
安全-使用sulley 进行fuzzing

2018-04-11  本文已影响26人  yunpiao

使用 sulley 进行fuzzing测试


1. 使用 sulley 对一个本地 HTTP 服务器（python http.server）进行 fuzzing 测试

第一步. 构造fuzz数据文件

采用 sulley 自带的 requests/http_get.py 数据文件进行 Fuzzing。注意：fuzzing 会向目标持续发送大量畸形请求并可能使其崩溃，只能针对自己拥有或已获得授权的目标，并在隔离的实验环境中进行；下面的监控组件（process_monitor / network_monitor）使用的 pedrpc 端口没有任何认证，不要暴露到非受信网络。

from sulley import *

"""
sess.connect(s_get("HTTP VERBS"))
sess.connect(s_get("HTTP METHOD"))
sess.connect(s_get("HTTP REQ"))
"""

########################################################################################################################
# Fuzz all the publicly avalible methods known for HTTP Servers
########################################################################################################################
# Every request method the sulley sample knows about; the group primitive
# iterates them in order, so the first element is what the pristine case sends.
HTTP_VERBS = [
    "GET", "HEAD", "POST", "OPTIONS", "TRACE", "PUT", "DELETE", "PROPFIND",
    "CONNECT", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "VERSION-CONTROL", "REPORT", "CHECKOUT", "CHECKIN", "UNCHECKOUT",
    "MKWORKSPACE", "UPDATE", "LABEL", "MERGE", "BASELINE-CONTROL", "MKACTIVITY",
    "ORDERPATCH", "ACL", "PATCH", "SEARCH", "CAT",
]

s_initialize("HTTP VERBS")
s_group("verbs", values=HTTP_VERBS)
# The request line after the verb: "<verb> /index.html HTTP/1.1\r\n\r\n".
# Path, protocol token and both version digits are fuzzable; the delimiters
# are fuzzed as delimiters, and the terminating CRLFCRLF is fixed.
if s_block_start("body", group="verbs"):
    s_delim(" ")
    s_delim("/")
    s_string("index.html")
    s_delim(" ")
    s_string("HTTP")
    s_delim("/")
    s_int(1, format="ascii")
    s_delim(".")
    s_int(1, format="ascii")
    s_static("\r\n\r\n")
s_block_end()

########################################################################################################################
# Fuzz the HTTP Method itself
########################################################################################################################
s_initialize("HTTP METHOD")
# Only the method token is mutated here; the rest of the request line is
# fixed so that the server's verb parsing alone is exercised.
s_string("FUZZ")
s_static(" /index.html HTTP/1.1\r\n\r\n")

########################################################################################################################
# Fuzz this standard multi-header HTTP request
# GET / HTTP/1.1
# Host: www.google.com
# Connection: keep-alive
# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Encoding: gzip,deflate,sdch
# Accept-Language: en-US,en;q=0.8
# Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
########################################################################################################################
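s_initialize("HTTP REQ")
# Fixed request line; every header below is "Name: value\r\n" with the name
# static, the ": " fuzzed as delimiters and the value (or its sub-tokens)
# fuzzed as strings/ints.  Each header MUST end with its own CRLF, otherwise
# two headers are concatenated onto one line and the request no longer
# exercises the header parser it was written for.
s_static("GET / HTTP/1.1\r\n")
# Host: www.google.com
s_static("Host")
s_delim(":")
s_delim(" ")
s_string("www.google.com")
s_static("\r\n")
# Connection: keep-alive
s_static("Connection")
s_delim(":")
s_delim(" ")
s_string("Keep-Alive")
# Fix: the original omitted this line terminator, so "Keep-Alive" ran
# straight into "User-Agent" on the wire.
s_static("\r\n")
# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1
s_static("User-Agent")
s_delim(":")
s_delim(" ")
s_string("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1")
s_static("\r\n")
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Tokenised down to type/subtype and q-value pieces so that each separator
# ("/", ",", ";", "=", ".") and each number is fuzzed independently.
s_static("Accept")
s_delim(":")
s_delim(" ")
s_string("text")
s_delim("/")
s_string("html")
s_delim(",")
s_string("application")
s_delim("/")
s_string("xhtml")
s_delim("+")
s_string("xml")
s_delim(",")
s_string("application")
s_delim("/")
s_string("xml")
s_delim(";")
s_string("q")
s_delim("=")
s_int(0, format="ascii")
s_delim(".")
s_int(9, format="ascii")
s_delim(",")
s_string("*")
s_delim("/")
s_string("*")
s_delim(";")
s_string("q")
s_delim("=")
s_int(0, format="ascii")
s_delim(".")
s_int(8, format="ascii")
s_static("\r\n")
# Accept-Encoding: gzip,deflate,sdch
s_static("Accept-Encoding")
s_delim(":")
s_delim(" ")
s_string("gzip")
s_delim(",")
s_string("deflate")
s_delim(",")
s_string("sdch")
s_static("\r\n")
# Accept-Language: en-US,en;q=0.8
s_static("Accept-Language")
s_delim(":")
s_delim(" ")
s_string("en-US")
s_delim(",")
s_string("en")
s_delim(";")
s_string("q")
s_delim("=")
s_string("0.8")
s_static("\r\n")
# Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
s_static("Accept-Charset")
s_delim(":")
s_delim(" ")
s_string("ISO")
s_delim("-")
s_int(8859, format="ascii")
s_delim("-")
s_int(1, format="ascii")
s_delim(",")
s_string("utf-8")
s_delim(";")
s_string("q")
s_delim("=")
s_int(0, format="ascii")
s_delim(".")
s_int(7, format="ascii")
s_delim(",")
s_string("*")
s_delim(";")
s_string("q")
s_delim("=")
s_int(0, format="ascii")
s_delim(".")
s_int(3, format="ascii")
# End of headers: blank line terminates the request.
s_static("\r\n\r\n")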

第二步. 构造session


#coding:utf-8
from sulley import *
#from primitives import *
from requests import  http_get


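def do_fuzz(host="127.0.0.1", port=8000, proc_name="War-ftpd",
            procmon_host="127.0.0.1", procmon_port=26002,
            session_filename="tmp.log"):
    """Fuzz one HTTP target with the three request definitions from http_get.py.

    All parameters default to the values the original script hard-coded, so
    calling ``do_fuzz()`` with no arguments behaves as before.

    Args:
        host, port: address of the HTTP server under test.
        proc_name: process name handed to process_monitor.py so it can
            attach to (and restart) the fuzzed process.
        procmon_host, procmon_port: where process_monitor.py is listening.
        session_filename: sulley session state file; sulley re-imports it on
            the next run if it already exists, so delete it to restart from
            case 0.

    Returns:
        None. Blocks until sess.fuzz() completes or is interrupted.
    """
    sess = sessions.session(session_filename=session_filename)
    target = sessions.target(host, port)

    # Crash detection via the process monitor.  It has to be started first,
    # e.g.  process_monitor.py -c audits\war-ftp.crashbin -p war-ftpd.exe
    # (adjust -p to the real server process).  pedrpc has no authentication,
    # so keep the monitor on loopback or an isolated lab network only.
    target.procmon = pedrpc.client(procmon_host, procmon_port)
    # NOTE(review): the default "War-ftpd" is a leftover from the war-ftpd
    # example and does not match the HTTP server on port 8000; unless
    # proc_name is overridden the monitor will not be watching the fuzzed
    # process and crashes will go unnoticed.
    target.procmon_options = {"proc_name": proc_name}
    sess.add_target(target)

    # Each request definition is an independent root node of the session
    # graph, so the three are fuzzed one after another.
    sess.connect(s_get("HTTP VERBS"))
    sess.connect(s_get("HTTP METHOD"))
    sess.connect(s_get("HTTP REQ"))
    sess.fuzz()

    # Parenthesised form works on both Python 2 (sulley's runtime) and 3.
    print("done fuzzing...")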

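# Run the fuzzer only when executed as a script (python session.py); the
# original `if 1:` guard started fuzzing as a side effect of merely importing
# this module.
if __name__ == "__main__":
    do_fuzz()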
    

第三步. 启动用于 fuzzing测试的 http.server 程序

> python http.server

（原文的命令不是一个可直接执行的形式。被测目标需要监听 session 中 `sessions.target("127.0.0.1", 8000)` 指定的地址：在 Python 2 下可用 `python -m SimpleHTTPServer 8000`，在 Python 3 下可用 `python -m http.server 8000` 启动一个最简单的 HTTP 服务器作为目标。sulley 本身运行在 Python 2 上。）

第四步. 开启网络监控

> python network_monitor.py -d 1 -f "src or dst port 8000" -P net_log

（原文过滤器写的是 `port 21`，那是 FTP 端口，是 war-ftpd 示例的遗留；本例的目标监听在 8000 端口，过滤器应与 session 中的端口一致，否则抓不到 fuzzing 流量。`-d 1` 为抓包网卡的编号，请按本机实际网卡选择。）

第五步: 开始 Fuzzing

> python session.py

session 显示如下，表示已经开始 fuzzing。日志从第 11018 个用例开始而不是从 0 开始，是因为 `session_filename="tmp.log"` 保存了上次的进度并在重新运行时恢复；若要从头开始，删除 tmp.log 即可。

[2017-05-08 15:16:12,396] [ERROR] -> current fuzz path:  -> HTTP VERBS
[2017-05-08 15:16:12,396] [ERROR] -> fuzzed 0 of 114866 total cases
[2017-05-08 15:16:12,495] [ERROR] -> fuzzing 11018 of 82491
[2017-05-08 15:16:12,498] [ERROR] -> xmitting: [1.11018]
[2017-05-08 15:16:12,499] [WARNING] -> sleeping for 1.000000 seconds
[2017-05-08 15:16:13,518] [ERROR] -> fuzzing 11019 of 82491
[2017-05-08 15:16:13,527] [ERROR] -> xmitting: [1.11019]
[2017-05-08 15:16:13,528] [WARNING] -> sleeping for 1.000000 seconds
[2017-05-08 15:16:14,554] [ERROR] -> fuzzing 11020 of 82491
[2017-05-08 15:16:14,558] [ERROR] -> xmitting: [1.11020]
[2017-05-08 15:16:14,559] [WARNING] -> sleeping for 1.000000 seconds
[2017-05-08 15:16:14,727] [CRITICAL] -> SIGINT received ... exiting

参考网址

http://blog.sina.com.cn/s/blog_714c124f0101548r.html
https://wizardforcel.gitbooks.io/grey-hat-python/content/36.html
http://bbs.pediy.com/thread-135764.htm
http://www.xlgps.com/article/400245.html
