I'm a cybersecurity researcher and programmer; I work and live in Hangzhou, China.
Hello, I'm Zhijie (Feei). I work and live in Hangzhou, and I'm a security engineer as well as a programmer.
Because work is too busy, I have had no time to maintain my earlier projects; this account is now used only to follow the latest open-source security projects.
Source Code Security Audit (源代码安全审计)
Home Page: http://cobra.feei.cn
License: MIT License
Ex:
.exe
.php_copy
.php_bak
etc
Shows "unknown error".
Test XSS/SQL Injection/SSRF...
For a specific framework, parse its routing configuration to find the URL that reaches each vulnerable location.
Later, a directly usable PoC could even be built from the vulnerability type.
For example, for the Kohana framework, parse the route/config.php file in each controller layer to derive the access path of the file containing the vulnerability; if no route configuration is found for that file, generate the access path using the default routing.
Other frameworks work similarly, e.g. Laravel, ThinkPHP, Spring, Struts2.
./config file configure failed.
Error: No option 'upload_directory' in section: 'cobra'
Exception happened during processing of request from ('192.168.1.100', 28605)
Traceback (most recent call last):
File "/usr/lib64/python2.7/SocketServer.py", line 295, in _handle_request_noblock
self.process_request(request, client_address)
File "/usr/lib64/python2.7/SocketServer.py", line 321, in process_request
self.finish_request(request, client_address)
File "/usr/lib64/python2.7/SocketServer.py", line 334, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/usr/lib64/python2.7/SocketServer.py", line 649, in __init__
self.handle()
File "/usr/lib/python2.7/site-packages/werkzeug/serving.py", line 216, in handle
rv = BaseHTTPRequestHandler.handle(self)
File "/usr/lib64/python2.7/BaseHTTPServer.py", line 340, in handle
self.handle_one_request()
File "/usr/lib/python2.7/site-packages/werkzeug/serving.py", line 251, in handle_one_request
return self.run_wsgi()
File "/usr/lib/python2.7/site-packages/werkzeug/serving.py", line 193, in run_wsgi
execute(self.server.app)
File "/usr/lib/python2.7/site-packages/werkzeug/serving.py", line 183, in execute
for data in application_iter:
File "/usr/lib/python2.7/site-packages/werkzeug/debug/__init__.py", line 281, in debug_application
app_iter = self.app(environ, start_response)
File "/usr/lib/python2.7/site-packages/flask/app.py", line 1836, in __call__
return self.wsgi_app(environ, start_response)
File "/usr/lib/python2.7/site-packages/flask/app.py", line 1817, in wsgi_app
response = self.full_dispatch_request()
File "/usr/lib/python2.7/site-packages/flask/app.py", line 1475, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/lib/python2.7/site-packages/flask/app.py", line 1461, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/opt/cobra/app/controller/api.py", line 73, in add_task
code, result = scan.Scan(target).version(branch, new_version, old_version)
File "/opt/cobra/engine/scan.py", line 76, in version
repo_directory = os.path.join(config.Config('cobra', 'upload_directory').value, 'version/mogujie/')
File "/opt/cobra/utils/config.py", line 31, in __init__
exit()
File "/usr/lib64/python2.7/site.py", line 364, in __call__
raise SystemExit(code)
SystemExit: None
Cobra database structure
I followed https://github.com/wufeifei/cobra/wiki/Installation step by step, but when I reached pip install -r requirements.txt I kept getting the error below. I'm on CentOS 7, x64.
copying MySQLdb/constants/REFRESH.py -> build/lib.linux-x86_64-2.7/MySQLdb/constants
copying MySQLdb/constants/CLIENT.py -> build/lib.linux-x86_64-2.7/MySQLdb/constants
running build_ext
building 'mysql' extension
creating build/temp.linux-x86_64-2.7
gcc -pthread -fno-strict-aliasing -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -Dversion_info=(1,2,5,'final',1) -D__version_=1.2.5 -I/usr/include/mysql -I/usr/include/python2.7 -c _mysql.c -o build/temp.linux-x86_64-2.7/_mysql.o
_mysql.c:29:20: fatal error: Python.h: No such file or directory
#include "Python.h"
^
compilation terminated.
error: command 'gcc' failed with exit status 1
----------------------------------------
Rolling back uninstall of MySQL-python
Command "/usr/bin/python -c "import setuptools, tokenize;__file__='/tmp/pip-build-hrCFx_/MySQL-python/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-TlCey9-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-hrCFx_/MySQL-python
[root@nginx cobra]#
After that I tried to continue with the install, and got:
[root@nginx cobra]# python cobra.py install
Traceback (most recent call last):
File "cobra.py", line 14, in <module>
from app import web, manager
File "/home/test/cobra/app/__init__.py", line 237, in <module>
from app.controller import api
File "/home/test/cobra/app/controller/api.py", line 20, in <module>
from engine import scan
File "/home/test/cobra/engine/scan.py", line 18, in <module>
from utils import config, decompress
File "/home/test/cobra/utils/decompress.py", line 18, in <module>
import rarfile
ImportError: No module named rarfile
[root@nginx cobra]#
I guess the earlier dependency packages didn't install properly. Could someone advise what to do?
Open for everyone to test; it collects all Cobra data (scan results, scan rules, vulnerability types, etc.).
Initialize the database table structure and data
python cobra.py install
Unable to operate? Thanks!
I installed it on both Ubuntu and CentOS and get this same error on both; nothing went wrong while installing according to the wiki.
Traceback (most recent call last):
File "/data/cobra/cobra.py", line 25, in <module>
main()
File "/data/cobra/cobra.py", line 21, in main
manager.run()
File "/usr/lib/python2.6/site-packages/flask_script/__init__.py", line 412, in run
result = self.handle(sys.argv[0], sys.argv[1:])
File "/usr/lib/python2.6/site-packages/flask_script/__init__.py", line 383, in handle
res = handle(*args, **config)
File "/usr/lib/python2.6/site-packages/flask_script/commands.py", line 216, in __call__
return self.run(*args, **kwargs)
File "/data/cobra/app/__init__.py", line 75, in run
['cloc', target], stdout=subprocess.PIPE)
File "/usr/lib64/python2.6/subprocess.py", line 642, in __init__
errread, errwrite)
File "/usr/lib64/python2.6/subprocess.py", line 1238, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or directory
Some rules only apply to certain frameworks; for example, Kohana has built-in get()/post() methods that filter external parameters.
If $_GET/$_POST/$_REQUEST still appear in such code, XSS can occur.
So when adding a rule you can choose the framework it applies to; the default framework can be left unselected.
Hence framework identification needs to be maintainable. #71
What is the value of secret_key in the config file?
Some rules are only effective for a specific framework, so framework identification must be easy to maintain.
This issue was raised before, and the answer at the time was that svn is not supported and I should switch to git or upload. But in fact I was testing with git and upload, and all of them report this error; fetching the code is fine, the error appears when code analysis starts.
Test host systems: Ubuntu 14.04, CentOS 6.5
The installation followed the wiki; the package names on Ubuntu differ slightly so I adjusted them, and CentOS was installed as-is. Nothing went wrong in between.
Traceback (most recent call last):
File "/data/cobra/cobra.py", line 25, in <module>
main()
File "/data/cobra/cobra.py", line 21, in main
manager.run()
File "/usr/lib/python2.6/site-packages/flask_script/__init__.py", line 412, in run
result = self.handle(sys.argv[0], sys.argv[1:])
File "/usr/lib/python2.6/site-packages/flask_script/__init__.py", line 383, in handle
res = handle(*args, **config)
File "/usr/lib/python2.6/site-packages/flask_script/commands.py", line 216, in __call__
return self.run(*args, **kwargs)
File "/data/cobra/app/__init__.py", line 75, in run
['cloc', target], stdout=subprocess.PIPE)
File "/usr/lib64/python2.6/subprocess.py", line 642, in __init__
errread, errwrite)
File "/usr/lib64/python2.6/subprocess.py", line 1238, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or directory
The result of this error is that the analysis is immediately shown as complete; opening the report shows "counting lines of code" forever, and after leaving it overnight the report shows the following error
Traceback (most recent call last):
File "/usr/lib/python2.6/site-packages/flask/app.py", line 1836, in __call__
return self.wsgi_app(environ, start_response)
File "/usr/lib/python2.6/site-packages/flask/app.py", line 1820, in wsgi_app
response = self.make_response(self.handle_exception(e))
File "/usr/lib/python2.6/site-packages/flask/app.py", line 1403, in handle_exception
reraise(exc_type, exc_value, tb)
File "/usr/lib/python2.6/site-packages/flask/app.py", line 1817, in wsgi_app
response = self.full_dispatch_request()
File "/usr/lib/python2.6/site-packages/flask/app.py", line 1477, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/lib/python2.6/site-packages/flask/app.py", line 1381, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/lib/python2.6/site-packages/flask/app.py", line 1475, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/lib/python2.6/site-packages/flask/app.py", line 1461, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/data/cobra/app/controller/route.py", line 172, in report
'files': common.convert_number(files),
File "/data/cobra/utils/common.py", line 55, in convert_number
return '{:20,}'.format(number)
ValueError: zero length field name in format
Given the following locate rule:
header\(.*?(\$[a-zA-Z_][a-zA-Z0-9_]+).*\)
The sub-pattern $[a-zA-Z_][a-zA-Z0-9_]+ appears many times across rules, so it can be extracted into a constant such as {{PHPVar}} to make rule writing easier. The rewritten rule is:
header\(.*?({{PHPVar}}).*\)
For this locate rule, if the repair rule is in_array($_GET["url"], $url_list);
the variable captured by the locate rule has to be used again inside the repair regex, which can also be solved with a constant, for example:
in_array\({{MatchVar}},(.*)\)
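An added example, not Cobra's own code, of how such rule constants can be expanded and how the variable captured by the locate rule is carried into the repair rule. The constant names {{PHPVar}} and {{MatchVar}} and the two regexes come from the text above; the expand/scan helpers and the PHP sample are assumptions made for the example.

```python
import re

# Constant table: {{PHPVar}} expands to the PHP variable sub-pattern from the text.
CONSTANTS = {"PHPVar": r"\$[a-zA-Z_][a-zA-Z0-9_]+"}

# Locate rule and repair rule exactly as written in the issue.
LOCATE = r"header\(.*?({{PHPVar}}).*\)"
REPAIR = r"in_array\({{MatchVar}},(.*)\)"

# Constructed PHP sample (assumption): one checked and one unchecked redirect.
SAMPLE = [
    "$url = $_GET['url'];",
    "if (in_array($url, $whitelist)) {",
    '    header("Location: " . $url);',
    "}",
    'header("Location: " . $target);',
]


def expand(rule, match_var=None):
    """Substitute {{PHPVar}} with its regex; bind {{MatchVar}} to a literal
    variable name (escaped, since '$' is a regex metacharacter)."""
    out = rule.replace("{{PHPVar}}", CONSTANTS["PHPVar"])
    if match_var is not None:
        out = out.replace("{{MatchVar}}", re.escape(match_var))
    return out


def scan(lines, locate_rule, repair_rule):
    """Return (line_no, var, fixed) for each line hit by the locate rule.
    'fixed' is True when the repair rule, with {{MatchVar}} bound to the
    captured variable, matches anywhere in the same source."""
    locate = re.compile(expand(locate_rule))
    findings = []
    for n, line in enumerate(lines, 1):
        m = locate.search(line)
        if not m:
            continue
        var = m.group(1)
        repair = re.compile(expand(repair_rule, match_var=var))
        fixed = any(repair.search(ln) for ln in lines)
        findings.append((n, var, fixed))
    return findings


if __name__ == "__main__":
    for n, var, fixed in scan(SAMPLE, LOCATE, REPAIR):
        print("line %d: %s %s" % (n, var, "checked" if fixed else "UNCHECKED"))
```

Only the second header() call, whose variable never passes through in_array(), is reported as unchecked.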
How should rules be downloaded and imported? Is there currently only the PHP cURL SSRF rule? Do I just copy the rule into the document and upload it via "add" on the admin page?
The configuration documentation doesn't say anything about this?
When starting a scan, a popup says "undefined", but I can't find any code related to "undefined" in the source. Hoping for an answer, thanks~
Replace grep (ggrep on Mac OS X) with find (gfind on Mac OS X)
Currently, if a scan finds too many vulnerabilities, the report page loads slowly.
/# python cobra.py install
Start create database structure...
MySQL database error: (_mysql_exceptions.OperationalError) (2003, "Can't connect to MySQL server on '127.0.0.1' (111)")
FAQ: https://github.com/wufeifei/cobra/wiki/Error#mysql
Need: scan code under a local path
After obtaining the GitLab address, whether the git password from config is needed is decided by checking whether the repository URL contains the keyword "gitlab".
This produces many false positives.
When cloning, check whether an auth prompt is returned; if so, clone with the git username and password configured in config, otherwise clone directly.
Hi wufeifei,
Hello, I'd like to ask: when deployed on a server, how can it be reached externally, or is it local-only? I tried changing the IP and port in config, but that failed with an error and the address could not be bound: socket.error: [Errno 99] Cannot assign requested address
Do I need to configure nginx for this?
Thx
Is there no option to delete a task? And could all projects be listed with a report link for each? Otherwise there is no way to know which report/N a given project corresponds to.
Name: Kohana Site: http://kohanaframework.org/ Source: https://github.com/kohana/kohana
Rules Count: 2 Rules Info: {'directory': 'system/guide/kohana', 'file': 'system/config/userguide.php'}
Detection(file): /app/cienv/cobra/data/versions/mogujie/system/config/userguide.php
Detection(directory): /app/cienv/cobra/data/versions/mogujie/system/guide/kohana
Name: Laravel Site: http://laravel.com/ Source: https://github.com/laravel/laravel
Rules Count: 1 Rules Info: {'file': '/artisan'}
Detection(file): /artisan
Name: ThinkPHP Site: http://www.thinkphp.cn/ Source: https://github.com/top-think/thinkphp
Rules Count: 1 Rules Info: {'file': '/ThinkPHP/ThinkPHP.php'}
Detection(file): /ThinkPHP/ThinkPHP.php
Name: CodeIgniter Site: https://codeigniter.com/ Source: https://github.com/bcit-ci/CodeIgniter
Rules Count: 1 Rules Info: {'file': '/system/core/CodeIgniter.php'}
Detection(file): /system/core/CodeIgniter.php
Name: Tesla/MWP Site: http://www.mogujie.com/ Source: http://www.mogujie.com/
Rules Count: 1 Rules Info: {'file': '/pom.xml'}
Detection(file): /pom.xml
172.21.132.132 - - [25/Aug/2016 14:38:33] "POST /api/add HTTP/1.1" 200 -
Traceback (most recent call last):
File "/app/cienv/cobra/cobra.py", line 25, in <module>
main()
File "/app/cienv/cobra/cobra.py", line 21, in main
manager.run()
File "/usr/lib/python2.6/site-packages/flask_script/__init__.py", line 412, in run
result = self.handle(sys.argv[0], sys.argv[1:])
File "/usr/lib/python2.6/site-packages/flask_script/__init__.py", line 383, in handle
res = handle(*args, **config)
File "/usr/lib/python2.6/site-packages/flask_script/commands.py", line 216, in __call__
return self.run(*args, **kwargs)
File "/app/cienv/cobra/app/__init__.py", line 75, in run
['cloc', target], stdout=subprocess.PIPE)
File "/usr/lib64/python2.6/subprocess.py", line 639, in __init__
errread, errwrite)
File "/usr/lib64/python2.6/subprocess.py", line 1228, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or directory
Target is not directory
Hello, and first of all thank you for your interest in Cobra,
Best Regards
Feei - [email protected]
Site: http://wufeifei.com
Weibo: @吴止介 | Github: @wufeifei
On 11 Aug 2016, at 11:43 PM, secsystem
Hello Cobra author, I saw this project on Weibo and thought it was great, so I tried deploying it, but ran into the following problems while testing and hope to get answers here!
1. After the scan finished, the total line count of the project was not shown, and no vulnerabilities were found; I scanned the DVWA vulnerable demo application!
2. Using a private git repository with the username and password set in config, the server side still asked for a username and password when I entered the git address on the front end.
3. Could you consider redirecting to, or popping up, the report address directly after the scan finishes, instead of having to enter it in the URL?
4. Can the project contact person and project PE be obtained dynamically?
Below are my run screenshots; the log is attached. I don't know whether it's a problem with my deployment or a bug in the program; hoping this can be confirmed, thanks!
ValueError
ValueError: zero length field name in format
Traceback (most recent call last):
File "/usr/lib/python2.6/site-packages/flask/app.py", line 1836, in __call__
return self.wsgi_app(environ, start_response)
File "/usr/lib/python2.6/site-packages/flask/app.py", line 1820, in wsgi_app
response = self.make_response(self.handle_exception(e))
File "/usr/lib/python2.6/site-packages/flask/app.py", line 1403, in handle_exception
reraise(exc_type, exc_value, tb)
File "/usr/lib/python2.6/site-packages/flask/app.py", line 1817, in wsgi_app
response = self.full_dispatch_request()
File "/usr/lib/python2.6/site-packages/flask/app.py", line 1477, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/lib/python2.6/site-packages/flask/app.py", line 1381, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/lib/python2.6/site-packages/flask/app.py", line 1475, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/lib/python2.6/site-packages/flask/app.py", line 1461, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/app/cienv/cobra/app/controller/route.py", line 172, in report
'files': common.convert_number(files),
File "/app/cienv/cobra/utils/common.py", line 55, in convert_number
return '{:20,}'.format(number)
ValueError: zero length field name in format
Installation was fine and the database connection was created fine, but once a scan starts it just keeps spinning and nothing else happens.
The admin login doesn't respond either, but the report output displays normally.
How can this be solved?
Could you share the dependency libraries needed to install on Kali?
When a company receives a vulnerability report, it needs to know the impact of that vulnerability on every project across the company.
By adding a Cobra scan rule and scanning all projects in the company's private GitLab, it can determine which places are at risk.
$pwd = 'test';
$passwd = 'test';
$password = 'test';
const PAD = 'te\'s12$t';
const X_PASSWD = 'te\'s12$t';
const A_PASSWORD = 'te\'s12$t';
private $ftp_pwd = 'test123';
privaate $ssh_passwd = "tes1t";
privaate $db_password = "tes1t";
'pwd' => 'test123'
'passwd' => 'test123'
'password' => 'test123'
$pwd = md5("test123");
$passwd = md5('test123');
$password = md5("test123");
$VAR_ZPDO['ctu']['pwd'] = 'test123';
$VAR_ZPDO['ctu']['passwd'] = 'test123';
$VAR_ZPDO['ctu']['password'] = 'test123';
mysql -uroot -p'test123' -e "ALTER TABLE TEST ADD INDEX(twitterId);"
$pdo = new PDO("mysql:host=127.0.0.1;dbname=stats", 'bda', 'thisispassword');
$con = mysql_connect('127.0.0.1:3306', 'root', 'thisispassword');
curl_setopt($curl, CURLOPT_USERPWD, "thisispassword");
define("PASSWORD", "123456");
$password = post('password');
<input type="password" placeholder="Password..." class="form-control">
Plain rule matching produces a large number of false positives for some vulnerability types, so rule complexity needs to increase.
Each rule consists of a query rule plus a confirmation rule, and the confirmation rule can be positioned [above|below] within the function body or [above|below] within the class body.
This improves scan rule accuracy and reduces the false-positive rate.
Are there any rule samples, or when will rules be updated?