IoT Security Research & Fuzzing (Experiment 3)

Tap tap tap, still writing this up.

boofuzz is mainly used for fuzzing network protocols, i.e. the service interfaces a device exposes over the network, the web-style ones included. This post records the HTTP case.

Analysis of the official example scripts
http_simple.py (shipped in boofuzz's examples directory):

#!/usr/bin/env python3
# Designed for use with boofuzz v0.2.0

# More advanced request definitions can be found in the request_definitions directory.

from boofuzz import *


def main():
    session = Session(target=Target(connection=TCPSocketConnection("127.0.0.1", 80)),)

    s_initialize(name="Request")
    with s_block("Request-Line"):
        s_group("Method", ["GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE"])
        s_delim(" ", name="space-1")
        s_string("/index.html", name="Request-URI")
        s_delim(" ", name="space-2")
        s_string("HTTP/1.1", name="HTTP-Version")
        s_static("\r\n", name="Request-Line-CRLF")
        s_string("Host:", name="Host-Line")
        s_delim(" ", name="space-3")
        s_string("example.com", name="Host-Line-Value")
        s_static("\r\n", name="Host-Line-CRLF")
    s_static("\r\n", "Request-CRLF")

    session.connect(s_get("Request"))

    session.fuzz()


if __name__ == "__main__":
    main()

This follows the first step of a boofuzz test. First you create a Session, which holds the Target, i.e. the host and port to connect to (127.0.0.1:80 over TCP here). s_initialize starts a new request definition under a name, and s_block groups primitives under a block name. s_group("Method", [...]) enumerates the HTTP methods, so every listed method is tried in turn; s_delim(" ") marks the space as a delimiter, which boofuzz also fuzzes (repeating, dropping or swapping it); s_string marks a field whose value gets mutated, which is the actual test point (here the Request-URI, the HTTP-Version, the Host header name and its value); s_static is a literal that is always sent unchanged, which is how the CRLF line endings are pinned down. Finally session.connect(s_get("Request")) attaches the request to the session graph and session.fuzz() runs every mutation against the target. That is the most basic fuzz script and it is not hard to follow.
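Before pointing http_simple.py at a device it is worth having a local target that the mutations can visibly hit. The following is an added example, not part of the original post and not boofuzz's own code: a throwaway HTTP server that answers 200 to a normal request line, 400 to anything that is not "METHOD SP URI SP HTTP/x.y" (which is what the s_delim mutations produce), and 500 once the Request-URI exceeds an assumed MAX_URI, so the s_string("/index.html") mutations have something observable to trigger. MAX_URI and the port 8080 are assumptions for the demo.

```python
#!/usr/bin/env python3
# Added example (not from the original post and not part of boofuzz): a
# throwaway local HTTP target to point http_simple.py at before touching real
# firmware. It deliberately returns 500 once the Request-URI is longer than
# MAX_URI, so mutations of the s_string("/index.html") field have something
# observable to trigger. MAX_URI and the port are assumptions for the demo.
import socketserver
import threading

MAX_URI = 256  # assumed limit; real devices break wherever they break


def _response(code, reason):
    """Build a minimal, well-formed HTTP/1.1 response."""
    body = reason + b"\n"
    head = b"HTTP/1.1 %d %s\r\nContent-Length: %d\r\nConnection: close\r\n\r\n" % (
        code, reason, len(body))
    return head + body


def handle_request_bytes(data):
    """Map one raw request to a raw response, looking only at the request line.

    'METHOD SP URI SP HTTP/x.y' with a short URI  -> 200
    same shape but URI longer than MAX_URI         -> 500 (stand-in for 'something broke')
    anything else (bad delimiters, missing parts)  -> 400
    """
    line, _, _ = data.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return _response(400, b"Bad Request")
    if len(parts[1]) > MAX_URI:
        return _response(500, b"Internal Server Error")
    return _response(200, b"OK")


class _Handler(socketserver.BaseRequestHandler):
    def handle(self):
        # boofuzz sends malformed requests: read until the header terminator
        # shows up, the peer closes, or a short timeout expires.
        self.request.settimeout(2.0)
        buf = b""
        while b"\r\n\r\n" not in buf:
            try:
                chunk = self.request.recv(4096)
            except OSError:
                break
            if not chunk:
                break
            buf += chunk
        try:
            self.request.sendall(handle_request_bytes(buf))
        except OSError:
            pass  # the fuzzer already went away; nothing to do


class MockHttpTarget(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def serve_in_background(host="127.0.0.1", port=8080):
    """Start the mock target on a thread and return the server (call .shutdown() when done)."""
    srv = MockHttpTarget((host, port), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = MockHttpTarget(("127.0.0.1", 8080), _Handler)
    print("mock HTTP target on 127.0.0.1:8080; change the port in http_simple.py and run it")
    srv.serve_forever()
```

Run it, change the port in http_simple.py from 80 to 8080 (or run the mock as root on 80), start the fuzzer and watch the cases in boofuzz's web UI; the over-long Request-URI mutations come back as 500 and the delimiter mutations as 400, which is exactly the difference the callback in the next script keys on.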
hnap_soap.py:

#!/usr/bin/env python
# coding=utf-8
# Designed for use with boofuzz v0.0.9
from boofuzz import *


def post_test_callback(target, fuzz_data_logger, session, *args, **kwargs):
    # Runs after every test case: read the device's reply and abort the whole
    # fuzzing run as soon as the HNAP endpoint answers with a 500.
    response = target.recv(1000)
    buffer_overflow = "500 Internal Server Error"

    if buffer_overflow in response.decode(errors="replace"):
        exit()


def main():
    session = Session(
        post_test_case_callbacks=[post_test_callback],
        target=Target(
            connection=SocketConnection("192.168.0.1", 80, proto='tcp'),
        ),
    )

    s_initialize(name="Request")
    with s_block("Request-Line"):
        # LINE 1: the whole request line is fixed, only the body gets fuzzed
        s_static("POST", name="Method")
        # s_group("Method", ['POST'])
        s_static(" ", name='space-1')
        s_static("/HNAP1/")
        s_static(" ", name='space-2')
        s_static('HTTP/1.1', name='HTTP-Version')
        s_static("\r\n")

        # LINE 2
        s_static("Host", name="Host")
        s_static(":")
        s_static("192.168.0.1", name="ip")
        s_static("\r\n")

        # Content-Length is computed from the 'hnapbody' block below on every
        # test case, so it stays correct however long the mutated Captcha gets;
        # fuzzable=False keeps the length field itself from being mutated.
        s_static('Content-Length:', name="Content-Length-Header")
        s_size('hnapbody', output_format='ascii', fuzzable=False)
        s_static('\r\n')

        s_static("Content-Type:")
        s_static("text/xml")
        s_static("\r\n")

        # LINE 3
        s_static("SOAPACTION:")
        s_static("http://purenetworks.com/HNAP1/Login")
        s_static("\r\n")

        s_static('\r\n')  # blank line that ends the headers


    with s_block('hnapbody'):
        s_static('<?xml version="1.0" encoding="UTF-8"?>')
        s_static('\r\n')
        s_static('<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">')
        s_static('<soap:Body>')
        s_static('<Login xmlns="http://purenetworks.com/HNAP1/">')
        s_static('<Action>request</Action>')
        s_static('<Username>Admin</Username>')
        s_static('<LoginPassword>123456</LoginPassword>')
        s_static('<Captcha>')
        s_string("s", max_len=3000)  # the only fuzzable primitive: the Captcha value, up to 3000 bytes
        s_static('</Captcha>')
        s_static('</Login>')
        s_static('</soap:Body></soap:Envelope>')

    session.connect(s_get("Request"))

    session.fuzz()


if __name__ == "__main__":
    main()

This script was used against real firmware, which seems to be the DIR818 image. In the header, s_static('Content-Length:', name="Content-Length-Header") followed by s_size('hnapbody', output_format='ascii', fuzzable=False) tells boofuzz to compute the Content-Length from the hnapbody block on every test case, so the header stays consistent however long the mutated body becomes (fuzzable=False keeps the length field itself out of the mutations: the point is to get the device to parse the body, not to have it reject the request early). In the body, s_string("s", max_len=3000) inside the Captcha element marks the single mutation point. The other important part of this script is the callback, post_test_callback, registered through post_test_case_callbacks: after each case it reads the device's reply and, if it contains "500 Internal Server Error", calls exit() to stop the fuzzer, because a 500 from this endpoint means the case did something, i.e. the fuzzing produced a result. At that point take the request that triggered it and go to the firmware code that handles this request to confirm it by hand. Fuzzing only hits now and then, which is why you let it grind through the cases in the first place. Two caveats: a 500 only says the handler failed, not why, so confirm with a crash indicator on the device (serial console output, a watchdog reboot, the HTTP daemon disappearing) before calling it a memory bug; and exit() aborts the session, so nothing after the first 500 gets tested.
That is protocol fuzzing with boofuzz.
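Three things the hnap_soap.py workflow leaves implicit, as an added example that is not from the original post and not boofuzz's own code: a status-line parser for the reply (instead of grepping for the literal "500 Internal Server Error", which misses a device that simply stops answering), a replay function that rebuilds the same HNAP Login request with a correct Content-Length (the job s_size does inside the fuzzer) so one suspicious case can be resent by hand during the confirmation step, and a post_test_case callback built on the parser that records a failure and keeps fuzzing instead of calling exit(). The host, port and request layout are copied from hnap_soap.py; the payload sizes in the demo are assumptions. The callback relies only on the objects boofuzz hands in (Target.recv, FuzzLogger.log_fail and log_info), so nothing from boofuzz is imported and the file runs on its own.

```python
#!/usr/bin/env python3
# Added example, not from the original post and not boofuzz's own code. Host,
# port and the request shape come from hnap_soap.py; payload sizes in the demo
# are assumptions. Nothing from boofuzz is imported: the callback only uses the
# Target and FuzzLogger objects the session passes in.
import re
import socket

STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3})")

# The SOAP body from hnap_soap.py, split around the fuzzed Captcha value.
BODY_PREFIX = (
    b'<?xml version="1.0" encoding="UTF-8"?>\r\n'
    b'<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    b'xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
    b'xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><Login xmlns="http://purenetworks.com/HNAP1/">'
    b'<Action>request</Action><Username>Admin</Username>'
    b'<LoginPassword>123456</LoginPassword><Captcha>'
)
BODY_SUFFIX = b'</Captcha></Login></soap:Body></soap:Envelope>'


def classify_response(data):
    """'no-response' (empty: the daemon may be dead or hung), 'server-error' (5xx),
    'client-error' (4xx), 'ok' (1xx-3xx) or 'not-http' (no status line at all)."""
    if not data:
        return "no-response"
    m = STATUS_LINE.match(data)
    if not m:
        return "not-http"
    code = int(m.group(1))
    if code >= 500:
        return "server-error"
    if code >= 400:
        return "client-error"
    return "ok"


def build_hnap_login_request(captcha, host=b"192.168.0.1"):
    """Rebuild the request hnap_soap.py defines; Content-Length is derived from the body."""
    body = BODY_PREFIX + captcha + BODY_SUFFIX
    head = b"".join([
        b"POST /HNAP1/ HTTP/1.1\r\n",
        b"Host: ", host, b"\r\n",
        b"Content-Length: ", str(len(body)).encode(), b"\r\n",
        b"Content-Type: text/xml\r\n",
        b"SOAPACTION: http://purenetworks.com/HNAP1/Login\r\n",
        b"\r\n",
    ])
    return head + body


def replay(captcha, host="192.168.0.1", port=80, timeout=5.0):
    """Send one rebuilt request to the device and return (verdict, raw_reply).
    Needs network access to the target; the demo below does not call it."""
    req = build_hnap_login_request(captcha, host.encode())
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply), reply


def post_test_callback(target, fuzz_data_logger, session, *args, **kwargs):
    """Replacement for the callback in hnap_soap.py: same signature, but it marks
    the case as failed in boofuzz's log and web UI instead of killing the run."""
    try:
        reply = target.recv(4096)
    except OSError as e:  # plain socket errors; boofuzz's own connection exceptions propagate to the session
        fuzz_data_logger.log_info("recv failed: %r" % (e,))
        reply = b""
    verdict = classify_response(reply)
    if verdict in ("no-response", "server-error"):
        fuzz_data_logger.log_fail("%s: %r" % (verdict, reply[:100]))


if __name__ == "__main__":
    # Constructed sample replies, not captured from a device.
    for sample in (b"HTTP/1.1 500 Internal Server Error\r\n\r\n", b"HTTP/1.1 200 OK\r\n\r\n", b""):
        print(classify_response(sample), sample[:40])
    req = build_hnap_login_request(b"A" * 3000)  # assumed payload size, matches max_len in the script
    print(req.split(b"\r\n\r\n")[0].decode())
```

When a case gets flagged, pull the Captcha payload out of boofuzz's log, call replay() with it against the otherwise idle device, and treat "no-response" as the more interesting verdict than "server-error": a handler that returns 500 is still running, a daemon that stops answering is the one to go looking for in the firmware.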

AFL fuzzing:
There are simple examples online, just search Baidu. My feeling is that AFL does not get used that much in IoT security research; it is mostly boofuzz.

Summary: learned fuzzing.

Link to this post:

http://azly.top/index.php/archives/40/