规则开发案例讲解
// Command injection: an argument of a request handler (any of the listed
// entry-point labels) reaches a process launch within 30 hops.
// Sinks: Runtime.exec(...), new ProcessBuilder(...), ProcessBuilder.command(...).
MATCH (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)
MATCH (sinkNode)
WHERE sinkNode.AllocationClassName = 'ProcessBuilder'
   OR ('exec' IN sinkNode.selectors AND 'Runtime' IN sinkNode.receiverTypes)
   OR ('command' IN sinkNode.selectors AND 'ProcessBuilder' IN sinkNode.receiverTypes)
// shortestPath keeps the search tractable; the 30-hop bound is the same one
// every data-flow rule on this page uses.
MATCH p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN p AS path
// Open redirect: request-handler data reaches a redirect target.
MATCH (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)
MATCH (sinkNode)
WHERE 'sendRedirect' IN sinkNode.selectors
   // return "redirect:" + url;  -- Spring MVC 302 redirect; the left operand of
   // the concatenation is the literal "redirect:" (the quotes are part of addLeft).
   OR sinkNode.addLeft = "\"redirect:\""
   OR ('setLocation' IN sinkNode.selectors AND 'HttpHeaders' IN sinkNode.receiverTypes)
MATCH p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN p AS path
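// SSRF: request-handler data reaches an outbound URL / HTTP-client / connection sink.
// The sink list is grouped by receiver type so duplicates are visible; the
// original list carried exchange/RestTemplate and loadJSONHTML/DownloadService
// twice, which is harmless for results but hides intent.
MATCH (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)
MATCH (sinkNode)
WHERE 'url' IN sinkNode.selectors
   OR 'URL' IN sinkNode.selectors
   OR 'HttpGet' IN sinkNode.selectors
   OR 'HttpPost' IN sinkNode.selectors
   // Constructors that take the request target directly.
   OR sinkNode.AllocationClassName IN ['URL', 'GetMethod', 'XmlStreamReader', 'HttpGet', 'HttpPost',
                                       'HttpUriRequestBase', 'BasicClassicHttpRequest', 'BasicHttpRequest',
                                       'BasicRequestProducer', 'BasicHttpEntityEnclosingRequest']
   // java.net.URL instance methods and Retrofit.create(...) (single selector/type form).
   OR (sinkNode.type = 'URL' AND sinkNode.selector IN ['getContent', 'openConnection', 'openStream'])
   OR (sinkNode.type = 'Retrofit' AND sinkNode.selector = 'create')
   // JDK: URI / ImageIO / java.net.http
   OR ('create' IN sinkNode.selectors AND 'URI' IN sinkNode.receiverTypes)
   OR ('read' IN sinkNode.selectors AND 'ImageIO' IN sinkNode.receiverTypes)
   OR ('post' IN sinkNode.selectors AND 'HttpRequest' IN sinkNode.receiverTypes)
   OR ('get' IN sinkNode.selectors AND 'HttpRequest' IN sinkNode.receiverTypes)
   OR ('of' IN sinkNode.selectors AND 'HttpRequest' IN sinkNode.receiverTypes)
   OR ('newHttpRequest' IN sinkNode.selectors AND 'HttpRequestFactory' IN sinkNode.receiverTypes)
   // HttpClient executors and request builders
   OR ('execute' IN sinkNode.selectors AND 'CloseableHttpClient' IN sinkNode.receiverTypes)
   OR ('execute' IN sinkNode.selectors AND 'CloseableHttpAsyncClient' IN sinkNode.receiverTypes)
   OR ('execute' IN sinkNode.selectors AND 'HttpClient' IN sinkNode.receiverTypes)
   OR ('executeMethod' IN sinkNode.selectors AND 'HttpClient' IN sinkNode.receiverTypes)
   OR ('newRequest' IN sinkNode.selectors AND 'HttpClient' IN sinkNode.receiverTypes)
   OR ('setQueryString' IN sinkNode.selectors AND 'GetMethod' IN sinkNode.receiverTypes)
   OR ('Get' IN sinkNode.selectors AND 'Request' IN sinkNode.receiverTypes)
   OR ('Post' IN sinkNode.selectors AND 'Request' IN sinkNode.receiverTypes)
   OR ('create' IN sinkNode.selectors AND 'Request' IN sinkNode.receiverTypes)
   OR ('create' IN sinkNode.selectors AND 'BasicHttpRequests' IN sinkNode.receiverTypes)
   OR ('get' IN sinkNode.selectors AND 'BasicHttpRequests' IN sinkNode.receiverTypes)
   OR ('post' IN sinkNode.selectors AND 'BasicHttpRequests' IN sinkNode.receiverTypes)
   OR ('create' IN sinkNode.selectors AND 'SimpleHttpRequest' IN sinkNode.receiverTypes)
   OR ('get' IN sinkNode.selectors AND 'SimpleHttpRequest' IN sinkNode.receiverTypes)
   OR ('post' IN sinkNode.selectors AND 'SimpleHttpRequest' IN sinkNode.receiverTypes)
   OR ('create' IN sinkNode.selectors AND 'ClassicHttpRequests' IN sinkNode.receiverTypes)
   OR ('get' IN sinkNode.selectors AND 'ClassicHttpRequests' IN sinkNode.receiverTypes)
   OR ('post' IN sinkNode.selectors AND 'ClassicHttpRequests' IN sinkNode.receiverTypes)
   OR ('get' IN sinkNode.selectors AND 'ClassicRequestBuilder' IN sinkNode.receiverTypes)
   OR ('post' IN sinkNode.selectors AND 'ClassicRequestBuilder' IN sinkNode.receiverTypes)
   OR ('connect' IN sinkNode.selectors AND 'HttpAsyncRequester' IN sinkNode.receiverTypes)
   OR ('get' IN sinkNode.selectors AND 'AsyncRequestBuilder' IN sinkNode.receiverTypes)
   OR ('post' IN sinkNode.selectors AND 'AsyncRequestBuilder' IN sinkNode.receiverTypes)
   OR ('setUri' IN sinkNode.selectors AND 'AbstractRequestBuilder' IN sinkNode.receiverTypes)
   OR ('get' IN sinkNode.selectors AND 'BasicRequestBuilder' IN sinkNode.receiverTypes)
   OR ('post' IN sinkNode.selectors AND 'BasicRequestBuilder' IN sinkNode.receiverTypes)
   OR ('setURI' IN sinkNode.selectors AND 'HttpRequestBase' IN sinkNode.receiverTypes)
   OR ('setURI' IN sinkNode.selectors AND 'HttpRequestWrapper' IN sinkNode.receiverTypes)
   OR ('setURI' IN sinkNode.selectors AND 'RequestWrapper' IN sinkNode.receiverTypes)
   OR ('get' IN sinkNode.selectors AND 'RequestBuilder' IN sinkNode.receiverTypes)
   OR ('post' IN sinkNode.selectors AND 'RequestBuilder' IN sinkNode.receiverTypes)
   // HttpUtil helpers
   OR ('createPost' IN sinkNode.selectors AND 'HttpUtil' IN sinkNode.receiverTypes)
   OR ('createRequest' IN sinkNode.selectors AND 'HttpUtil' IN sinkNode.receiverTypes)
   OR ('createGet' IN sinkNode.selectors AND 'HttpUtil' IN sinkNode.receiverTypes)
   OR ('get' IN sinkNode.selectors AND 'HttpUtil' IN sinkNode.receiverTypes)
   OR ('post' IN sinkNode.selectors AND 'HttpUtil' IN sinkNode.receiverTypes)
   OR ('downloadString' IN sinkNode.selectors AND 'HttpUtil' IN sinkNode.receiverTypes)
   OR ('downloadFile' IN sinkNode.selectors AND 'HttpUtil' IN sinkNode.receiverTypes)
   OR ('downloadFileFromUrl' IN sinkNode.selectors AND 'HttpUtil' IN sinkNode.receiverTypes)
   OR ('download' IN sinkNode.selectors AND 'HttpUtil' IN sinkNode.receiverTypes)
   OR ('downloadBytes' IN sinkNode.selectors AND 'HttpUtil' IN sinkNode.receiverTypes)
   // RestTemplate / WebClient
   OR ('exchange' IN sinkNode.selectors AND 'RestTemplate' IN sinkNode.receiverTypes)
   OR ('doExecute' IN sinkNode.selectors AND 'RestTemplate' IN sinkNode.receiverTypes)
   OR ('getForEntity' IN sinkNode.selectors AND 'RestTemplate' IN sinkNode.receiverTypes)
   OR ('getForObject' IN sinkNode.selectors AND 'RestTemplate' IN sinkNode.receiverTypes)
   OR ('postForEntity' IN sinkNode.selectors AND 'RestTemplate' IN sinkNode.receiverTypes)
   OR ('postForLocation' IN sinkNode.selectors AND 'RestTemplate' IN sinkNode.receiverTypes)
   OR ('postForObject' IN sinkNode.selectors AND 'RestTemplate' IN sinkNode.receiverTypes)
   OR ('create' IN sinkNode.selectors AND 'WebClient' IN sinkNode.receiverTypes)
   // OkHttp / Jsoup / WS clients
   OR ('newCall' IN sinkNode.selectors AND 'OkHttpClient' IN sinkNode.receiverTypes)
   OR ('newWebSocket' IN sinkNode.selectors AND 'OkHttpClient' IN sinkNode.receiverTypes)
   OR ('url' IN sinkNode.selectors AND 'Builder' IN sinkNode.receiverTypes)
   OR ('connect' IN sinkNode.selectors AND 'Jsoup' IN sinkNode.receiverTypes)
   OR ('url' IN sinkNode.selectors AND 'WSClient' IN sinkNode.receiverTypes)
   OR ('url' IN sinkNode.selectors AND 'StandaloneWSClient' IN sinkNode.receiverTypes)
   // IOUtils / FileUtils / PathUtils copies fed from a URL or stream
   OR ('copyFile' IN sinkNode.selectors AND 'PathUtils' IN sinkNode.receiverTypes)
   OR ('copyFileToDirectory' IN sinkNode.selectors AND 'PathUtils' IN sinkNode.receiverTypes)
   OR ('copyURLToFile' IN sinkNode.selectors AND 'FileUtils' IN sinkNode.receiverTypes)
   OR ('copy' IN sinkNode.selectors AND 'IOUtils' IN sinkNode.receiverTypes)
   OR ('toByteArray' IN sinkNode.selectors AND 'IOUtils' IN sinkNode.receiverTypes)
   OR ('toString' IN sinkNode.selectors AND 'IOUtils' IN sinkNode.receiverTypes)
   // Less common helpers carried over from the original list
   OR ('ofUrl' IN sinkNode.selectors AND 'Pictures' IN sinkNode.receiverTypes)
   OR ('loadJSONHTML' IN sinkNode.selectors AND 'DownloadService' IN sinkNode.receiverTypes)
   OR ('loadJSON' IN sinkNode.selectors AND 'DownloadService' IN sinkNode.receiverTypes)
   OR ('download' IN sinkNode.selectors AND 'UpdateCenterConfiguration' IN sinkNode.receiverTypes)
   // Connection strings / pool config built from request data (JDBC URL reaches a driver)
   OR ('HikariConfig' IN sinkNode.selectors AND 'HikariConfig' IN sinkNode.receiverTypes)
   OR ('open' IN sinkNode.selectors AND 'Jdbi' IN sinkNode.receiverTypes)
   OR ('getConnection' IN sinkNode.selectors AND 'DriverManager' IN sinkNode.receiverTypes)
MATCH p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN p AS path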
// XXE: request-handler data reaches an XML parser / transformer / unmarshaller.
MATCH (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)
MATCH (sinkNode)
WHERE sinkNode.AllocationClassName = 'XSSFWorkbook'
   // selector-only sinks
   OR 'setByteStream' IN sinkNode.selectors
   OR 'createXMLStreamReader' IN sinkNode.selectors
   // matched on the receiver expression text, not its type
   OR ('open' IN sinkNode.selectors AND 'StreamingReader.builder()' IN sinkNode.receivers)
   // SAX / DOM / JDOM / dom4j parsers
   OR ('read' IN sinkNode.selectors AND 'SAXReader' IN sinkNode.receiverTypes)
   OR ('parse' IN sinkNode.selectors AND 'XMLReader' IN sinkNode.receiverTypes)
   OR ('build' IN sinkNode.selectors AND 'SAXBuilder' IN sinkNode.receiverTypes)
   OR ('parse' IN sinkNode.selectors AND 'SAXParser' IN sinkNode.receiverTypes)
   OR ('parse' IN sinkNode.selectors AND 'DocumentBuilder' IN sinkNode.receiverTypes)
   OR ('parse' IN sinkNode.selectors AND 'Digester' IN sinkNode.receiverTypes)
   OR ('parseText' IN sinkNode.selectors AND 'DocumentHelper' IN sinkNode.receiverTypes)
   OR ('read' IN sinkNode.selectors AND 'NodeBuilder' IN sinkNode.receiverTypes)
   OR ('read' IN sinkNode.selectors AND 'Persister' IN sinkNode.receiverTypes)
   OR ('validate' IN sinkNode.selectors AND 'Persister' IN sinkNode.receiverTypes)
   OR ('provide' IN sinkNode.selectors AND 'DocumentProvider' IN sinkNode.receiverTypes)
   OR ('provide' IN sinkNode.selectors AND 'StreamProvider' IN sinkNode.receiverTypes)
   // XSLT / schema / XPath
   OR ('transform' IN sinkNode.selectors AND 'Transformer' IN sinkNode.receiverTypes)
   OR ('newTransformer' IN sinkNode.selectors AND 'TransformerFactory' IN sinkNode.receiverTypes)
   OR ('newTransformer' IN sinkNode.selectors AND 'SAXTransformerFactory' IN sinkNode.receiverTypes)
   OR ('newXMLFilter' IN sinkNode.selectors AND 'SAXTransformerFactory' IN sinkNode.receiverTypes)
   OR ('format' IN sinkNode.selectors AND 'Formatter' IN sinkNode.receiverTypes)
   OR ('newSchema' IN sinkNode.selectors AND 'SchemaFactory' IN sinkNode.receiverTypes)
   OR ('evaluate' IN sinkNode.selectors AND 'XPathExpression' IN sinkNode.receiverTypes)
   // JAXB
   OR ('unmarshal' IN sinkNode.selectors AND 'Unmarshaller' IN sinkNode.receiverTypes)
MATCH p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN p AS path
// Unsafe JSON parsing: request-handler data reaches JSON.parseObject(...).
// Note the receiver is matched by expression text ('JSON' IN receivers), not by type.
MATCH (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)
MATCH (sinkNode)
WHERE 'parseObject' IN sinkNode.selectors
  AND 'JSON' IN sinkNode.receivers
MATCH p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN p AS path
// Weak hash: request data is hashed with MD5 or SHA-1.
// Step 1 - collect every MessageDigest that is reached from an "MD5" / "SHA-1"
// string literal, e.g.  MessageDigest md = MessageDigest.getInstance("MD5");
// and pass them to the second half of the query as `mds`.
MATCH (md5Node:StringLiteral)
WHERE md5Node.name IN ['MD5', 'SHA-1']
MATCH (md)
WHERE md.type = 'MessageDigest'
// Plain (not shortest) variable-length match: every route of up to 30 hops is
// enumerated, so this step can be slow on large graphs.
MATCH (md5Node)-[*..30]->(md)
WITH collect(md) AS mds
// Step 2 - request data flows into one of those digests, e.g. md.update(msg.getBytes());
// the sink is the MessageDigest call and it has to be one of the nodes in `mds`.
MATCH (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)
MATCH (sinkNode)
WHERE sinkNode.type = 'MessageDigest'
  AND sinkNode.selector IN ['update', 'digest']
  AND sinkNode IN mds
MATCH p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN p AS path
// Insecure deserialization: request-handler data reaches ObjectInputStream.readObject().
MATCH (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)
MATCH (sinkNode)
WHERE sinkNode.type = 'ObjectInputStream'
  AND sinkNode.selector = 'readObject'
MATCH p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN p AS path
// SQL injection: request-handler data reaches a JDBC statement.
// prepareStatement / prepareCall are listed as well, presumably to catch SQL text
// that is concatenated before being prepared; expect some noise from fully
// parameterised statements.
MATCH (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)
MATCH (sinkNode)
WHERE ('Connection' IN sinkNode.receiverTypes
       AND ('prepareStatement' IN sinkNode.selectors OR 'prepareCall' IN sinkNode.selectors))
   OR ('Statement' IN sinkNode.receiverTypes
       AND ('execute' IN sinkNode.selectors
            OR 'executeUpdate' IN sinkNode.selectors
            OR 'executeQuery' IN sinkNode.selectors))
MATCH p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN p AS path
// SpEL injection: request-handler data reaches ExpressionParser.parseExpression(...).
MATCH (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)
MATCH (sinkNode)
WHERE 'parseExpression' IN sinkNode.selectors
  AND ('SpelExpressionParser' IN sinkNode.receiverTypes
       OR 'ExpressionParser' IN sinkNode.receiverTypes
       OR 'TemplateAwareExpressionParser' IN sinkNode.receiverTypes)
MATCH p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN p AS path
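// Spring Boot Actuator over-exposure: a yml/properties key that exposes
// sensitive endpoints over the web. The key name is matched exactly (case-sensitive).
// 'metrics' appeared twice in the original list; listed once here.
MATCH (sinkNode:YmlKeyValue|PropertiesKeyValue)
WHERE sinkNode.name = 'management.endpoints.web.exposure.include'
  AND (
       sinkNode.value = '*'
    OR sinkNode.value CONTAINS 'heapdump'
    OR sinkNode.value CONTAINS 'beans'
    OR sinkNode.value CONTAINS 'caches'
    OR sinkNode.value CONTAINS 'configprops'
    OR sinkNode.value CONTAINS 'env'
    OR sinkNode.value CONTAINS 'loggers'
    OR sinkNode.value CONTAINS 'restart'
    OR sinkNode.value CONTAINS 'threaddump'
    OR sinkNode.value CONTAINS 'metrics'
    OR sinkNode.value CONTAINS 'scheduledtasks'
    OR sinkNode.value CONTAINS 'mappings'
    OR sinkNode.value CONTAINS 'prometheus'
    OR sinkNode.value CONTAINS 'logfile'
    OR sinkNode.value CONTAINS 'liquibase'
    OR sinkNode.value CONTAINS 'flyway'
    OR sinkNode.value CONTAINS 'sessions'
    OR sinkNode.value CONTAINS 'shutdown'
    OR sinkNode.value CONTAINS 'httptrace'
    OR sinkNode.value CONTAINS 'integrationgraph'
    OR sinkNode.value CONTAINS 'quartz'
    OR sinkNode.value CONTAINS 'jolokia'
    OR sinkNode.value CONTAINS 'auditevents'
  )
RETURN sinkNode AS path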
// Druid stat view servlet enabled in configuration (exposes a monitoring console).
MATCH (sinkNode:YmlKeyValue|PropertiesKeyValue)
WHERE sinkNode.value = 'true'
  AND sinkNode.name = 'spring.datasource.druid.stat-view-servlet.enabled'
RETURN sinkNode AS path
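// Hard-coded credentials in yml/properties: a key whose name ends with a
// secret-like suffix and whose value is not a ${...} placeholder.
// The name is lower-cased before the suffix test, so every suffix must be
// lower case: the original 'sessionKey' entry could never match.
// Only the '${' placeholder syntax is excluded; other templating syntaxes are still reported.
MATCH (sinkNode:YmlKeyValue|PropertiesKeyValue)
WHERE NOT LOWER(sinkNode.value) STARTS WITH '${'
  AND (
       LOWER(sinkNode.name) ENDS WITH 'password'
    OR LOWER(sinkNode.name) ENDS WITH 'pass'
    OR LOWER(sinkNode.name) ENDS WITH 'passwd'
    OR LOWER(sinkNode.name) ENDS WITH 'secretkey'
    OR LOWER(sinkNode.name) ENDS WITH 'apikey'
    OR LOWER(sinkNode.name) ENDS WITH 'apitoken'
    OR LOWER(sinkNode.name) ENDS WITH 'accesstoken'
    OR LOWER(sinkNode.name) ENDS WITH 'sessionkey'
    OR LOWER(sinkNode.name) ENDS WITH 'encryptionkey'
    OR LOWER(sinkNode.name) ENDS WITH 'decryptionkey'
    OR LOWER(sinkNode.name) ENDS WITH 'bearertoken'
    OR LOWER(sinkNode.name) ENDS WITH 'sshkey'
    OR LOWER(sinkNode.name) ENDS WITH 'jwtsecret'
    OR LOWER(sinkNode.name) ENDS WITH 'presharedkey'
    OR LOWER(sinkNode.name) ENDS WITH 'privatekey'
    // 'secret' also covers 'jwtsecret' above; kept for readability.
    OR LOWER(sinkNode.name) ENDS WITH 'secret'
  )
RETURN sinkNode AS path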
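// Sensitive cookie without HttpOnly.
// Step 1 - collect the string literals that reach a setHttpOnly call; those
// cookies are excluded below. This is a plain (not shortest) variable-length
// match, so every route of up to 30 hops is enumerated.
MATCH (filterNode:StringLiteral)
MATCH (x)
WHERE x.selector = 'setHttpOnly'
MATCH (filterNode)-[*..30]->(x)
WITH collect(DISTINCT filterNode) AS filterNodes
// Step 2 - cookies built from a sensitive-looking name literal, minus the
// HttpOnly ones. Do not use CONTAINS in rule queries: it performs very badly
// once the graph has many nodes.
// StringLiteral names are compared without quotes elsewhere on this page
// (md5Node.name = 'MD5'), so the original '"ticket"' suffix (quotes included)
// could not match; it is 'ticket' here, consistent with the other suffixes.
MATCH (sourceNode:StringLiteral)
WHERE sourceNode.AllocationClassName = 'Cookie'
  AND NOT sourceNode IN filterNodes
  AND (
       lower(sourceNode.name) ENDS WITH 'ticket'
    OR lower(sourceNode.name) ENDS WITH 'token'
    OR lower(sourceNode.name) ENDS WITH 'jwt'
    OR lower(sourceNode.name) ENDS WITH 'session'
    OR lower(sourceNode.name) ENDS WITH 'sessionid'
    OR lower(sourceNode.name) ENDS WITH 'password'
    OR lower(sourceNode.name) ENDS WITH 'passwd'
    OR lower(sourceNode.name) ENDS WITH 'pass'
  )
MATCH (sinkNode)
WHERE 'addCookie' IN sinkNode.selectors
   OR 'setCookie' IN sinkNode.selectors
MATCH p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN p AS path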
// Hard-coded secret in Java source, e.g.  String password = "xxxxxx";
// Source: any string literal that is not itself a call argument; sink: a node
// whose name ends with a secret-like suffix. Each literal is reported once.
MATCH (sourceNode:StringLiteral)
WHERE NOT sourceNode:CallArg
MATCH (sinkNode)
WHERE LOWER(sinkNode.name) ENDS WITH 'password'
   OR LOWER(sinkNode.name) ENDS WITH 'passwd'
   OR LOWER(sinkNode.name) ENDS WITH 'pass'
   OR LOWER(sinkNode.name) ENDS WITH 'secretkey'
   OR LOWER(sinkNode.name) ENDS WITH 'accesskey'
   OR LOWER(sinkNode.name) ENDS WITH 'privatekey'
MATCH p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN DISTINCT sourceNode AS path
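// Exposed API documentation: Swagger / OpenAPI enabled in the scanned code.
// LIMIT 1: one finding per project is enough.
// The bare 'EnableSwagger2' test subsumes the original
// EnableSwagger2 + Bean + noArg clause, so that clause is not repeated.
MATCH (sinkNode:Argument)
WHERE ('EnableOpenApi' IN sinkNode.classAnnotations
       AND 'Bean' IN sinkNode.methodAnnotations
       AND sinkNode.name = 'noArg')
   OR 'EnableSwagger2' IN sinkNode.classAnnotations
   OR 'EnableDubboSwagger' IN sinkNode.classAnnotations
RETURN sinkNode AS path LIMIT 1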
// Reflected XSS in JSP: a JSP service argument is written to the response.
// Two of the sinks match the receiver expression text ('response.getWriter()')
// rather than its type.
MATCH (sourceNode:JspServiceArg)
MATCH (sinkNode)
WHERE ('PrintWriter' IN sinkNode.receiverTypes
       AND ('format' IN sinkNode.selectors
            OR 'write' IN sinkNode.selectors
            OR 'append' IN sinkNode.selectors
            OR 'println' IN sinkNode.selectors))
   OR ('response.getWriter()' IN sinkNode.receivers
       AND ('format' IN sinkNode.selectors OR 'printf' IN sinkNode.selectors))
   OR ('ServletOutputStream' IN sinkNode.receiverTypes
       AND ('print' IN sinkNode.selectors
            OR 'println' IN sinkNode.selectors
            OR 'write' IN sinkNode.selectors))
// Same bounded shortest path as the other rules (arrow written without the stray spaces).
MATCH p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN p AS path
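// Vulnerable log4j-core dependency.
// The version in a pom may live in <properties> and be referenced from
// <dependency> as ${xxx.version}; then sinkNode.version holds the placeholder
// and realVersion holds the resolved version, so realVersion is what is tested.
MATCH (sinkNode:PomDependency)
WHERE sinkNode.groupId = 'org.apache.logging.log4j'
  AND sinkNode.artifactId = 'log4j-core'
  // Intended range: 2.1 .. 2.17 with any patch level / qualifier.
  // The minor version is followed by '.', '-' or end-of-string; the original
  // '2\\.(1|2|...|17).*' had no such boundary, so '1' + '.*' also matched
  // 2.18, 2.19 and every later 2.x through its leading digit.
  AND sinkNode.realVersion =~ '2\\.(1[0-7]|[1-9])([.-].*)?'
RETURN sinkNode AS path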
// snakeyaml 1.x dependency.
// The version in a pom may live in <properties> and be referenced from
// <dependency> as ${xxx.version}; then sinkNode.version holds the placeholder
// and realVersion holds the resolved version, so realVersion is what is tested.
MATCH (sinkNode:PomDependency)
WHERE sinkNode.artifactId = 'snakeyaml'
  AND sinkNode.groupId = 'org.yaml'
  AND sinkNode.realVersion STARTS WITH '1.'
RETURN sinkNode AS path
// Command injection from a raw socket: data read via Socket.getInputStream()
// reaches a process launch (same sink set as the HTTP-entry-point rule).
MATCH (sourceNode)
WHERE sourceNode.type = 'Socket'
  AND sourceNode.selector = 'getInputStream'
MATCH (sinkNode)
WHERE sinkNode.AllocationClassName = 'ProcessBuilder'
   OR ('exec' IN sinkNode.selectors AND 'Runtime' IN sinkNode.receiverTypes)
   OR ('command' IN sinkNode.selectors AND 'ProcessBuilder' IN sinkNode.receiverTypes)
MATCH p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN p AS path
// Command injection from a WebSocket handler: an argument of onMessage /
// handleTextMessage reaches a process launch.
MATCH (sourceNode:Argument)
WHERE sourceNode.method IN ['onMessage', 'handleTextMessage']
MATCH (sinkNode)
WHERE sinkNode.AllocationClassName = 'ProcessBuilder'
   OR ('exec' IN sinkNode.selectors AND 'Runtime' IN sinkNode.receiverTypes)
   OR ('command' IN sinkNode.selectors AND 'ProcessBuilder' IN sinkNode.receiverTypes)
MATCH p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN p AS path
// Server-side template injection (Velocity): request-handler data reaches a
// template evaluate / merge / parse call. Receivers are matched by expression
// text (sinkNode.receivers), i.e. static calls on Velocity / VelocityEngine /
// RuntimeServices / RuntimeSingleton.
MATCH (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)
MATCH (sinkNode)
WHERE ('Velocity' IN sinkNode.receivers
       AND ('evaluate' IN sinkNode.selectors OR 'mergeTemplate' IN sinkNode.selectors))
   OR ('VelocityEngine' IN sinkNode.receivers
       AND ('evaluate' IN sinkNode.selectors OR 'mergeTemplate' IN sinkNode.selectors))
   OR ('RuntimeServices' IN sinkNode.receivers
       AND ('evaluate' IN sinkNode.selectors OR 'parse' IN sinkNode.selectors))
   OR ('RuntimeSingleton' IN sinkNode.receivers AND 'parse' IN sinkNode.selectors)
MATCH p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN p AS path
铲子SAST,专注于发现Java代码安全漏洞