
I was looking for a fuzzing library and happened to come across "boofuzz", but there is no example of how to use that library for HTTP fuzzing.

This is the only code I saw on their GitHub page, and they say it was taken from sulley (an older fuzzing library):

import sys
sys.path.insert(0, '../')  # run from the examples directory so the checkout's boofuzz is importable

from boofuzz.primitives import String, Static, Delim

class Group(object):
    blocks = []

    def __init__(self, name, definition=None):
        self.name = name
        # Keep a list even when no definition is given, so render() and
        # __repr__() work before add_definition() is called
        self.definition = list(definition) if definition else []

    def add_definition(self, definition):
        assert isinstance(definition, (list, tuple)), "Definition must be a list or a tuple!"
        self.definition = definition

    def render(self):
        # Concatenate the current value of every primitive into one request
        return "".join([x.value for x in self.definition])

    def exhaust(self):
        # Walk each primitive through all of its mutations, sending each one
        for item in self.definition:
            while item.mutate():
                current_value = item.value
                self.log_send(current_value)
                recv_data = self.send_buffer(current_value)
                self.log_recv(recv_data)

    def __repr__(self):
        return '<%s [%s items]>' % (self.__class__.__name__, len(self.definition))

    # noinspection PyMethodMayBeStatic
    def send_buffer(self, current_value):
        # Stub transport: a real harness would write to a socket here
        return "Sent %s!" % current_value

    def log_send(self, current_value):
        pass

    def log_recv(self, recv_data):
        pass


# Sulley-style short aliases for the primitives
s_static = Static
s_delim  = Delim
s_string = String

CloseHeader = Group(
    "HTTP Close Header",
    definition=[
        # GET / HTTP/1.1\r\n
        s_static("GET / HTTP/1.1\r\n"),
        # Connection: close
        s_static("Connection"), s_delim(":"), s_delim(" "), s_string("close"),
        s_static("\r\n\r\n")
    ]
)

OpenHeader = Group(
    "HTTP Open Header",
    definition=[
        # GET / HTTP/1.1\r\n
        Static("GET / HTTP/1.1\r\n"),
        # Connection: open
        Static("Connection"), Delim(":"), Delim(" "), String("open"),
        Static("\r\n\r\n")
    ]
)

# Equivalent form using add_definition():
# CloseHeader = Group("HTTP Close Header")
# CloseHeader.add_definition([
#     # GET / HTTP/1.1\r\n
#     s_static("GET / HTTP/1.1\r\n"),
#     # Connection: close
#     s_static("Connection"), s_delim(":"), s_delim(" "), s_string("close"),
#     s_static("\r\n\r\n")
# ])

If it is code from another library, why would they publish it? Is there a good explanation of how to use the boofuzz library?

1 Answer

If you google "http protocol format", the first result right now is this HTTP tutorial. If you read a few pages there you get a very good description of the protocol format. Based on that I wrote the following fuzz script; the source code is here

#!/usr/bin/env python
# Designed for use with boofuzz v0.0.9
from boofuzz import *


def main():
    # Fuzz a web server listening on localhost:80 over plain TCP
    session = Session(
        target=Target(
            connection=SocketConnection("127.0.0.1", 80, proto='tcp')
        ),
    )

    # Request-Line = Method SP Request-URI SP HTTP-Version CRLF (RFC 2616 sec. 5.1)
    s_initialize(name="Request")
    with s_block("Request-Line"):
        s_group("Method", ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'TRACE'])
        s_delim(" ", name='space-1')
        s_string("/index.html", name='Request-URI')
        s_delim(" ", name='space-2')
        s_string('HTTP/1.1', name='HTTP-Version')
        s_static("\r\n", name="Request-Line-CRLF")
    # The second CRLF terminates the (here empty) header section
    s_static("\r\n", "Request-CRLF")

    session.connect(s_get("Request"))

    session.fuzz()


if __name__ == "__main__":
    main()

Although I was tripped up for a while because I only had a single CRLF. After checking RFC 2616 (Section 5), it became clear that this example has to end with two CRLFs.

    Request       = Request-Line              ; Section 5.1
                    *(( general-header        ; Section 4.5
                     | request-header         ; Section 5.3
                     | entity-header ) CRLF)  ; Section 7.1
                    CRLF
                    [ message-body ]          ; Section 4.3

    [...]

    Request-Line   = Method SP Request-URI SP HTTP-Version CRLF

Obviously this fuzz script does not come close to covering the whole protocol. Just some things that could be added:

  1. HTTP headers (there are a lot of them)
  2. The dedicated format of each HTTP method
  3. A message body (e.g. on POST)
  4. Some way of picking valid URIs for the specific target server
  5. Reporting warnings based on the server's responses (this can get noisy, but server errors do tend to indicate... errors)

Answered 2017-10-25T06:22:05.793
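As an added example that is not part of the original answer or of boofuzz: a small parser for the RFC 2616 request grammar quoted above, which makes the one-CRLF mistake visible. A request whose header section is not yet closed by the blank line is reported as incomplete (which is what a server waiting on the socket sees), and the Request-Line, header lines and Content-Length are checked the same way. The sample requests are constructed.

```python
import re

# Constructed sample requests (not from the original post).  The first has the
# shape the fuzz script emits after the fix; the second stops after one CRLF.
COMPLETE_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nConnection: close\r\n\r\n"
TRUNCATED_REQUEST = b"GET /index.html HTTP/1.1\r\n"

# The same method set the s_group("Method", ...) in the fuzz script cycles through
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE"}
# Request-Line = Method SP Request-URI SP HTTP-Version  (CRLF already stripped)
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")
# field-name ":" optional whitespace field-value optional whitespace
HEADER_LINE = re.compile(rb"^([A-Za-z0-9!#$%&'*+.^_|~-]+):[ \t]*(.*?)[ \t]*$")


def parse_request(raw):
    """Parse per RFC 2616 sec. 5: Request-Line *(header CRLF) CRLF [message-body].

    Returns {"status": "ok", ...} for a well-formed request, "incomplete" when
    more bytes are needed (no blank line yet, or body shorter than
    Content-Length) and "malformed" when the bytes can never form a request.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        # Only one CRLF so far: the header section is still open, so a server
        # keeps reading instead of answering.
        return {"status": "incomplete", "reason": "header section not terminated by CRLF CRLF"}
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return {"status": "malformed", "reason": "bad Request-Line"}
    method, uri, version = (x.decode("ascii") for x in m.groups())
    if method not in METHODS:
        return {"status": "malformed", "reason": "unknown method " + method}
    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            return {"status": "malformed", "reason": "bad header line %r" % line}
        headers[h.group(1).decode("ascii").lower()] = h.group(2).decode("latin-1")
    expected = headers.get("content-length")
    if expected is not None:
        if not expected.isdigit():
            return {"status": "malformed", "reason": "non-numeric Content-Length"}
        if len(body) < int(expected):
            return {"status": "incomplete", "reason": "body shorter than Content-Length"}
        body = body[:int(expected)]  # anything beyond belongs to the next request
    return {"status": "ok", "method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}
```

Feeding the script's output through `parse_request` before fuzzing is a quick way to confirm the grammar renders a request the target can actually finish reading.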