid(dir)
javaidentify._run()