Fuzzing with Sulley

Fuzz testing with the Sulley framework

1. Fuzzing Python's http.server with Sulley

  • Fuzzing target: the http.server module in Python
  • Environment: deepin 15.4
  • Tool: the Sulley fuzzing framework

Step 1. Build the fuzz data file

Use Sulley's bundled http_get.py request definition (requests/http_get.py) as the fuzz data:

from sulley import *

"""
Wire these requests into a session with:
sess.connect(s_get("HTTP VERBS"))
sess.connect(s_get("HTTP METHOD"))
sess.connect(s_get("HTTP REQ"))
"""

########################################################################################################################
# Fuzz all the publicly available methods known for HTTP servers
########################################################################################################################
s_initialize("HTTP VERBS")
s_group("verbs", values=["GET", "HEAD", "POST", "OPTIONS", "TRACE", "PUT", "DELETE", "PROPFIND", "CONNECT", "PROPPATCH",
                         "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "VERSION-CONTROL", "REPORT", "CHECKOUT", "CHECKIN", "UNCHECKOUT",
                         "MKWORKSPACE", "UPDATE", "LABEL", "MERGE", "BASELINE-CONTROL", "MKACTIVITY", "ORDERPATCH", "ACL", "PATCH", "SEARCH", "CAT"])

# The block is emitted once per verb in the group; every mutable primitive
# inside it (s_delim / s_string / s_int) is then fuzzed in turn. s_static
# content is never mutated.
if s_block_start("body", group="verbs"):
    s_delim(" ")
    s_delim("/")
    s_string("index.html")
    s_delim(" ")
    s_string("HTTP")
    s_delim("/")
    s_int(1, format="ascii")
    s_delim(".")
    s_int(1, format="ascii")
    s_static("\r\n\r\n")
s_block_end()

########################################################################################################################
# Fuzz the HTTP method itself
########################################################################################################################
s_initialize("HTTP METHOD")
s_string("FUZZ")
s_static(" /index.html HTTP/1.1")
s_static("\r\n\r\n")

########################################################################################################################
# Fuzz this standard multi-header HTTP request
# GET / HTTP/1.1
# Host: www.google.com
# Connection: keep-alive
# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Encoding: gzip,deflate,sdch
# Accept-Language: en-US,en;q=0.8
# Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
########################################################################################################################
s_initialize("HTTP REQ")
s_static("GET / HTTP/1.1\r\n")

# Host: www.google.com
s_static("Host")
s_delim(":")
s_delim(" ")
s_string("www.google.com")
s_static("\r\n")

# Connection: keep-alive
s_static("Connection")
s_delim(":")
s_delim(" ")
s_string("Keep-Alive")
s_static("\r\n")  # line terminator missing in the original file; without it the next header is glued onto this one

# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1
s_static("User-Agent")
s_delim(":")
s_delim(" ")
s_string("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1")
s_static("\r\n")

# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
s_static("Accept")
s_delim(":")
s_delim(" ")
s_string("text")
s_delim("/")
s_string("html")
s_delim(",")
s_string("application")
s_delim("/")
s_string("xhtml")
s_delim("+")
s_string("xml")
s_delim(",")
s_string("application")
s_delim("/")
s_string("xml")
s_delim(";")
s_string("q")
s_delim("=")
s_int(0, format="ascii")
s_delim(".")
s_int(9, format="ascii")
s_delim(",")
s_string("*")
s_delim("/")
s_string("*")
s_delim(";")
s_string("q")
s_delim("=")
s_int(0, format="ascii")
s_delim(".")
s_int(8, format="ascii")
s_static("\r\n")

# Accept-Encoding: gzip,deflate,sdch
s_static("Accept-Encoding")
s_delim(":")
s_delim(" ")
s_string("gzip")
s_delim(",")
s_string("deflate")
s_delim(",")
s_string("sdch")
s_static("\r\n")

# Accept-Language: en-US,en;q=0.8
s_static("Accept-Language")
s_delim(":")
s_delim(" ")
s_string("en-US")
s_delim(",")
s_string("en")
s_delim(";")
s_string("q")
s_delim("=")
s_string("0.8")
s_static("\r\n")

# Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
s_static("Accept-Charset")
s_delim(":")
s_delim(" ")
s_string("ISO")
s_delim("-")
s_int(8859, format="ascii")
s_delim("-")
s_int(1, format="ascii")
s_delim(",")
s_string("utf-8")
s_delim(";")
s_string("q")
s_delim("=")
s_int(0, format="ascii")
s_delim(".")
s_int(7, format="ascii")
s_delim(",")
s_string("*")
s_delim(";")
s_string("q")
s_delim("=")
s_int(0, format="ascii")
s_delim(".")
s_int(3, format="ascii")
s_static("\r\n\r\n")
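The request file above is easier to reason about once you see how Sulley turns those primitive calls into test cases: s_static() content is emitted unchanged, while each s_string() / s_delim() / s_int() carries its own list of mutations, and the fuzzer walks the mutable primitives one at a time, sending one request per mutation with everything else at its default. The Python 3 model below is an added illustration written for this page; it is not Sulley's code, and the tiny mutation lists it uses are constructed stand-ins for Sulley's much larger libraries. It rebuilds the page's "HTTP METHOD" request and one verb's worth of the "HTTP VERBS" block, and shows where a case count such as "fuzzing N of M" comes from.

```python
# Added illustration of Sulley's request model (not Sulley's own code).
# A request is a list of primitives; static ones never change, mutable ones
# own a mutation list; the fuzzer emits one test case per mutation.
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Constructed, deliberately small mutation libraries. Sulley's real ones run
# to thousands of entries per primitive, which is why the page's run reports
# 82491 cases for "HTTP VERBS" alone.
STRING_MUTATIONS = ["", "A" * 64, "A" * 1024, "\x00", "\xff" * 16, "\r\n"]
DELIM_MUTATIONS = ["", "\t", "\r\n", " " * 16]
INT_MUTATIONS = ["0", "-1", "4294967295", "9" * 32]


@dataclass
class Primitive:
    kind: str    # "static", "string", "delim" or "int"
    value: str   # default (unfuzzed) rendering

    def mutations(self) -> List[str]:
        return {
            "static": [],                 # s_static: never mutated
            "string": STRING_MUTATIONS,
            "delim": DELIM_MUTATIONS,
            "int": INT_MUTATIONS,
        }[self.kind]


@dataclass
class Request:
    name: str
    primitives: List[Primitive] = field(default_factory=list)

    # Builder helpers named after Sulley's s_static / s_string / s_delim / s_int.
    def s_static(self, v: str) -> "Request":
        self.primitives.append(Primitive("static", v))
        return self

    def s_string(self, v: str) -> "Request":
        self.primitives.append(Primitive("string", v))
        return self

    def s_delim(self, v: str) -> "Request":
        self.primitives.append(Primitive("delim", v))
        return self

    def s_int(self, v: int) -> "Request":
        self.primitives.append(Primitive("int", str(v)))  # format="ascii"
        return self

    def render(self, fuzz_index: Optional[int] = None, mutant: str = "") -> bytes:
        """Wire bytes with primitive `fuzz_index` replaced by `mutant`
        (or the unfuzzed request when fuzz_index is None)."""
        parts = [mutant if i == fuzz_index else p.value
                 for i, p in enumerate(self.primitives)]
        return "".join(parts).encode("latin-1")

    def num_mutations(self) -> int:
        # This is the "of M" in Sulley's "fuzzing N of M" progress line.
        return sum(len(p.mutations()) for p in self.primitives)

    def cases(self) -> Iterator[Tuple[int, int, bytes]]:
        """Yield (primitive index, mutation number, wire bytes) per test case."""
        for i, p in enumerate(self.primitives):
            for j, m in enumerate(p.mutations()):
                yield i, j, self.render(i, m)


def http_method_request() -> Request:
    # The page's "HTTP METHOD" request: only the verb is mutable.
    return (Request("HTTP METHOD")
            .s_string("FUZZ")
            .s_static(" /index.html HTTP/1.1")
            .s_static("\r\n\r\n"))


def http_verb_line() -> Request:
    # One verb's instance of the page's "HTTP VERBS" block: path, protocol
    # token, separators and version digits are all mutable; the verb is not.
    return (Request("HTTP VERBS")
            .s_static("GET").s_delim(" ").s_delim("/").s_string("index.html")
            .s_delim(" ").s_string("HTTP").s_delim("/").s_int(1).s_delim(".").s_int(1)
            .s_static("\r\n\r\n"))


if __name__ == "__main__":
    for req in (http_method_request(), http_verb_line()):
        print("%s -> %d test cases" % (req.name, req.num_mutations()))
        for idx, n, wire in list(req.cases())[:3]:
            print("  primitive %d, mutation %d: %r" % (idx, n, wire))
```

Two things worth noticing: the delimiters count as mutable primitives, so the verb block's separators alone contribute more cases than its strings do, and the static tail of "HTTP METHOD" is byte-identical in every case, which is the property that makes a crash attributable to a specific primitive and mutation index.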

Step 2. Build the session

session.py
#coding:utf-8
from sulley import *
#from primitives import *
from requests import http_get  # the request definitions from step 1 (requests/http_get.py)


def do_fuzz():
    sess = sessions.session(session_filename="tmp.log")
    target = sessions.target("127.0.0.1", 8000)

    # Use procmon to watch the target process while fuzzing.
    # These options are carried over from Sulley's War-FTPD example and only
    # take effect when process_monitor.py is running with a matching process name.
    target.procmon = pedrpc.client("127.0.0.1", 26002)
    target.procmon_options = \
    {
        "proc_name": "War-ftpd"
    }

    # network_monitor.py (step 4) listens on port 26001 by default; without this
    # attachment the session never asks it to record a pcap per test case.
    target.netmon = pedrpc.client("127.0.0.1", 26001)

    sess.add_target(target)

    # Start first: process_monitor.py -c audits\war-ftp.crashbin -p war-ftpd.exe
    # sess.pre_send = bind
    # sess.connect(s_get("test"))
    # sess.connect(s_get("test"))
    sess.connect(s_get("HTTP VERBS"))
    sess.connect(s_get("HTTP METHOD"))
    sess.connect(s_get("HTTP REQ"))
    sess.fuzz()
    print "done fuzzing..."


if __name__ == "__main__":
    do_fuzz()

Step 3. Start the http.server program to be fuzzed

> python -m http.server

http.server is a module, so it is run with -m; it listens on port 8000 by default, which is the port session.py targets.

Step 4. Start network monitoring

> python network_monitor.py -d 1 -f "src or dst port 8000" -P net_log

  • -d selects the network interface to sniff on; 1 is eth0 on my machine
  • -f sets the BPF capture filter; "src or dst port 8000" keeps only traffic to or from port 8000, the fuzzed http.server
  • -P sets the directory the capture logs are written to

Step 5: Start fuzzing

> python session.py

When the session prints output like the following, fuzzing has started:

[2017-05-08 15:16:12,396] [ERROR] -> current fuzz path: -> HTTP VERBS
[2017-05-08 15:16:12,396] [ERROR] -> fuzzed 0 of 114866 total cases
[2017-05-08 15:16:12,495] [ERROR] -> fuzzing 11018 of 82491
[2017-05-08 15:16:12,498] [ERROR] -> xmitting: [1.11018]
[2017-05-08 15:16:12,499] [WARNING] -> sleeping for 1.000000 seconds
[2017-05-08 15:16:13,518] [ERROR] -> fuzzing 11019 of 82491
[2017-05-08 15:16:13,527] [ERROR] -> xmitting: [1.11019]
[2017-05-08 15:16:13,528] [WARNING] -> sleeping for 1.000000 seconds
[2017-05-08 15:16:14,554] [ERROR] -> fuzzing 11020 of 82491
[2017-05-08 15:16:14,558] [ERROR] -> xmitting: [1.11020]
[2017-05-08 15:16:14,559] [WARNING] -> sleeping for 1.000000 seconds
[2017-05-08 15:16:14,727] [CRITICAL] -> SIGINT received ... exiting
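The session output is what you work from when the target dies or you stop the run: "current fuzz path" names the request being fuzzed, "fuzzing N of M" is the position within that request, and "xmitting: [1.11020]" is the node number and mutation index of the case actually on the wire. Sulley's session takes a skip count to resume past cases already sent, so recovering that last index is the first triage step. The parser below is an added example for this page (not Sulley's code); the log it reads is constructed from the lines shown above.

```python
# Added example: reduce a Sulley session log to the facts needed for triage.
# Not Sulley's code; SAMPLE_LOG is constructed from the output shown on the page.
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
[2017-05-08 15:16:12,396] [ERROR] -> current fuzz path: -> HTTP VERBS
[2017-05-08 15:16:12,396] [ERROR] -> fuzzed 0 of 114866 total cases
[2017-05-08 15:16:12,495] [ERROR] -> fuzzing 11018 of 82491
[2017-05-08 15:16:12,498] [ERROR] -> xmitting: [1.11018]
[2017-05-08 15:16:12,499] [WARNING] -> sleeping for 1.000000 seconds
[2017-05-08 15:16:13,518] [ERROR] -> fuzzing 11019 of 82491
[2017-05-08 15:16:13,527] [ERROR] -> xmitting: [1.11019]
[2017-05-08 15:16:13,528] [WARNING] -> sleeping for 1.000000 seconds
[2017-05-08 15:16:14,554] [ERROR] -> fuzzing 11020 of 82491
[2017-05-08 15:16:14,558] [ERROR] -> xmitting: [1.11020]
[2017-05-08 15:16:14,559] [WARNING] -> sleeping for 1.000000 seconds
[2017-05-08 15:16:14,727] [CRITICAL] -> SIGINT received ... exiting
"""

# One Sulley log line: "[timestamp] [LEVEL] -> message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] -> (?P<msg>.*)$")
PATH_RE = re.compile(r"current fuzz path: -> (?P<path>.+)$")
TOTAL_RE = re.compile(r"fuzzed (?P<done>\d+) of (?P<total>\d+) total cases")
CASE_RE = re.compile(r"fuzzing (?P<n>\d+) of (?P<of>\d+)")
XMIT_RE = re.compile(r"xmitting: \[(?P<node>\d+)\.(?P<idx>\d+)\]")


def parse_session_log(text: str) -> Dict[str, object]:
    """Collect the request being fuzzed, the case counts, every transmitted
    (node, index) pair and how the run ended."""
    state: Dict[str, object] = {
        "path": None,            # request named in "current fuzz path"
        "total_cases": None,     # "of N total cases" across the whole session
        "request_cases": None,   # "of N" for the current request
        "xmitted": [],           # (node, mutation index) for each case sent
        "last_xmit_time": None,  # timestamp of the last "xmitting" line
        "stopped_by": None,      # "SIGINT" when the operator interrupted the run
    }
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Sulley log line (blank line, tool banner, ...)
        msg = m.group("msg")
        p = PATH_RE.search(msg)
        if p:
            state["path"] = p.group("path").strip()
            continue
        t = TOTAL_RE.search(msg)
        if t:
            state["total_cases"] = int(t.group("total"))
            continue
        c = CASE_RE.search(msg)
        if c:
            state["request_cases"] = int(c.group("of"))
            continue
        x = XMIT_RE.search(msg)
        if x:
            state["xmitted"].append((int(x.group("node")), int(x.group("idx"))))
            state["last_xmit_time"] = m.group("ts")
            continue
        if m.group("level") == "CRITICAL" and "SIGINT" in msg:
            state["stopped_by"] = "SIGINT"
    return state


def last_case(state: Dict[str, object]) -> Optional[Tuple[int, int]]:
    """The (node, index) of the last case on the wire: the one to replay if the
    target stopped responding, or the index to skip past when resuming."""
    xmitted: List[Tuple[int, int]] = state["xmitted"]  # type: ignore[assignment]
    return xmitted[-1] if xmitted else None


if __name__ == "__main__":
    s = parse_session_log(SAMPLE_LOG)
    print("request: %s, %s of %s cases in this request, %s cases in session"
          % (s["path"], len(s["xmitted"]), s["request_cases"], s["total_cases"]))
    print("last case on the wire: %s at %s (stopped by %s)"
          % (last_case(s), s["last_xmit_time"], s["stopped_by"]))
```

In a real run you would feed it the session's log file rather than the embedded sample, and pair the last (node, index) with the pcap that network_monitor.py wrote for that case.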

References

http://blog.sina.com.cn/s/blog_714c124f0101548r.html
https://wizardforcel.gitbooks.io/grey-hat-python/content/36.html
http://bbs.pediy.com/thread-135764.htm
http://www.xlgps.com/article/400245.html