ChatGPT，未来可期

之前直播或者私信很多人问我：黑哥，AI你怎么看？每次这种情况我都会提到2018年看到一个关于“区块链”的图

实际上这个图也适用于AI，当然这里我有必要强调下我不是说我鄙视这些。我想表达的是很多时候你的问题或者你的场景很可能是用不到这些所谓先进概念的，很可能一个正则表达式就能完胜所谓的“机器学习”带来的效果。换个角度来说当你遇到的场景及问题在现有的传统模式可能不太好解决，或者解决的成本非常高，或者效果瓶颈等，这个时候去试一试AI，试一试机器学习可能会有新的突破，所以AI技术更加适合于具体的应用场景！

在本周OpenAI发布了一个全新的机器人模型ChatGPT，得到广泛关注，也有一些媒体用了一些夸张的标题及描叙：

行走的代码生成器：chatGPT要让谷歌和程序员“下岗”了https://m.huxiu.com/article/731833.html

于是就想着玩一下，当然我平时是不太喜欢折腾这些东西，基本都只是个“玩具”，不过通过今天测试来看虽然不能彻底洗刷在我心里“玩具”的标签，但确实让我改观了不少，甚至可能在日后很好的融入到我的一些工作里！

注册

ChatGPT https://chat.openai.com/ 

我直接注册是没成功的，问了下404的小伙伴说需要国外的手机号才行，所以我就找小伙伴白嫖了一个账号试用。

试用

这里就说一下比较有意思的点：

1、支持中文

因为受到推特的用户及经验主义影响，自然而然的觉得应该不支持中文，所以开始使用都用Google翻译成英文去提问，结果到我输入法切换问题，直接输入了个“你好”，然后居然给了我中文的回应 如下图

所以大家玩的时候可以考虑输入中文，但是可能因为是语法训练及翻译本身的原因，可能导致你可能是同一个问题的表述，得到的结果中英文可能不匹配：

2、相比漏洞它更懂代码意图

从虎啸的那个文章及推特上的一些用户说它能找漏洞，我随手输入的了个简单的PHP代码：

Is there a bug in this code? <?php echo("$_GET['abc']")?>

得到的回复如下：

It is difficult to determine if there is a bug in this code without more information. The code you provided is a PHP script that uses the $_GET variable to access a value passed to the script through a URL query string parameter called abc. This value is then passed to the echo() function, which outputs the value to the screen.

One potential issue with this code is that it does not properly escape the $_GET variable when it is passed to the echo() function. This could allow a malicious user to insert arbitrary code into the abc parameter, which could be executed by the PHP script. To avoid this issue, the $_GET variable should be properly escaped using the htmlspecialchars() function before being passed to the echo() function.

虽然它开头说很难判断是不是存在bug，但是很明显在后面的回复里它看到这个代码的安全漏洞！当然我觉得这个代码太简单，于是找404的小伙们提供了不少CTF的题目进行测试：

问题：

HttpServer srv = HttpServer.create(new InetSocketAddress(9000), 0);
srv.createContext("/", new HttpHandler() {    @Override    public void handle(HttpExchange he) throws IOException {        String ret = "<!DOCTYPE html><html><head><title>Comments</title></head><body><table>";        try {            ResultSet rs = statement.executeQuery("select * from comments");            while (rs.next()) {                String comment = rs.getString("comment").replace("<", "&lt;").replace(">", "&gt;");                ret += "<tr><td>" + Normalizer.normalize(comment, Normalizer.Form.NFKC) + "</td></tr>n";            }            Main.response(he, 200, ret + "</table></body></html>");        } catch (Exception exp) {            System.out.println(exp);            Main.response(he, 500, "Internal Server Error");        }    }});

srv.createContext("/comment", new HttpHandler() {    @Override    public void handle(HttpExchange he) throws IOException {        try {            JSONObject jsonObject = (JSONObject)(new JSONParser()).parse(new InputStreamReader(he.getRequestBody(), "UTF-8"));            PreparedStatement stmt = finalConnection.prepareStatement("insert into comments values(?)");            stmt.setString(1, (String)jsonObject.get("comment"));            stmt.executeUpdate();            Main.response(he, 200, "Ok");        } catch (Exception exp) {            Main.response(he, 500, "Internal Server Error");        }    }});srv.start();

Is there a vulnerability in this code?

回复如下：

It is difficult to determine if there are vulnerabilities in this code without more information. The code you provided is a Java server that uses the HttpServer class from the Java SE com.sun.net.httpserver package to create an HTTP server that listens on port 9000. The server defines two HTTP contexts: “/” and “/comment”.

