Code audit tool - Seay source code audit system

The Seay source code audit system is a white-box code audit tool. Its automatic audit function simplifies the tedious process of manual auditing and makes code audits smarter and more concise.

Accept the defaults throughout the installation.

It depends on the .NET Framework; download and install the required components and it runs normally.

We use DVWA as the example.

Click New Project in the upper-left corner and select the dvwa source folder.

After clicking OK, the left pane lists the file tree of the project.

Click Automatic Audit in the top menu bar.

Progress is shown at the bottom.

Clicking Generate Report gives an easy overview of the audit.

Opened in a browser, the report shows vulnerability type, file path and suspicious function at a glance.

Back in the audit system, let's take a closer look at the scan results.

It is not hard to see that most of the audit results are quite accurate. For example, the entries with IDs 156-163 are flagged as command execution, and their file paths are under exec; in the dvwa source folder, exec is where the command-execution web page lives. Similarly, IDs 166 and 167 are flagged as file inclusion, and comparing with the source shows that dvwa's fi folder holds the file-inclusion page.

Looking at the vulnerability details column, we can see that it gives the specific file path and the statement suspected of causing the vulnerability.

Take IDs 160 and 161, flagged as command execution, as an example.

In the vulnerability details we can see the statement suspected of creating the vulnerability.

However, the actual situation still has to be judged from the surrounding context, so we double-click to open the complete file.

We can see that the two findings are at line 10 and line 14. There are two because the code first determines the operating system and then runs a different ping statement depending on the system.

We are on Windows, so what shell_exec runs is ping $target, where $target is the variable we passed in.

The trick here is this:

Both Windows and Linux accept ";", "&&", "||" and "&" for running multiple commands (with one caveat: cmd.exe on Windows does not treat ";" as a command separator, so on a Windows target "&&" and "&" are the reliable choices):

      ; : run the commands one after another; whether the previous one failed does not matter

      && : run the following command only if the preceding one succeeded

      || : run the following command only if the preceding one failed

      & : run both commands regardless of the result (in a Linux shell the first is put in the background so they run concurrently; in cmd.exe they run one after the other)

The program assumes we are passing in an IP address, but if we append one of the four symbols above to the IP address, we can run other commands.

Entering 127.0.0.1 indeed returns the result of the ping. Next we try 127.0.0.1&&netstat -ano

Sure enough, besides running ping, it also ran our extra command. This is a command execution vulnerability.
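To make the flagged pattern concrete, here is an added example (my own code, not DVWA's source and not part of the original post) that reconstructs the logic described above, raw user input concatenated into a ping command, next to a hardened version. The OS check, the function names and the sample inputs are assumptions made for the illustration; both functions only build the command line and nothing is executed, so the script runs safely on any machine.

```php
<?php
// Added example, not DVWA's own code: the vulnerable pattern flagged above
// next to a hardened version. Both functions only BUILD the command line;
// nothing calls shell_exec(), so this runs safely on any machine.

// Reconstruction of the flagged logic: pick the ping syntax for the OS, then
// concatenate the raw user input. Anything after ";", "&&", "||" or "&"
// becomes a second shell command.
function build_ping_vulnerable(string $target): string {
    $ping = stristr(php_uname('s'), 'Windows') ? 'ping ' : 'ping -c 4 ';
    return $ping . $target;     // e.g. "ping 127.0.0.1&&netstat -ano"
}

// Hardened version: allowlist the input as an IPv4/IPv6 address, then still
// pass it through escapeshellarg() so the shell sees exactly one argument.
// Returns null when the input is not an IP address, so the caller refuses.
function build_ping_hardened(string $target): ?string {
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $ping = stristr(php_uname('s'), 'Windows') ? 'ping ' : 'ping -c 4 ';
    return $ping . escapeshellarg($target);
}

// Constructed inputs: one legitimate address and the separators from above.
$inputs = [
    '127.0.0.1',
    '127.0.0.1&&netstat -ano',
    '127.0.0.1;id',
    '127.0.0.1 || id',
    '127.0.0.1 & id',
];

foreach ($inputs as $in) {
    $safe = build_ping_hardened($in);
    printf("input:      %s\nvulnerable: %s\nhardened:   %s\n\n",
        $in,
        build_ping_vulnerable($in),
        $safe ?? 'REJECTED (not an IP address)');
}
```

Run it with php and compare the two lines for each input: the vulnerable builder happily produces ping 127.0.0.1&&netstat -ano, while the hardened builder rejects every input that is not a bare IP address and, for the valid one, still wraps it with escapeshellarg() so that even if the allowlist were loosened later the shell would see a single argument. Note that escapeshellarg() quotes differently on Windows (double quotes, with % and ! replaced by spaces) than on Linux (single quotes); a validated IP address contains none of those characters.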

That is the typical way to use the Seay audit system. Note that Seay's features are not limited to this. For example, there is global search; take shell_exec as an example:

It can help us list the functions that easily lead to vulnerabilities and then quickly locate the files where a vulnerability may exist.

Another example is audit plugins.

You can develop your own plugins for auditing, and the author has already built in a few, such as the information disclosure plugin, which quickly audits possible information disclosure risks: enter the path in the site address field and it audits automatically.

There are many other features; explore them on your own.

In fact, Seay's main auditing method is regular-expression matching: it takes statements built around functions that easily cause vulnerabilities and matches them against the source code. Because of this mechanism, it has a certain false positive rate. The tool is only one part; what matters more is human judgment.
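To show what this regex mechanism actually does, and where its false positives come from, here is an added example (my own code, not Seay's source): a toy sink scanner that applies a few rules of the kind Seay uses to some constructed PHP files. The rules, the file names and the sample sources are all made up for this illustration; the comment stripping and the "uses a variable" hint are crude heuristics of my own, not how Seay works internally.

```php
<?php
// Added example, not Seay's own code: a toy regex-based sink scanner in the
// spirit of Seay's audit mechanism. Rules, paths and sources are constructed.

// Each rule: vulnerability type => regex whose group 1 is the sink name.
$rules = [
    'command execution' => '/\b(shell_exec|exec|system|passthru|popen|proc_open)\s*\(/i',
    'file inclusion'    => '/\b(include_once|include|require_once|require)\b\s*\(?/i',
    'code execution'    => '/\b(eval|assert|create_function)\s*\(/i',
];

// Constructed sample files. The first mirrors the two flagged ping statements,
// the second is a real file-inclusion sink, the third is a false positive:
// the sink appears once in a comment and once with a constant argument.
$files = [
    'vulnerabilities/exec/source/low.php' =>
        "<?php\n" .
        "\$target = \$_REQUEST['ip'];\n" .
        "if (stristr(php_uname('s'), 'Windows NT')) {\n" .
        "    \$cmd = shell_exec('ping ' . \$target);\n" .
        "} else {\n" .
        "    \$cmd = shell_exec('ping -c 4 ' . \$target);\n" .
        "}\n",
    'vulnerabilities/fi/index.php' =>
        "<?php\n\$file = \$_GET['page'];\ninclude(\$file);\n",
    'includes/helpers.php' =>
        "<?php\n// never call shell_exec() on user input\n" .
        "\$uptime = shell_exec('uptime');\n",
];

// Returns one finding per matching line: type, file, line, sink and the
// statement, plus a crude triage hint (does a variable follow the sink?).
function scan(array $rules, array $files): array {
    $findings = [];
    foreach ($files as $path => $source) {
        foreach (explode("\n", $source) as $i => $line) {
            // Crude: drop // and # line comments before matching.
            $code = preg_replace('~(//|#).*$~', '', $line);
            foreach ($rules as $type => $re) {
                if (!preg_match($re, $code, $m, PREG_OFFSET_CAPTURE)) {
                    continue;
                }
                $after = substr($code, $m[0][1] + strlen($m[0][0]));
                $findings[] = [
                    'type'      => $type,
                    'file'      => $path,
                    'line'      => $i + 1,
                    'function'  => $m[1][0],
                    'statement' => trim($line),
                    'uses_var'  => (bool) preg_match('/\$\w+/', $after),
                ];
            }
        }
    }
    return $findings;
}

foreach (scan($rules, $files) as $f) {
    printf("[%s] %s:%d %s() %s | %s\n",
        $f['type'], $f['file'], $f['line'], $f['function'],
        $f['uses_var'] ? 'argument uses a variable' : 'constant argument',
        $f['statement']);
}
```

The output lists the two shell_exec() lines in low.php and the include() line as real hits, and also reports shell_exec('uptime') in helpers.php, which is harmless. That last entry is exactly the kind of false positive described above: the regex only knows that the sink name appears, not whether user input reaches it, so each hit still has to be read in context, as we did by opening the exec file.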

That concludes the introduction of the two more popular code audit tools. In subsequent experiments we will start practicing on some small CMSs.


Origin www.cnblogs.com/klmyoil/p/12230331.html