http与boofuzz融合

Question

我正在寻找一个模糊的库，我碰巧看到了“for”，尽管没有例子说明如何使用这个库来进行http模糊处理。

这是我在他们的github页面中看到的唯一代码，但是他们说它是从sulley (一个古老的模糊库)获取的：

import sys
sys.path.insert(0, '../')

from boofuzz.primitives import String, Static, Delim

class Group(object):
    blocks = []

    def __init__(self, name, definition=None):
        self.name = name
        if definition:
            self.definition = definition

    def add_definition(self, definition):
        assert isinstance(definition, (list, tuple)), "Definition must be a list or a tuple!"
        self.definition = definition

    def render(self):
        return "".join([x.value for x in self.definition])

    def exhaust(self):
        for item in self.definition:
            while item.mutate():
                current_value = item.value
                self.log_send(current_value)
                recv_data = self.send_buffer(current_value)
                self.log_recv(recv_data)

    def __repr__(self):
        return '<%s [%s items]>' % (self.__class__.__name__, len(self.definition))

    # noinspection PyMethodMayBeStatic
    def send_buffer(self, current_value):
        return "Sent %s!" % current_value

    def log_send(self, current_value):
        pass

    def log_recv(self, recv_data):
        pass
    s_static = Static
    s_delim  = Delim
    s_string = String

    CloseHeader = Group(
        "HTTP Close Header",
        definition=[
            # GET / HTTP/1.1\r\n
            s_static("GET / HTTP/1.1\r\n"),
            # Connection: close
            s_static("Connection"), s_delim(":"), s_delim(" "), s_string("close"),
            s_static("\r\n\r\n")
        ]
    )

    OpenHeader = Group(
        "HTTP Open Header",
        definition=[
            # GET / HTTP/1.1\r\n
            Static("GET / HTTP/1.1\r\n"),
            # Connection: close
            Static("Connection"), Delim(":"), Delim(" "), String("open"),
            Static("\r\n\r\n")
        ]
    )

    # CloseHeader = Group("HTTP Close Header")
    # CloseHeader.add_definition([
    #     # GET / HTTP/1.1\r\n
    #     s_static("GET / HTTP/1.1\r\n"),
    #     # Connection: close
    #     s_static("Connection"), s_delim(":"), s_delim(" "), s_string("close"),
    #     s_static("\r\n\r\n")
    # ])

如果是别人的库代码，他们为什么要发布呢？有一个很好的解释如何与波弗兹库工作吗？

Answer 1

如果你谷歌"http协议格式“，现在的第一个结果就是本HTTP教程。如果你在那里读了几页，你就可以很好地描述协议的格式。在此基础上，我编写了以下模糊脚本，这里的源代码

#!/usr/bin/env python
# Designed for use with boofuzz v0.0.9
from boofuzz import *


def main():
    session = Session(
        target=Target(
            connection=SocketConnection("127.0.0.1", 80, proto='tcp')
        ),
    )

    s_initialize(name="Request")
    with s_block("Request-Line"):
        s_group("Method", ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'TRACE'])
        s_delim(" ", name='space-1')
        s_string("/index.html", name='Request-URI')
        s_delim(" ", name='space-2')
        s_string('HTTP/1.1', name='HTTP-Version')
        s_static("\r\n", name="Request-Line-CRLF")
    s_static("\r\n", "Request-CRLF")

    session.connect(s_get("Request"))

    session.fuzz()


if __name__ == "__main__":
    main()

虽然我被绊倒了一段时间因为我只有一个CRLF。在检查RFC 2616 (第5条)之后，很明显，这个示例应该以两个CRLF结尾。

    Request       = Request-Line              ; Section 5.1
                    *(( general-header        ; Section 4.5
                     | request-header         ; Section 5.3
                     | entity-header ) CRLF)  ; Section 7.1
                    CRLF
                    [ message-body ]          ; Section 4.3

    [...]

    Request-Line   = Method SP Request-URI SP HTTP-Version CRLF

显然，这个模糊脚本并没有覆盖整个协议。只是一些可以添加的东西：

1. HTTP标头(有很多)
2. 每个HTTP方法的专用格式
3. 消息体(例如在邮件中)
4. 为特定目标服务器选择有效URI的一些方法
5. 基于服务器响应的报告警告(可能会引起噪音，但服务器错误往往表明.错误)