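def main() -> None:
    """Run the fuzzer.

    Defines a single HTTP request ("Request") whose method, delimiters, URI and
    version are fuzzable, then fuzzes it against the hard-coded TCP target.

    Each test case is written to ``fuzz_results_easyshare.csv``. That log is
    what lets a crash be traced back to the exact request that caused it.
    """
    port = 80
    host = "192.168.99.100"
    protocol = "tcp"

    # Scope the CSV handle to the whole run so it is flushed and closed even
    # when fuzz() raises or is interrupted.
    with open("fuzz_results_easyshare.csv", "w") as csv_log:
        # The original built the CSV logger but never passed it to the Session,
        # so the results file stayed empty. The text logger is listed as well
        # because supplying fuzz_loggers replaces the session's default console
        # logger.
        my_logger = [bf.FuzzLoggerText(), bf.FuzzLoggerCsv(file_handle=csv_log)]

        target = bf.Target(
            connection=bf.SocketConnection(host, port, proto=protocol))
        session = bf.Session(target=target, fuzz_loggers=my_logger)

        # FUZZING PARAMETERS
        bf.s_initialize(name="Request")
        with bf.s_block("Request-Line"):
            bf.s_group("Method", [
                'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS',
                'TRACE'
            ])
            bf.s_delim(" ", name='space-1')
            bf.s_string("/index.html", name='Request-URI')
            bf.s_delim(" ", name='space-2')
            bf.s_string('HTTP/1.1', name='HTTP-Version')
            bf.s_static("\r\n", name="Request-Line-CRLF")
        # Blank line that terminates the (header-less) request.
        bf.s_static("\r\n", "Request-CRLF")

        session.connect(bf.s_get("Request"))
        # One-second pause between test cases, so a crash can be matched to
        # the case that preceded it.
        session.sleep_time = 1.0
        session.fuzz()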
def run():
    """Describe an HTTP request for ``/get`` and fuzz it with ``max_depth=1``.

    The session comes from ``initfuzz()``, which is defined outside this
    listing. The request consists of a request line followed by Host,
    Connection and User-Agent headers and the terminating blank line.
    """
    session = initfuzz()

    s_initialize(name="Request")

    http_verbs = [
        'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'TRACE'
    ]
    with s_block("Request-Line"):
        s_group("Method", http_verbs)
        s_delim(" ", name='space-1')
        s_string("/get", name='Request-URI')
        s_delim(" ", name='space-2')
        s_string('HTTP/1.1', name='HTTP-Version')
        s_static("\r\n", name="Request-Line-CRLF")

    # NOTE(review): the listing lost its indentation, so the extent of the
    # "Request-Line" block is inferred from its name -- confirm against the
    # original file. The primitives are emitted in the same order either way.
    header_lines = (
        ("Host", "space-3", "example.com"),
        ("Connection", "space-4", "Keep-Alive"),
        ("User-Agent", "space-5",
         "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1"),
    )
    for field, gap_name, field_value in header_lines:
        # Header name (with its colon) and value are both fuzzable strings;
        # only the CRLF is static.
        s_string(field + ":", name=field + "-Line")
        s_delim(" ", name=gap_name)
        s_string(field_value, name=field + "-Line-Value")
        s_static("\r\n", name=field + "-Line-CRLF")

    # Blank line that ends the header section.
    s_static("\r\n", "Request-CRLF")

    session.connect(s_get("Request"))
    # presumably max_depth=1 limits each test case to one mutated primitive -- confirm
    session.fuzz(max_depth=1)
def run():
    """Describe an HTTP request for ``/post`` with a body and fuzz it.

    The session comes from ``initfuzz()``, which is defined outside this
    listing. The Content-Length value is an ``s_size`` primitive bound to the
    "Body-Content" block, rendered as ASCII.
    """

    def _field_prefix(label):
        # Static header name, then fuzzable ':' and ' ' delimiters.
        s_static(label, name=label + "-Header")
        s_delim(":", name=label + "-Colon-1")
        s_delim(" ", name=label + "-Space-1")

    def _field_end(label):
        s_static("\r\n", name=label + "-CRLF")

    def _string_field(label, default):
        _field_prefix(label)
        s_string(default, name=label + "-Value")
        _field_end(label)

    session = initfuzz()

    s_initialize(name="Request")

    http_verbs = [
        "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
        "PURGE"
    ]
    with s_block("Request-Line"):
        s_group("Method", http_verbs)
        s_delim(" ", name="space-1")
        s_string("/post", name="Request-URI")
        s_delim(" ", name="space-2")
        s_string("HTTP/1.1", name="HTTP-Version")
        s_static("\r\n", name="Request-Line-CRLF")

    # NOTE(review): the listing lost its indentation, so the extent of the
    # "Request-Line" block is inferred from its name -- confirm against the
    # original file. The primitives are emitted in the same order either way.
    s_string("Host:", name="Host-Line")
    s_delim(" ", name="space-3")
    s_string("127.0.0.1:9080", name="Host-Line-Value")
    s_static("\r\n", name="Host-Line-CRLF")

    _string_field(
        "User-Agent",
        "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3223.8 Safari/537.36",
    )
    _string_field(
        "Accept",
        "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
    )

    # Content-Length is tied to the body block, not written as a literal.
    s_static("Content-Length:", name="Content-Length-Header")
    s_delim(" ", name="space-4")
    s_size("Body-Content", output_format="ascii", name="Content-Length-Value")
    s_static("\r\n", name="Content-Length-CRLF")

    _field_prefix("Connection")
    s_group("Connection-Type", ["keep-alive", "close"])
    _field_end("Connection")

    # NOTE(review): the declared type is form-urlencoded while the default body
    # below is JSON -- presumably deliberate for this test, confirm.
    _string_field("Content-Type", "application/x-www-form-urlencoded")

    # Blank line that ends the header section.
    s_static("\r\n", name="Request-CRLF")

    with s_block("Body-Content"):
        s_string('{"a":"b"}', name="Body-Content-Value")

    session.connect(s_get("Request"))
    # presumably max_depth=1 limits each test case to one mutated primitive -- confirm
    session.fuzz(max_depth=1)
def test_foo_bar(self):
    """Fuzz a one-value request over UDP, then check the web UI title.

    The request "foo" holds a single group "version" whose only value is
    ``"\\x06"``. After ``fuzz()`` returns, the test opens
    ``http://localhost:26000`` and asserts the page title text.
    """
    # bind=("0.0.0.0", 12345) listens for replies on every local interface.
    # A specific interface address would narrow what can reach the socket.
    udp_link = UDPSocketConnection(
        recv_timeout=1,
        host="172.26.87.144",
        port=6234,
        bind=("0.0.0.0", 12345),
    )
    fuzz_target = Target(connection=udp_link)
    # NOTE(review): keep_web_open=False, yet the assertions below read the web
    # UI after fuzz() returns -- confirm the UI is still being served then.
    session = Session(target=fuzz_target, keep_web_open=False)

    s_initialize("foo")
    s_group("version", values=["\x06"])

    session.connect(s_get("foo"))
    session.fuzz()

    self.open("http://localhost:26000")
    self.assert_text("boofuzz Fuzz Control", "div.main-title")
def s_http_general(value, payloads, fuzzable=True, encoding: EncodingTypes = EncodingTypes.ascii, name=None,
                   add_quotation_marks=False):
    """Add one HTTP value to the current request as a group or a static.

    Every entry of ``payloads`` and the default ``value`` are encoded with
    ``Encoder.encode_string`` using ``encoding``. With ``add_quotation_marks``
    each encoded payload is wrapped in the encoder's ASCII quotation mark. The
    default value is encoded but not wrapped.

    When ``fuzzable`` is true, an ``s_group`` called ``name`` is created from
    the encoded payloads, with the encoded default as its default value.
    Otherwise only an ``s_static`` holding the encoded default is emitted, and
    ``name`` is not used.
    """

    def _encode_payload(raw_payload):
        # Encode first, then wrap, so the quotation marks themselves are never
        # passed through the chosen payload encoding.
        body = Encoder.encode_string(raw_payload, encoding)
        if not add_quotation_marks:
            return body
        return Encoder.get_ascii_encoded_quotation_mark() + body + Encoder.get_ascii_encoded_quotation_mark()

    encoded_payloads: List[bytes] = [_encode_payload(item) for item in payloads]

    default_value = Encoder.encode_string(value, encoding)

    if not fuzzable:
        s_static(default_value)
        return

    # noinspection PyTypeChecker
    s_group(name, encoded_payloads, default_value)
# NOTE(review): this listing starts mid-script and ends inside the
# "auth_nameserver" block; the request's s_initialize call and any earlier
# fields are not visible here.
# The field names suggest a DNS-style message -- confirm against the full file.
#
# Four section counters, each an s_word written with endian='>'.
s_word(1, name="Questions", endian='>')
s_word(0, name="Answer", endian='>')
s_word(1, name="Authority", endian='>')
s_word(0, name="Additional", endian='>')

# ######## Queries ################
# The `if s_block_start(...)` wrappers look like they are used for visual
# nesting only -- presumably s_block_start returns a truthy value; confirm.
if s_block_start("query"):
    # One name label: a one-byte size field bound to the "string" block,
    # followed by that block's fuzzable string.
    if s_block_start("name_chunk"):
        s_size("string", length=1)
        if s_block_start("string"):
            s_string("A" * 10)
        s_block_end()
    s_block_end()
    # Repeat the label block between 2 and 4 times, in steps of 1.
    s_repeat("name_chunk", min_reps=2, max_reps=4, step=1, fuzzable=True, name="aName")

    # Name terminator: either a zero byte or the two bytes \xc0\xb0.
    s_group("end", values=["\x00", "\xc0\xb0"])  # very limited pointer fuzzing
    s_word(0xc, name="Type", endian='>')
    s_word(0x8001, name="Class", endian='>')
s_block_end()

# Repeat the whole "query" block; the positional arguments are presumably
# min_reps=0, max_reps=1000, step=40 -- confirm against s_repeat's signature.
s_repeat("query", 0, 1000, 40, name="queries")

######## Authorities ############
if s_block_start("auth_nameserver"):
    # Same label layout as in the query section, under "_auth" names.
    if s_block_start("name_chunk_auth"):
        s_size("string_auth", length=1)
        if s_block_start("string_auth"):
            s_string("A" * 10)
        s_block_end()
    s_block_end()
    s_repeat("name_chunk_auth", min_reps=2, max_reps=4, step=1, fuzzable=True, name="aName_auth")
    # The listing ends here; the rest of the block, including the s_block_end()
    # that closes "auth_nameserver", is not visible.
# ######## Queries ################ if s_block_start("query"): if s_block_start("name_chunk"): s_size("string", length=1) if s_block_start("string"): s_string("A" * 10) s_block_end() s_block_end() s_repeat("name_chunk", min_reps=2, max_reps=4, step=1, fuzzable=True, name="aName") s_group("end", values=["\x00", "\xc0\xb0"]) # very limited pointer fuzzing s_word(0xc, name="Type", endian='>') s_word(0x8001, name="Class", endian='>') s_block_end() s_repeat("query", 0, 1000, 40, name="queries") ######## Authorities ############ if s_block_start("auth_nameserver"): if s_block_start("name_chunk_auth"): s_size("string_auth", length=1) if s_block_start("string_auth"): s_string("A" * 10) s_block_end() s_block_end() s_repeat("name_chunk_auth", min_reps=2,