One potential issue with this code is that it does not properly validate or sanitize user input. The handle() method of the HttpHandler implementation for the “/comment” context parses a JSON object from the request body and inserts it into the comments table of a database. However, the code does not check the contents of the “comment” field of the JSON object to ensure that it does not contain any potentially malicious code. This could allow a malicious user to insert arbitrary SQL code into the comments table, potentially compromising the security of the database. To avoid this issue, the code should properly validate and sanitize user input before inserting it into the database.

在代码意图上还是表现不错的，不过漏洞识别就不太那么给力了，或者这个是java模型问题，我们换了几个其他的问题

问：

<?php  $text = $_GET["text"];$file = $_GET["file"];$password = $_GET["password"];if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";    if(preg_match("/flag/",$file)){        echo "Not now!";        exit();     }else{        include($file);  //useless.php        $password = unserialize($password);        echo $password;    }}else{    highlight_file(__FILE__);}?>Is there a vulnerability in this code?

答：

It is difficult to determine if there are vulnerabilities in this code without more information. The code you provided is a PHP script that uses the $_GET superglobal variable to access query string parameters passed to the script. The script then performs a series of checks on the values of these parameters and takes different actions based on the results of those checks.

One potential issue with this code is that it does not properly validate or sanitize user input. The script includes a file whose name is specified by the file parameter of the query string, and echoes the value of the password parameter without any validation or sanitization. This could allow a malicious user to insert arbitrary code into the file parameter, potentially compromising the security of the server. Additionally, echoing the password parameter without proper validation or sanitization could expose sensitive information. To avoid these issues, the code should properly validate and sanitize user input before using it.

从这个回复来看可以说识别了一半，对于反序的问题没有识别出来，由此可见这个的训练安全模型里应该是不支持反序问题。

我们又实验了下c语言的CTF题目：

#include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>

char* Note[10];void init_buf(){    setbuf(stdin, 0);    setbuf(stdout, 0);    setbuf(stderr, 0);}

unsigned long get_number(){    unsigned long re = 0;    scanf("%lu", &re);

    return re;}

void menu(){    printf("1. Add Noten");    printf("2. Delete Noten");    printf("3. Show Noten");    printf("4. Exitn");    printf("5. Edit Namen");    printf("Choice > ");}void Add_note(){    printf("Index: ");    unsigned int index = get_number();    if (index < 9)    {        printf("Size: ");        unsigned int size = get_number();        char* temp = (char*)malloc(size);        if (temp)        {            printf("Context: ");            Note[index] = temp;            read(0, Note[index], size);        }    }}void Del_note(){    printf("Index: ");    unsigned long index = get_number();    free(Note[index]);    Note[index]=0;}void Show_note(){    printf("Index: ");    unsigned int index = get_number();    if (index < 9 && Note[index])    {        printf("Context: %s", Note[index]);    }}

void Edit_show_name(char *name){        read(0,name,0x30);        printf("Hello,%sn",name);        return;}

int main(void){    init_buf();    char name[0x30];    while (1)    {        menu();        switch (get_number())        {        case 1:            Add_note();            break;        case 2:            Del_note();            break;        case 3:            Show_note();            break;        case 4:            goto exit_tag;            break;        case 5:            Edit_show_name(name);            break;        default:            puts("Error Input.");            break;        }    }exit_tag:    return 0;}

Is there a vulnerability in this code?

回答：

It is difficult to determine if there are vulnerabilities in this code without more information. The code you provided is a C program that implements a simple menu-driven application for managing notes. The program defines several functions for adding, deleting, and displaying notes, as well as a function for editing the user’s name.

One potential issue with this code is that it does not properly validate user input. The get_number() function uses the scanf() function to read an unsigned long integer from standard input without any bounds checking. This could allow a malicious user to supply a large number that could cause a buffer overflow or other issues. Additionally, the Add_note() function does not check the size of the user-supplied buffer before allocating memory for it and reading input into it. This could allow a malicious user to allocate a large amount of memory, potentially leading to a denial of service attack. To avoid these issues, the code should properly validate user input to ensure that it is within the expected range and does not exceed any allocated buffers.

对程序的功能意图还是有非常好的理解，只是在漏洞上来看它发现了一个bug点，但是没有发现漏洞点，所以结合上面的例子来看，目前这个模型主要还是读懂理解代码上，对于安全漏洞模型相比还不太够。

当然我们还做了很多的提交，在php的方面表现还是非常不错的，比如：

<?php $__=('>'>'<')+('>'>'<'); $_=$__/$__; $____=''; $___="瞰";$____.=~($___{$_});$___="和";$____.=~($___{$__});$___="和";$____.=~($___{$__});$___="的";$____.=~($___{$_});$___="半";$____.=~($___{$_});$___="始";$____.=~($___{$__}); $_____='_';$___="俯";$_____.=~($___{$__});$___="瞰";$_____.=~($___{$__});$___="次";$_____.=~($___{$_});$___="站";$_____.=~($___{$_}); $_=$$_____; $____($_[$__]);

回复如下：

This code is using a combination of variable names, string concatenation, and the eval() function to execute code. It is difficult to determine the exact purpose or behavior of this code without more context.

