Kunlun-M php_unserialize_chain_tools 不支持参数中的类变量

System and Python Environment

Item	Tooltip	Value
System	`uname -a`	Linux airsky 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2 (2017-06-12) x86_64 GNU/Linux
Python	`python -V`	Python 3.8.0
Cobra	`python kunlun.py`	v2.6.4.2

Description

使用php_unserialize_chain_tools查找shopwind反序列化利用链时爆错

Steps to Reproduce

python3.8 kunlun.py plugin php_unserialize_chain_tools -t ./yii2-shopwind/

Expected behavior: 完成

Actual behavior:

 [10:13:40] [PhpUnSerChain] call new method Variable-$this->normalizeFormat('Variable-$format',)
 [10:13:40] [PhpUnSerChain] Too much deepth. return.
 [10:13:40] Traceback (most recent call last):
  File "/root/Kunlun-M/core/__init__.py", line 155, in main
    plugins.PLUGIN_DICT[args.plugin_name](parser, parser_group_plugin)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 78, in __init__
    self.main()
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 82, in main
    self.get_destruct()
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 101, in get_destruct
    status = self.deep_search_chain(method_nodes, class_locate, unserchain)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 748, in deep_search_chain
    status = self.deep_search_chain(nmnodes, class_locate, unserchain, define_param=define_param, deepth=deepth, parent_method=new_source_node)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 727, in deep_search_chain
    status = self.get_any_methodcall(method_name, call_params, unserchain=unserchain, define_param=define_param, deepth=deepth)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 292, in get_any_methodcall
    status = self.deep_search_chain(method_nodes, class_locate, newunserchain, define_param=define_param,
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 748, in deep_search_chain
    status = self.deep_search_chain(nmnodes, class_locate, unserchain, define_param=define_param, deepth=deepth, parent_method=new_source_node)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 820, in deep_search_chain
    if self.check_dynamic_class_var_exist(node_right, node):
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 657, in check_dynamic_class_var_exist
    return self.check_param_controllable(var_node_left, now_node)
  File "/root/Kunlun-M/core/plugins/phpunserializechain/main.py", line 574, in check_param_controllable
    arraylist = ast.literal_eval(param_name[6:])
  File "/usr/local/lib/python3.8/ast.py", line 59, in literal_eval
    node_or_string = parse(node_or_string, mode='eval')
  File "/usr/local/lib/python3.8/ast.py", line 47, in parse
    return compile(source, filename, mode, flags,
  File "<unknown>", line 1
    ['Variable-$this
                   ^
SyntaxError: EOL while scanning string literal

Apr 21 '22 10:04 AirSkye

看上去是有不支持的语法啊，很怪

Apr 22 '22 07:04 LoRexxar

看上去是有不支持的语法啊，很怪

这个插件能不能搞个多线程，从前天晚上跑到现在，一直Found New Method... 这一个项目目测要跑至少一周还多啊

Sep 01 '22 03:09 MyPuppet

Kunlun-M Kunlun-M copied to clipboard

php_unserialize_chain_tools 不支持参数中的类变量

System and Python Environment

Description

Steps to Reproduce

Kunlun-M
Kunlun-M copied to clipboard