https://github.com/Firebasky/CodeqlLearn

A record of my process of learning CodeQL

# CodeqlLearn

> Modified from safe6sec's original so that it suits me better

# AST

https://www.jianshu.com/p/ff8ec920f5b9

https://www.jianshu.com/p/4bd5dc13f35a

https://www.jianshu.com/p/68fcbc154c2f

# Learning process

Articles I read while learning CodeQL

- [CodeQL: From Getting Started to Giving Up](https://www.freebuf.com/articles/web/283795.html) :heavy_check_mark:
- [Getting started with CodeQL](https://me.xxf.world/post/codeql-huan-jing-da-jian/) :heavy_check_mark:
- [Getting started with CodeQL 2](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==&mid=2247485016&idx=1&sn=983c23cd5cff4310ee233b21444815f4&chksm=c053fd72f72474647ba9d70e23ba81196f01055550d6b8ead0eebb67df7dc7aac15cda6ae05b&mpshare=1&scene=23&srcid=1229z6KsvgKYZRrPzIwGONPb&sharer_sharetime=1640768952290&sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) :heavy_check_mark:
- [CodeQL notes](https://lfysec.top/2020/06/03/CodeQL%E7%AC%94%E8%AE%B0/) :heavy_check_mark:
- [First experience with the CodeQL code analysis engine](https://paper.seebug.org/1078) :heavy_check_mark:
- [CodeQL study notes](https://zhuanlan.zhihu.com/p/354275826) :heavy_check_mark:
- [Learning CodeQL: CodeQL data flow analysis - bamb00 - cnblogs](https://www.cnblogs.com/goodhacker/p/13583650.html) :heavy_check_mark:
- [Original | The relationship between CodeQL and the AST](https://mp.weixin.qq.com/s?__biz=MzI4Mzc0MTI0Mw==&mid=2247493662&idx=2&sn=8cead6291bb8f3c130093e6006089b5d&chksm=eb84b54adcf33c5c6ef57c685d221fda68e0cedba2a59b886f3079d4d50884b70689c31d43b8&mpshare=1&scene=23&srcid=0501LyVqcDU5vQ7Izenx2oim&sharer_sharetime=1651408304150&sharer_shareid=d74249cca329fbfc7dc218e59f3897aa#rd) :heavy_check_mark:
- [Using static code analysis to detect authorization-bypass and unauthorized-access vulnerabilities in microservices](https://mp.weixin.qq.com/s?__biz=MzA4NzA5OTYzNw==&mid=2247484233&idx=1&sn=dec528945d54fe94c6492c3b774b5d81&chksm=903fd2d3a7485bc569a3ea4bc9ea8d2837224389e8c6351c99c0aba815270e2c84f528cfa6ba&mpshare=1&scene=23&srcid=07081Nc37ZXSTAMgk5b7cpG0&sharer_sharetime=1657244441300&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) :heavy_check_mark:
- [Scanning for authorization-bypass vulnerabilities in microservices with static code analysis](https://mp.weixin.qq.com/s/3rxGuOBsbD9ZZT8fihsyzg) :heavy_check_mark:
- [CodeQL for Golang Practise(3)](http://f4bb1t.com/post/2020/12/16/codeql-for-golang-practise3/)
- [CodeQL static code scanning: linking endpoints, input parameters and dangerous methods, automatically constructing payloads, and exploring abstract classes](https://mp.weixin.qq.com/s/Rqo12z9mapwlj6wGHZ1zZA)
- [Analyzing Vulnerability-GoApp with CodeQL - FreeBuf network security industry portal](https://www.freebuf.com/articles/web/253491.html)
- [CodeQL deserialization analysis](https://github.com/githubsatelliteworkshops/codeql)
- [[Original\] Building 58 Group's white-box code audit system, part 2: understanding SAST in depth - Business security - Kanxue forum - Security community | Security jobs | bbs.pediy.com](https://bbs.pediy.com/thread-266995.htm#msg_header_h1_4)
- [Loulan #CodeQL](https://mp.weixin.qq.com/mp/appmsgalbum?__biz=Mzg4ODU4ODYzOQ==&action=getalbum&album_id=1970201600723910658&scene=173&from_msgid=2247484983&from_itemidx=1&count=3&nolastread=1#wechat_redirect)
- [CodeQL study notes | Gamous'Site](http://blog.gamous.cn/post/codeql/)
- [language:go - Search - LGTM](https://lgtm.com/search?q=language%3Ago&t=rules)
- [Introduction to CodeQL and code scanning - GeekMasher's blog](https://geekmasher.dev/posts/sast/codeql-introduction)
- [CVE-2018-11776: How to find 5 Apache Struts RCEs with CodeQL](https://mp.weixin.qq.com/s/LmOFGAhqAKiO8VDQW4vvLg)
- [Writing CodeQL static code scanning rules: RemoteFlowSource](https://mp.weixin.qq.com/s/jVZ3Op8FYBmiFAV3p0li3w)
- [CodeQL static code scanning: exploring abstract classes](https://mp.weixin.qq.com/s/KQso2nvWx737smunUHwXag)
- [Getting started with writing CodeQL rules](https://mp.weixin.qq.com/s/sAUSgRAohFlmzwSkkWjp9Q)
- [About LGTM - Help - LGTM](https://lgtm.com/help/lgtm/about-lgtm)
- [LGTM help & documentation](https://help.semmle.com/home/help/home.html)
- [Capture the flag | GitHub Security Lab](https://securitylab.github.com/ctf/)
- [Category: codeql - 食兔人's blog](https://blog.ycdxsb.cn/categories/research/codeql/)
- [CodeQL - butter-fly](https://yourbutterfly.github.io/note-site/module/semmle-ql/codeql/)
- [Expressions](https://www.4hou.com/posts/lM11)
- [mark/CodeQL-数据流在Java中的使用.md at master · haby0/mark](https://github.com/haby0/mark/blob/master/articles/2021/CodeQL-数据流在Java中的使用.md)
- [github/securitylab: Resources related to GitHub Security Lab](https://github.com/github/securitylab)
- [Finding XSS in React applications with CodeQL in practice | Image's blog](https://hexo.imagemlt.xyz/post/javascript-codeql-learning/)
- [SummerSec/learning-codeql: The most complete Chinese-language learning material for CodeQL Java](https://github.com/SummerSec/learning-codeql)
- [CodeQL query help for Go — CodeQL query help documentation](https://codeql.github.com/codeql-query-help/go/#)
- [CodeQL usage guide - zzzzfeng's blog - CSDN blog](https://blog.csdn.net/haoren_xhf/article/details/115064677)
- [Apache Dubbo: All roads lead to RCE | GitHub Security Lab](https://securitylab.github.com/research/apache-dubbo/)
- [Nanjing University software analysis course](https://space.bilibili.com/2919428?share_medium=iphone&share_plat=ios&share_session_id=6851D997-0AC6-4C67-B858-BD1E6258C548&share_source=COPY&share_tag=s_i&timestamp=1639480132&unique_k=8wQBAkV)
- [Dangerous sinks in various languages](https://github.com/haby0/sec-note)

# Environment setup
- [Compiling OpenJDK 8 and generating a CodeQL database](https://blog.csdn.net/mole_exp/article/details/122330521) :heavy_check_mark: **Running QL against the JDK is useful in many ways.**

# Real-world examples

- [How to find CVE-2020-10199 with CodeQL](https://www.anquanke.com/post/id/202987) :heavy_check_mark: **You can use taint tracking with TaintTracking::Configuration and add isAdditionalTaintStep**
- [Analyzing and finding Log4j vulnerabilities with CodeQL](https://mp.weixin.qq.com/s/JYco8DysQNszMohH6zJEGw)
- [Auditing ofcms with CodeQL](https://www.anquanke.com/post/id/203674) :heavy_check_mark:
- [Finding fastjson gadget chains with CodeQL](https://xz.aliyun.com/t/7482) :heavy_check_mark:
- [Analyzing the latest Grafana arbitrary file read with CodeQL]() :heavy_check_mark:
- [Learning CodeQL: taint analysis](https://xz.aliyun.com/t/7789) :heavy_check_mark:
- [CodeQL from 0 to 1 (with a Shiro detection demo)](https://www.anquanke.com/post/id/255721) :heavy_check_mark:
- [Analyzing Vulnerability-GoApp with CodeQL](https://www.freebuf.com/articles/web/253491.html) :heavy_check_mark: (Go)
- [How to reproduce the Apache Kylin command execution vulnerability with CodeQL data flow - Xianzhi community](https://xz.aliyun.com/t/8240) :heavy_check_mark:
- [CodeQL data flow seen through a Java deserialization challenge](https://www.anquanke.com/post/id/256967) :heavy_check_mark:
- [Short notes on learning CodeQL](https://www.buaq.net/go-98696.html) :heavy_check_mark:

# Downloads

- Documentation: https://codeql.github.com/docs/codeql-cli/
- Binaries: https://github.com/github/codeql-cli-binaries
- Ready-made starter project: https://github.com/github/vscode-codeql-starter

Database downloads, online queries and rule search: https://lgtm.com/

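# Generating a database

Step 1: create the indexed code database. A database must exist before any query can run.

```
codeql database create <database> --language=<language-identifier>
```

The supported languages and their `--language` identifiers are as follows: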

| Language | Identifier |
| --------------------- | ---------- |
| C/C++ | cpp |
| C# | csharp |
| Go | go |
| Java | java |
| JavaScript/TypeScript | javascript |
| Python | python |
| Ruby | ruby |

1. Generate a code-scanning database (Java)

```
codeql database create D:\codeqldb/javasec --language=java --command="mvn clean install --file pom.xml -Dmaven.test.skip=true" --source-root=./javasec
```

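Note: `--source-root` is the path to the source code. It defaults to the current directory and can be omitted.

Some commonly used build commands:

```
# Build, skipping the tests
--command="mvn clean install --file pom.xml -Dmaven.test.skip=true"
# Never fail the build, regardless of the project result
--command="mvn -fn clean install --file pom.xml -Dmaven.test.skip=true"
```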

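Including XML files (see https://github.com/github/codeql/issues/3887). Here `<src>`, `<db>` and `<build command>` are placeholders for the source directory, the database directory and the build command:

```
codeql database init --source-root=<src> --language java <db>
codeql database trace-command --working-dir=<src> <db> <build command>
codeql database index-files --language xml --include-extension .xml --working-dir=<src> <db>
codeql database finalize <db>
```

This splits the single `database create` command above into four commands; the `index-files` step is the one that adds the XML files to the CodeQL database.

A second option is to insert `--include "**/resources/**/*.xml"` into the `codeql-cli/java/tools/pre-finalize.cmd` file.

2. Upgrade the database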

```
codeql database upgrade database/javasec
```

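Reference: https://help.semmle.com/lgtm-enterprise/admin/help/prepare-database-upload.html

### Compiled and non-compiled languages

For compiled languages, the build has to run while the indexed database is being created; this mainly concerns Java. For non-compiled languages, the source can simply be scanned directly.

For Go, building is optional.

## Basic queries

### Filtering methods

#### Query by method name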

```java
import java

from Method method
where method.hasName("toObject")
select method
```

Also return the declaring class of the method:

```java
import java

from Method method
where method.hasName("toObject")
select method, method.getDeclaringType()
```

#### Query by method name and interface name

For example, to find the `toObject` method of every subclass of `ContentTypeHandler`:

```java
import java

from Method method
where method.hasName("toObject") and method.getDeclaringType().getASupertype().hasQualifiedName("org.apache.struts2.rest.handler", "ContentTypeHandler")
select method
```

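#### Call and Callable

`Callable` represents the set of callable methods and constructors.

`Call` represents an invocation of a `Callable` (a method call, a constructor call, and so on).

Filtering method calls

### MethodAccess

The usual approach is to find the `Method` first and then compare it with `MethodAccess.getMethod()`.

For example, to find calls to the `toObject()` method of `ContentTypeHandler`: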

```java
import java

from MethodAccess call, Method method
where method.hasName("toObject") and method.getDeclaringType().getASupertype().hasQualifiedName("org.apache.struts2.rest.handler", "ContentTypeHandler") and call.getMethod() = method
select call
```

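The query above is not good enough: it only finds calls to explicitly defined implementations such as `JsonLibHandler`.

How can it be improved?

Use `getAnAncestor()` or `getASupertype*()` instead. Both are reflexive and transitive, so they also match `ContentTypeHandler` itself and its indirect subtypes, whereas `getASupertype()` only looks one level up.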

```java
import java

from MethodAccess call, Method method
where method.hasName("toObject") and method.getDeclaringType().getAnAncestor().hasQualifiedName("org.apache.struts2.rest.handler", "ContentTypeHandler") and call.getMethod() = method
select call
```

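# Data flow tracking

Analyzing SpEL with local data flow

Local data flow

Local data flow is data flow within a single method or callable (the flow is cut off as soon as the variable leaves that method). Local data flow is usually easier, faster and more precise than global data flow.

```
import java
import semmle.code.java.frameworks.spring.SpringController
import semmle.code.java.dataflow.TaintTracking

from Call call, Callable parseExpression, SpringRequestMappingMethod route, Parameter param
where
  // Sink: the first argument of ExpressionParser.parseExpression(...)
  call.getCallee() = parseExpression and
  parseExpression.getDeclaringType().hasQualifiedName("org.springframework.expression", "ExpressionParser") and
  parseExpression.hasName("parseExpression") and
  // Source: a request parameter of a Spring request-mapping method.
  // Binding it to `param` makes the selected parameter the one that taints the argument.
  param = route.getARequestParameter() and
  TaintTracking::localTaint(DataFlow::parameterNode(param), DataFlow::exprNode(call.getArgument(0)))
select param, call
```

Global data flow analysis requires extending the `DataFlow::Configuration` class and overriding the `isSource` and `isSink` predicates.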

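```
import java
import semmle.code.java.dataflow.DataFlow

class MyConfig extends DataFlow::Configuration {
  MyConfig() { this = "Myconfig" }

  override predicate isSource(DataFlow::Node source) {
    // .... define the sources here; none() is a placeholder so the skeleton compiles
    none()
  }

  override predicate isSink(DataFlow::Node sink) {
    // .... define the sinks here; none() is a placeholder so the skeleton compiles
    none()
  }
}
```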

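# Taint tracking

Global taint tracking analysis requires extending the `TaintTracking::Configuration` class and overriding the `isSource` and `isSink` predicates.

```
import java
import semmle.code.java.dataflow.TaintTracking
// Needed by a path query: supplies the edges relation used to display paths
import DataFlow::PathGraph

class VulConfig extends TaintTracking::Configuration {
  VulConfig() { this = "myConfig" }

  override predicate isSource(DataFlow::Node source) {
    // Define the taint sources here; none() is a placeholder so the skeleton compiles
    none()
  }

  override predicate isSink(DataFlow::Node sink) {
    // Define the taint sinks here; none() is a placeholder so the skeleton compiles
    none()
  }
}

from VulConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "source are"
```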
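
A filled-in version of the skeleton above, as an added example that is not part of the original README: a path query that reports remote user input reaching the first argument of `ExpressionParser.parseExpression`, reusing the SpEL sink from the local data flow section and the `getAnAncestor()` match from the basic queries. It assumes the legacy `TaintTracking::Configuration` API used on this page and the standard library's `RemoteFlowSource`; the names `ParseExpressionCall` and `SpelConfig` and the `@id` value are made up for illustration.

```ql
/**
 * @name SpEL expression built from remote input (added example)
 * @description Remote input that reaches ExpressionParser.parseExpression
 *              can be evaluated as a SpEL expression.
 * @kind path-problem
 * @problem.severity error
 * @id java/example/spel-from-remote-input
 */

import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph

/** A call to `parseExpression` declared on `ExpressionParser` or any of its subtypes. */
class ParseExpressionCall extends MethodAccess {
  ParseExpressionCall() {
    this.getMethod().hasName("parseExpression") and
    // getAnAncestor() is reflexive and transitive, so calls through the
    // interface and through implementations are both matched
    this.getMethod()
        .getDeclaringType()
        .getAnAncestor()
        .hasQualifiedName("org.springframework.expression", "ExpressionParser")
  }
}

/** Taint tracking from any remote input to the parsed expression string. */
class SpelConfig extends TaintTracking::Configuration {
  SpelConfig() { this = "SpelConfig" }

  // Source: anything the standard library models as remote user input
  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sink: the expression string handed to the parser
  override predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(ParseExpressionCall c).getArgument(0)
  }
}

from SpelConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "SpEL expression depends on $@.", source.getNode(),
  "a user-provided value"
```

Unlike the local query, this follows the value across method boundaries, so a request parameter that is passed through helper methods before reaching the parser is still reported.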

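# White-box scanning

The QL libraries ship with queries for many common security vulnerabilities, which can be used directly to scan a project's source code.

https://codeql.github.com/codeql-query-help/java/

The following queries are ready-made:

Java

1. Zip Slip (arbitrary file overwrite during zip extraction)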

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql

2. Command injection

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql

3. Cookie security

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql

4. XSS

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-079/XSS.ql

5. Dependency vulnerabilities

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql

6. Deserialization

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql

7. HTTP header injection

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql

8. URL redirection

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql

9. LDAP injection

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql

10. SQL injection

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql

11. File permissions and path injection

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql

12. XML injection

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-611/XXE.ql

13. SSL verification

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql

14. Weak cryptography

https://github.com/github/codeql/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql

15. Predictable random seed

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql

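The `codeql database analyze` command can run a single `.ql` file, all `.ql` files in a directory, or a query suite (`.qls`).

For white-box scanning, use the following command (it runs all vulnerability queries):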

```
codeql database analyze source_database_name qllib/java/ql/src/codeql-suites/java-security-extended.qls --format=csv --output=java-results.csv
```

Queries you write yourself for use with `analyze` must follow the conventions and include metadata such as `@kind`, like this:

```
/**
 * @name Incomplete regular expression for hostnames
 * @description Matching a URL or hostname against a regular expression that contains an unescaped
 *              dot as part of the hostname might match more hostnames than expected.
 * @kind path-problem
 * @problem.severity warning
 * @security-severity 7.8
 * @precision high
 * @id go/incomplete-hostname-regexp
 * @tags correctness
 *       security
 *       external/cwe/cwe-20
 */
```

# Recommended articles

- https://github.com/SummerSec/learning-codeql
- https://www.anquanke.com/post/id/203674
- https://fynch3r.github.io/tags/CodeQL/
- https://www.freebuf.com/articles/web/283795.html