add stop_if_match/mismatch

zan8in · zan8in · commit 8afb897bc661 · 2022-04-05T11:46:58.000+08:00
diff --git a/pkg/core/checker.go b/pkg/core/checker.go
@@ -34,19 +34,18 @@ func (c *Checker) Check(target string, pocItem poc.Poc) (err error) {
 	c.FastClient.DialTimeout = c.Options.Config.ConfigHttp.DialTimeout
 	c.FastClient.UserAgent = c.Options.Config.ConfigHttp.UserAgent
 
-	pocHandler := ""
+	matchCondition := ""
 	if strings.Contains(pocItem.Expression, "&&") && !strings.Contains(pocItem.Expression, "||") {
-		pocHandler = poc.ALLAND
+		matchCondition = poc.STOP_IF_FIRST_MISMATCH
 	}
 	if strings.Contains(pocItem.Expression, "||") && !strings.Contains(pocItem.Expression, "&&") {
-		pocHandler = poc.ALLOR
+		matchCondition = poc.STOP_IF_FIRST_MATCH
 	}
 
 	if !strings.HasPrefix(target, "http://") && !strings.HasPrefix(target, "https://") {
 		target = "http://" + target
 	}
 
-	// original request
 	c.OriginalRequest, err = http.NewRequest("GET", target, nil)
 	if err != nil {
 		log.Log().Error(fmt.Sprintf("rule map originalRequest err, %s", err.Error()))
@@ -76,67 +75,56 @@ func (c *Checker) Check(target string, pocItem poc.Poc) (err error) {
 		k := ruleMap.Key
 		rule := ruleMap.Value
 
-		utils.RandSleep(500) // firewall just test.
+		utils.RandSleep(500)
 
-		err = c.FastClient.HTTPRequest(c.OriginalRequest, rule, c.VariableMap)
-		if err != nil {
-			log.Log().Error(fmt.Sprintf("rule map fasthttp.HTTPRequest err, %s", err.Error()))
-			c.CustomLib.WriteRuleFunctionsROptions(k, false)
-			continue
-		}
-
-		// run cel expression
-		isVul, err := c.CustomLib.RunEval(rule.Expression, c.VariableMap)
-		if err != nil {
-			log.Log().Error(fmt.Sprintf("rule map RunEval err, %s", err.Error()))
-			c.CustomLib.WriteRuleFunctionsROptions(k, false)
-			continue // not return, because may be need test next pocItem. ？？？
+		isMatch := false
+		if err = c.FastClient.HTTPRequest(c.OriginalRequest, rule, c.VariableMap); err == nil {
+			evalResult, _ := c.CustomLib.RunEval(rule.Expression, c.VariableMap)
+			isMatch = evalResult.Value().(bool)
 		}
 
-		// set result function eg: r1() r2()
-		c.CustomLib.WriteRuleFunctionsROptions(k, isVul.Value().(bool))
+		c.CustomLib.WriteRuleFunctionsROptions(k, isMatch)
 
-		// update output cel and variableMap
 		if len(rule.Output) > 0 {
 			c.UpdateVariableMap(rule.Output)
 		}
 
-		c.Result.AllPocResult = append(c.Result.AllPocResult, &PocResult{IsVul: isVul.Value().(bool), ResultRequest: c.VariableMap["request"].(*proto.Request), ResultResponse: c.VariableMap["response"].(*proto.Response)})
+		c.Result.AllPocResult = append(c.Result.AllPocResult,
+			&PocResult{IsVul: isMatch, ResultRequest: c.VariableMap["request"].(*proto.Request), ResultResponse: c.VariableMap["response"].(*proto.Response)})
 
-		if rule.Request.Todo == poc.TODO_FAILURE_NOT_CONTINUE && !isVul.Value().(bool) {
+		if rule.StopIfMismatch && !isMatch {
 			c.Result.IsVul = false
 			c.Options.ApiCallBack(c.Result)
 			return err
 		}
 
-		if rule.Request.Todo == poc.TODO_SUCCESS_NOT_CONTINUE && isVul.Value().(bool) {
+		if rule.StopIfMatch && isMatch {
 			c.Result.IsVul = true
 			c.Options.ApiCallBack(c.Result)
 			return err
 		}
 
-		if pocHandler == poc.ALLOR && isVul.Value().(bool) {
-			c.Result.IsVul = true
+		if matchCondition == poc.STOP_IF_FIRST_MISMATCH && !isMatch {
+			c.Result.IsVul = false
 			c.Options.ApiCallBack(c.Result)
 			return err
 		}
-		if pocHandler == poc.ALLAND && !isVul.Value().(bool) {
-			c.Result.IsVul = false
+
+		if matchCondition == poc.STOP_IF_FIRST_MATCH && isMatch {
+			c.Result.IsVul = true
 			c.Options.ApiCallBack(c.Result)
 			return err
 		}
 	}
 
