This post takes its targets from https://etherscan.io/tokens and crawls the source code of Ethereum blockchain applications that have already completed an ICO and have a large trading volume, so that it can be security-analysed later.
Straight to the code:
<?php
// The crawl can take a long time, so remove the script execution limit up front.
ini_set("max_execution_time", 0);

function getbody($url){
    if(!function_exists('curl_init')){
        echo "no curl support";
        exit();
    }
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    // Keep TLS verification on: with it switched off, the code we save for analysis
    // could be altered in transit without us noticing.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 120);
    curl_setopt($ch, CURLOPT_HTTPGET, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, 'okhttp/3.7.0.6');
    $result = curl_exec($ch);
    curl_close($ch);
    return $result;
}

// Step 1: walk the token list pages and collect contract addresses.
$page = 1;   // for an incremental update, start at the current last page (9 at the time of writing)
$tokens = array();
for ($i = $page; ; $i++) {
    $url = "https://etherscan.io/tokens?p=$i";
    $data = getbody($url);
    // Addresses appear in the page's links as /0x followed by 40 hex digits and a closing quote.
    preg_match_all("/\/0x[0-9A-Fa-f]{40}'/", $data, $result);
    if(count($result[0])){
        $out = array_unique($result[0]);
        foreach ($out as $key => $value) {
            $tokens[] = ltrim(rtrim($value, "'"), "/");
        }
        //echo count($out).'<BR>';
    }else{
        // No addresses on this page (or the request failed): the list is exhausted.
        echo count($tokens);
        break;
    }
}
foreach ($tokens as $key => $value) {
    echo $value.'<BR>';
}
// To resume from a previously saved address list instead of crawling, paste it here and uncomment:
// $tokenstr = '';
// $tokens = explode("\n", $tokenstr);
//echo 'Total: '.count($tokens);
//$tokenurl = "https://etherscan.io/token/{token}";

// Step 2: fetch each address page and save the verified source, one file per address.
foreach ($tokens as $k => $t) {
    $t = trim($t);
    if(file_exists($t)){ // don't download code we already have
        continue;
    }else{
        echo $t;
    }
    $url = "https://etherscan.io/address/$t";
    $data = getbody($url);
    // The verified source sits in a <pre> block inside the element whose id is "dividcode".
    if(preg_match("/dividcode\".*?<\/pre>/s", $data, $result)){
        $tmp = str_replace("</pre>", "", $result[0]);
        $i = strpos($tmp, 'sourcecopyarea');
        if($i){
            $tmp = substr($tmp, $i);
            $i = strpos($tmp, '>');
            if($i){
                $tmp = substr($tmp, $i+1);   // drop the <pre ...> tag itself
            }
        }
        // $t was produced by the hex-only regex above, so it is safe to use as a file name.
        file_put_contents($t, htmlspecialchars_decode($tmp, ENT_QUOTES));
    }else{
        echo 'none<br>';   // contract has no verified source on Etherscan
    }
}
The code is about 70 lines. It first downloads the page https://etherscan.io/tokens?p=$i and regex-matches the blockchain addresses; then it downloads https://etherscan.io/address/$t and regex-matches the application code, saving the code to a file named after the address.
No extra XML parsing module is used, so it stays lightweight. For incremental updates you can set $page=9 (currently the last page).
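The same two extraction steps in Python, as an added example that is not the post's own code, with three things worth having before feeding hundreds of files to mythril: addresses limited to hex digits and deduplicated case-insensitively, a None result for contracts with no verified source, and grouping of byte-identical sources so each copy is analysed only once. The HTML fragments are constructed to match what the PHP regexes expect; the live Etherscan markup may differ.

```python
import hashlib
import html
import re
from typing import Dict, List, Optional

# The two patterns the PHP scraper above relies on, with the address limited to hex digits.
ADDRESS_RE = re.compile(r"/(0x[0-9a-fA-F]{40})'")
SOURCE_RE = re.compile(r'dividcode".*?</pre>', re.S)

# Constructed samples that mirror the markup those patterns expect; not real Etherscan output.
ADDR_A = "0x" + "0" * 38 + "aa"
ADDR_A_UPPER = "0x" + "0" * 38 + "AA"     # same contract, different letter case
ADDR_B = "0x" + "0" * 38 + "bb"
TOKEN_LIST_HTML = (f"<a href='/token/{ADDR_A}'>A</a>\n"
                   f"<a href='/token/{ADDR_A_UPPER}'>A again</a>\n"
                   f"<a href='/token/{ADDR_B}'>B</a>\n"
                   f"<a href='/token/0x{'z' * 40}'>not hex, ignored</a>\n")
VERIFIED_PAGE_HTML = ('<div id="dividcode"><pre class="js-sourcecopyarea">'
                      'contract T { mapping(address =&gt; uint) b; }</pre></div>')
UNVERIFIED_PAGE_HTML = '<div id="dividcode">Contract source code not verified</div>'


def extract_addresses(page: str) -> List[str]:
    """Unique addresses in first-seen order, lower-cased so case variants collapse."""
    seen, out = set(), []
    for addr in ADDRESS_RE.findall(page):
        if addr.lower() not in seen:
            seen.add(addr.lower())
            out.append(addr.lower())
    return out


def extract_source(page: str) -> Optional[str]:
    """Verified source text from an address page, or None when there is no <pre> block."""
    m = SOURCE_RE.search(page)
    if not m:
        return None
    block = m.group(0).replace("</pre>", "")
    i = block.find("sourcecopyarea")
    if i != -1:                               # drop everything up to the end of the <pre ...> tag
        block = block[i:]
        block = block[block.find(">") + 1:]
    return html.unescape(block)


def dedupe_sources(sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Group addresses whose saved source is byte-identical, keyed by SHA-256 of the text.
    Many tokens are verbatim copies of one another, so each group needs one mythril run."""
    groups: Dict[str, List[str]] = {}
    for addr, src in sources.items():
        groups.setdefault(hashlib.sha256(src.encode()).hexdigest(), []).append(addr)
    return groups
```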
As for security analysis of the blockchain code:
Vulnerability reference: https://medium.com/@ranimes/alert-new-batchoverflow-bug-in-multiple-erc20-smart-contracts-cve-2018-10299-511067db6536
Tool reference: https://github.com/ConsenSys/mythril
mythril test environment:
Alibaba Cloud CentOS 7
python3.6
1. First install mythril: wget https://github.com/ConsenSys/mythril/archive/v0.16.25.tar.gz
extract it with tar xf, then run python3.6 setup.py install
2. mythril works by symbolic analysis, building a path graph over compiled Solidity code, so solc must be installed:
wget https://github.com/ethereum/solidity/releases/download/v0.4.23/solc-static-linux
then add it to the executable path: ln -s /path/solc-static-linux /usr/bin/solc
3. Then get to work:
myth -x 0x0aef06dcccc531e581f0440059e6ffcc206039ee
The results are as follows; a few minor issues were found.
4. The types of issue the tool can find: https://github.com/ConsenSys/mythril/blob/master/security_checks.md