One potential issue with this code is that it uses the eval() function, which is often considered a security vulnerability because it allows arbitrary code to be executed. Using the eval() function can make it difficult to ensure that the code being executed is safe, and it can potentially expose the server to attacks. Additionally, the code uses a series of complex and obfuscated variable assignments and string concatenations to construct the input to the eval() function, which makes it difficult to understand and analyze the code. To avoid these issues, it is generally recommended to avoid using the eval() function, and to use safer alternatives like include() or require() to execute external PHP code. It is also recommended to write code in a clear and readable manner to make it easier to understand and analyze.

单从这个能识别出来代码执行上来看就可以说是非常不错的表现，这个实际上完全可以用到WebShell的检测上面的。

3、能关联前后文

在以往的一些项目里比如啥子微软bing的小冰啥的，国内的那些啥子小爱同学啥的智能音箱啥的都基本上算一个问题一个问题，它们不会去关联上下文，但是OpenAI这个就很明显，比如前面因为测试漏洞检测，提交了太多的PHP代码，于是我在测试代码生成的时候，它就默认给我输出了PHP的代码 …

还有在前面我提到了一个IP地址是测试另外的问题的，然后在后面输出的代码案例里，它自动就使用了前面提到的这个IP地址作为例子, 由此可见你输入的这些测试问题，都已经在不断进入学习流程。

4、“面向黑哥编程”得到解放

在外面404里面很多小伙伴都遇到一个的“艰难”的问题，就是面向“黑哥编程”，因为我经常性的有一些临时需求写一些小脚本，虽然脚本简单有时候可能因为沟通理解上的问题也非常难缠，以至于在我们小伙在写招聘启事里都写名：面向黑哥编程 …

在我今天几个测试里，OpenAI的表现还是非常不熟的，尤其是针对我这种不太懂编程，甚至是之前没掌握的语言，又临时需要搞点小脚本的情况下，使用OpenAI就非常有用，单从这点来说就不能用“玩具”来标签了！

还有一个问题就是对于我这种半吊子正则很多时候都是噩梦般的存在，平时都靠baid/google搜索然后各种测试，往往找到的还那么不尽人意，而我测试几个小例子，直接输出代码还能直接运行，如下图：

当然这个例子没有说明是py2还是py3，要不是我机智，差点我就给它差评了！哈哈 果然还是我最聪明 …

在这个例子上很显然OpenAI理解输入的需求描叙，也完成了对应代码输出，可以说几乎完美！！！

5、不要把它当成查询工具

可能是因为Chat形式，很自然的联系到那种机器人查询功能的那种场景，所以会提一些查询类的问题，经过我测试比如我输入某个IP，某个CVE编号人家都反馈不支持，如下图：

当然当我输入三上悠亚的时候，人家肯定说不认识了，如下图：

不过对于一些知名网站域名还是可以的：

6、OpenAI本身的漏洞

我平时不太喜欢的搞安全的人一些装x陋习，比如不管是啥场景，啥地点，去干啥一看到有一个屏幕的自助机，就想去弹个啥软键盘出来，还要拍个照发个朋友圈的行为（我只是说我不太喜欢，大家不要对号入座 哈哈）

所以我看到很多推特上也有不少去测试的，比如说让OpenAI通过Curl去访问一个IP并得到返回的，说发现了一个ssrf，还有比如让它直接执行命令成功的，当然还有一些打开etc/passwd的，不过这些我测试，我都没有成功触发，并明确告诉你不支持，当然这很可能被fixed了，这个就不得而知了!

另外一个点就是污染的问题，这个有点类似Google翻译那种事情，是不是也可以通过大量提交污染的答案，就需要大家的测试了，当然如果真的存在，日后在这种OpenAI写的代码里植入点后门啥的 或许也有这种可能性？

7、令人惊艳的回答

赛博空间与网络空间的区别这个问题，我之前一直在纠结（有机会我会写一篇详细的问题来阐述），因为很多时候在翻译上是等同的，之前也没有找到谁能有直观了当的描叙，于是我提交给了chatGPT，虽然它的回复我也不是完全认同的，但是确实惊艳到了我：

最后

整体上对于我来说这次对chatGPT的体验还是非常不错的，虽然没有彻底洗刷“玩具”的标签，但是也确实看到了实际应用的场景及可能。当然这些都局限在我认知及熟悉的领域，不能代表其他任何人！

chatGPT，未来可期！

原文始发于微信公众号（黑哥虾撩）：ChatGPT，未来可期