-	// run final cel expression
 	isVul, err := c.CustomLib.RunEval(pocItem.Expression, c.VariableMap)
 	if err != nil {
-		log.Log().Error(fmt.Sprintf("final RunEval err, %s", err.Error()))
+		log.Log().Error(fmt.Sprintf("Final RunEval Error: %s", err.Error()))
 		c.Result.IsVul = false
 		c.Options.ApiCallBack(c.Result)
 		return err
 	}
 
-	// save final result
 	c.Result.IsVul = isVul.Value().(bool)
 	c.Options.ApiCallBack(c.Result)
 
diff --git a/pkg/poc/poc.go b/pkg/poc/poc.go
@@ -13,10 +13,8 @@ import (
 // Rule有序，参考：https://github.com/WAY29/pocV/blob/main/pkg/xray/structs/poc.go
 
 const (
-	ALLOR                     = "allor"
-	ALLAND                    = "alland"
-	TODO_FAILURE_NOT_CONTINUE = "TODO_FAILURE_NOT_CONTINUE" // 请求失败不继续
-	TODO_SUCCESS_NOT_CONTINUE = "TODO_SUCCESS_NOT_CONTINUE" // 请求成功不继续
+	STOP_IF_FIRST_MATCH    = "STOP_IF_FIRST_MATCH"
+	STOP_IF_FIRST_MISMATCH = "STOP_IF_FIRST_MISMATCH"
 )
 
 type Poc struct {
@@ -47,24 +45,27 @@ type RuleMap struct {
 // 用于帮助yaml解析，保证Rule有序
 type RuleMapSlice []RuleMap
 type Rule struct {
-	Request    RuleRequest   `yaml:"request"`
-	Expression string        `yaml:"expression"`
-	Output     yaml.MapSlice `yaml:"output"`
-	order      int
+	Request        RuleRequest   `yaml:"request"`
+	Expression     string        `yaml:"expression"`
+	Output         yaml.MapSlice `yaml:"output"`
+	StopIfMatch    bool          `yaml:"stop_if_match"`
+	StopIfMismatch bool          `yaml:"stop_if_mismatch"`
+	order          int
 }
 
 type ruleAlias struct {
-	Request    RuleRequest   `yaml:"request"`
-	Expression string        `yaml:"expression"`
-	Output     yaml.MapSlice `yaml:"output"`
+	Request        RuleRequest   `yaml:"request"`
+	Expression     string        `yaml:"expression"`
+	Output         yaml.MapSlice `yaml:"output"`
+	StopIfMatch    bool          `yaml:"stop_if_match"`
+	StopIfMismatch bool          `yaml:"stop_if_mismatch"`
 }
 
 // http/tcp/udp cache 是否使用缓存的请求，如果该选项为 true，那么如果在一次探测中其它脚本对相同目标发送过相同请求，那么便使用之前缓存的响应，而不发新的数据包
 // content 用于tcp/udp请求，请求内容，比如：content: "request"
 // read_timeout 用于tcp/udp请求，发送请求之后的读取超时时间（注 实际是一个 int， 但是为了能够变量渲染，设置为 string）
 // connection_id 用于tcp/udp请求，连接 id ,同一个连接 id 复用连接(注 不允许用0； cache 为 true 的时候可能会导致请求不会发送，所以如果有特殊需求记得 cache: false)
 type RuleRequest struct {
-	Cache           bool              `yaml:"cache"`
 	Content         string            `yaml:"content"`       // tcp/udp专用
 	ReadTimeout     string            `yaml:"read_timeout"`  // tcp/udp专用
 	ConnectionId    string            `yaml:"connection_id"` // tcp/udp专用
@@ -73,7 +74,6 @@ type RuleRequest struct {
 	Headers         map[string]string `yaml:"headers"`
 	Body            string            `yaml:"body"`
 	FollowRedirects bool              `yaml:"follow_redirects"`
-	Todo            string            `yaml:"todo"`
 }
 
 // 以下开始是 信息部分
@@ -162,6 +162,8 @@ func (r *Rule) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	r.Request = tmp.Request
 	r.Expression = tmp.Expression
 	r.Output = tmp.Output
+	r.StopIfMatch = tmp.StopIfMatch
+	r.StopIfMismatch = tmp.StopIfMismatch
 	r.order = order
 
 	order += 1
diff --git a/pocs/stop_if_match_test.yaml b/pocs/stop_if_match_test.yaml
@@ -0,0 +1,25 @@
+id: stop_if_match_test
+
+info:
+  name: Stop if match test
+  author: zan8in
+  severity: info
+
+rules:
+  r0:
+    request:
+      method: GET
+      path: /
+    expression: response.status==200
+    stop_if_match: true
+  r1:
+    request:
+      method: GET
+      path: /test1.php
+    expression: response.status == 200
+  r2:
+    request:
+      method: GET
+      path: /test1.php
+    expression: response.status == 200
+expression: r0() && (r1() || r2())
