IoT security research & fuzzing (Experiment 3)
Da-da-da-da, still writing this up
boofuzz is mainly used to fuzz protocols, in practice the web service interfaces a device exposes; the notes here use HTTP as the example.
Analysis of the official test scripts
http_simply.py:
#!/usr/bin/env python3
# Designed for use with boofuzz v0.2.0
# More advanced request definitions can be found in the request_definitions directory.
from boofuzz import *


def main():
    # Session owns the target connection plus logging and crash bookkeeping.
    session = Session(
        target=Target(
            connection=TCPSocketConnection("127.0.0.1", 80),
        ),
    )

    s_initialize(name="Request")  # start a request definition named "Request"
    with s_block("Request-Line"):
        # s_group cycles through each listed value; s_delim and s_string are
        # fuzzable; s_static is sent verbatim and never mutated.
        s_group("Method", ["GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE"])
        s_delim(" ", name="space-1")
        s_string("/index.html", name="Request-URI")
        s_delim(" ", name="space-2")
        s_string("HTTP/1.1", name="HTTP-Version")
        s_static("\r\n", name="Request-Line-CRLF")
        s_string("Host:", name="Host-Line")
        s_delim(" ", name="space-3")
        s_string("example.com", name="Host-Line-Value")
        s_static("\r\n", name="Host-Line-CRLF")
    s_static("\r\n", "Request-CRLF")  # blank line that ends the header section

    session.connect(s_get("Request"))  # attach the request to the session graph
    session.fuzz()  # send every mutation of every fuzzable primitive


if __name__ == "__main__":
    main()
This follows the first step of writing a boofuzz test. First create a session (Session), which holds the connection to the target address and port; then s_initialize gives the request a name and s_block opens a named block inside it. s_group("Method", [...]) enumerates the request methods to try, one after another. s_delim emits a delimiter such as the space between fields; delimiters are fuzzable too (boofuzz repeats, drops and swaps them). s_string marks a fuzzable string, i.e. the actual point being tested. s_static emits fixed bytes that are never mutated. Finally session.connect attaches the request to the session graph and session.fuzz starts sending. This is the most basic form of a fuzz script and is not hard to follow.
hnap_soap.py:
#!/usr/bin/env python
# coding=utf-8
# Designed for use with boofuzz v0.0.9
# (SocketConnection(..., proto='tcp') is deprecated in newer boofuzz releases;
#  TCPSocketConnection(host, port) is the replacement.)
from boofuzz import *


def post_test_callback(target, fuzz_data_logger, session, *args, **kwargs):
    # Runs after every test case: read the reply and stop the whole run on a 500,
    # which is this script's (crude) "something broke" signal. A 500 only means
    # the handler hit an error path, not that memory was corrupted, and a CGI
    # that actually crashed usually shows up as an empty reply or a reset
    # connection, which this check does not catch.
    response = target.recv(1000)
    buffer_overflow = "500 Internal Server Error"
    if buffer_overflow in response.decode(errors="replace"):
        exit()


def main():
    session = Session(
        post_test_case_callbacks=[post_test_callback],
        target=Target(
            connection=SocketConnection("192.168.0.1", 80, proto='tcp'),
        ),
    )

    s_initialize(name="Request")
    with s_block("Request-Line"):
        # LINE 1: everything in the request line is fixed, only the body is fuzzed
        s_static("POST", name="Method")
        # s_group("Method", ['POST'])
        s_static(" ", name='space-1')
        s_static("/HNAP1/")
        s_static(" ", name='space-2')
        s_static('HTTP/1.1', name='HTTP-Version')
        s_static("\r\n")
        # LINE 2
        s_static("Host", name="Host")
        s_static(":")
        s_static("192.168.0.1", name="ip")
        s_static("\r\n")
        # Content-Length is computed from the rendered 'hnapbody' block on every
        # test case; fuzzable=False keeps the length itself from being mutated.
        s_static('Content-Length:', name="Content-Length-Header")
        s_size('hnapbody', output_format='ascii', fuzzable=False)
        s_static('\r\n')
        s_static("Content-Type:")
        s_static("text/xml")
        s_static("\r\n")
        # LINE 3
        s_static("SOAPACTION:")
        s_static("http://purenetworks.com/HNAP1/Login")
        s_static("\r\n")
        s_static('\r\n')

    with s_block('hnapbody'):
        s_static('<?xml version="1.0" encoding="UTF-8"?>')
        s_static('\r\n')
        s_static('<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">')
        s_static('<soap:Body>')
        s_static('<Login xmlns="http://purenetworks.com/HNAP1/">')
        s_static('<Action>request</Action>')
        s_static('<Username>Admin</Username>')
        s_static('<LoginPassword>123456</LoginPassword>')
        s_static('<Captcha>')
        s_string("s", max_len=3000)  # the only mutation point; strings capped at 3000 bytes
        s_static('</Captcha>')
        s_static('</Login>')
        s_static('</soap:Body></soap:Envelope>')

    session.connect(s_get("Request"))
    session.fuzz()


if __name__ == "__main__":
    main()
This script was written to test a real firmware image, apparently the DIR818 firmware. In the headers, s_static('Content-Length:', name="Content-Length-Header") followed by s_size('hnapbody', output_format='ascii', fuzzable=False) sets Content-Length to the rendered length of the hnapbody block, so the header stays correct however long the mutated body gets (fuzzable=False keeps the size value itself from being mutated; otherwise the httpd would read too few or too many bytes and the test case would never reach the XML parser). In the body the mutation point is placed on the key field: s_string("s", max_len=3000) inside the Captcha element, with max_len capping the generated strings at 3000 bytes. The other important part of this script is the callback, post_test_callback, registered in post_test_case_callbacks: after every test case it reads the response, and if the server answers 500 Internal Server Error it stops the run with exit(), on the reasoning that a 500 generally means the fuzz case reached an error path worth a look; from there you go to the source of the handler that produced the response and check it by hand. One caveat: a 500 only says the handler errored, not that memory was corrupted, and a CGI that actually crashes on an embedded httpd more often shows up as an empty reply or a dropped connection, so those cases deserve recording too. The hit rate of this kind of blind fuzzing is low, which is exactly why it is automated.
That is boofuzz protocol fuzzing in a nutshell.
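The two points made about the scripts above, that Content-Length has to track the mutated body and that the post-test callback is where crashes get noticed, are worth seeing in working code. The following is an added example written for these notes; it is not code from the original post or from the boofuzz project. It assumes the same target (192.168.0.1:80) and the same HNAP Login body as hnap_soap.py. build_hnap_login_request renders the request by hand with an honest Content-Length (the job s_size does in boofuzz), classify_response turns the bytes read back into a triage label, and post_test_callback has the same signature as the page's callback but records interesting replies with fuzz_data_logger.log_fail instead of killing the run on the first 500. boofuzz is only imported inside main(), so the helpers run without it installed.

```python
# Added example, not from the original post or from boofuzz. Assumed target
# 192.168.0.1:80 and the HNAP Login body used by hnap_soap.py. The helpers are
# plain Python; only main() needs boofuzz (imported there, lazily), so the
# triage logic can be exercised and tested offline.
import re

HOST = "192.168.0.1"      # assumed target, as in hnap_soap.py
MAX_CAPTCHA_LEN = 3000    # mirrors s_string("s", max_len=3000)

HNAP_BODY_PREFIX = (
    '<?xml version="1.0" encoding="UTF-8"?>\r\n'
    '<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
    'xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><Login xmlns="http://purenetworks.com/HNAP1/">'
    '<Action>request</Action><Username>Admin</Username>'
    '<LoginPassword>123456</LoginPassword><Captcha>'
)
HNAP_BODY_SUFFIX = '</Captcha></Login></soap:Body></soap:Envelope>'
HEADERS_BEFORE_LENGTH = f"POST /HNAP1/ HTTP/1.1\r\nHost: {HOST}\r\nContent-Length: "
HEADERS_AFTER_LENGTH = (
    "\r\nContent-Type: text/xml\r\n"
    "SOAPACTION: http://purenetworks.com/HNAP1/Login\r\n\r\n"
)

def build_hnap_login_request(captcha: bytes) -> bytes:
    """Render the hnap_soap.py request for one Captcha value. Content-Length
    is computed from the real body, which is what s_size('hnapbody',
    output_format='ascii', fuzzable=False) does inside boofuzz."""
    captcha = captcha[:MAX_CAPTCHA_LEN]          # same cap as max_len=3000
    body = HNAP_BODY_PREFIX.encode() + captcha + HNAP_BODY_SUFFIX.encode()
    head = HEADERS_BEFORE_LENGTH + str(len(body)) + HEADERS_AFTER_LENGTH
    return head.encode() + body

STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3})\b")

def classify_response(data: bytes) -> str:
    """Label the bytes read back after a test case. 5xx: handler hit an
    unhandled error path. Empty read: peer closed without answering, on an
    embedded httpd often a CGI that died. No status line: the server's own
    parser was upset. None of these prove memory corruption by themselves."""
    if not data:
        return "no-response"
    m = STATUS_LINE.match(data)
    if m is None:
        return "malformed"
    code = int(m.group(1))
    if code >= 500:
        return "server-error"
    if code >= 400:
        return "client-error"
    return "ok"

INTERESTING = {"no-response", "malformed", "server-error"}

def post_test_callback(target, fuzz_data_logger, session, *args, **kwargs):
    """Drop-in for the callback in hnap_soap.py (post_test_case_callbacks).
    Records interesting replies with log_fail so they show up in boofuzz's
    results and the run continues; returns the verdict so it can be tested."""
    try:
        data = target.recv(4096)
    except Exception as exc:   # boofuzz raises its own connection errors here
        fuzz_data_logger.log_fail(f"recv failed: {exc!r}")
        return "connection-error"
    verdict = classify_response(data)
    if verdict in INTERESTING:
        fuzz_data_logger.log_fail(f"{verdict}: {data[:120]!r}")
    else:
        fuzz_data_logger.log_info(f"{verdict}: {data[:60]!r}")
    return verdict

def main():
    # Wire the callback into the same request definition as hnap_soap.py.
    from boofuzz import (Session, Target, TCPSocketConnection, s_block,
                         s_get, s_initialize, s_size, s_static, s_string)
    session = Session(post_test_case_callbacks=[post_test_callback],
                      target=Target(connection=TCPSocketConnection(HOST, 80)))
    s_initialize(name="Request")
    s_static(HEADERS_BEFORE_LENGTH, name="Headers-Before-Length")
    s_size("hnapbody", output_format="ascii", fuzzable=False, name="Content-Length")
    s_static(HEADERS_AFTER_LENGTH, name="Headers-After-Length")
    with s_block("hnapbody"):
        s_static(HNAP_BODY_PREFIX, name="Body-Prefix")
        s_string("s", max_len=MAX_CAPTCHA_LEN, name="Captcha")
        s_static(HNAP_BODY_SUFFIX, name="Body-Suffix")
    session.connect(s_get("Request"))
    session.fuzz()

if __name__ == "__main__":
    main()
```

The verdicts are deliberately coarse: the point of the callback is to decide which test cases to replay by hand (or under gdbserver on the device), not to prove a crash. Run against the router it behaves like hnap_soap.py, except that a 500 no longer ends the campaign and an empty reply or a reset connection is logged as a failure too.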
AFL fuzzing:
There are simple examples online, just search Baidu. My feeling is that AFL is not used much when doing IoT security research; basically everyone uses boofuzz.
Summary: learned fuzzing.