Update Fuzz_DSL.py

138ce79f · 尹启迪 · 34d4c597 · 138ce79f
Commit 138ce79f authored Aug 29, 2020 by 尹启迪
Hide whitespace changes
Inline Side-by-side

Showing with 76 additions and 17 deletions

Fuzz_DSL.py Fuzz_DSL.py +76 -17

No files found.
--- a/Fuzz_DSL.py
+++ b/Fuzz_DSL.py
@@ -2,32 +2,51 @@ from boofuzz import *
 from sys import exit
 from time import sleep

+my_key=""


-def get_banner(target, my_logger, session, *args, **kwargs):
-	name="<head></head>"
+def change_port(target, my_logger, session, *args, **kwargs):
 	while(1):
 		try:
-			sleep(0.5)
+			sleep(0.1)
 			banner = target.recv(10000)
 			if(len(banner)==0):
+				target.close()
+				target.open()
 				break
 		except:
 			break
+def get_sk(target, my_logger, session, *args, **kwargs):
+	global my_key
+	while(1):
+		try:
+			sleep(0.1)
+			banner = target.recv(10000)
+			if(len(banner)==0):
+				target.close()
+				target.open()
+				break
+			if("\r\n" in banner):
+				my_key = banner.split("\r\n")[-1]
+		except:
+			break
+	print my_key+"!!!!!!!!!!!!!!!!!!!!"

    

    
 def main():
+	global my_key
+	tar=Target(connection=TCPSocketConnection("192.168.1.1", 80))
 	session = Session(
-		target=Target(connection=SocketConnection("192.168.1.1", 80)),
+		target=tar,
 		receive_data_after_each_request=True,
 		)
 	
 	s_initialize(name="Login")
 	# with s_block("Post-Line"):
 	# s_static("GET /cgi-bin/Login.asp?User=admin&Pwd=admin&_=1598500049569 HTTP/1.1")
-	s_static("GET /cgi-bin/Login.asp HTTP/1.1")
+	s_static("GET /cgi-bin/Login.asp?User=admin&Pwd=admin&_=1598531547960 HTTP/1.1")
 	s_static("\r\n")

 	s_static("Host: 192.168.1.1")
@@ -48,7 +67,7 @@ def main():
 	s_static("X-Requested-With: XMLHttpRequest")
 	s_static("\r\n")

-	s_static("Connection: close")
+	s_static("Connection: keep-alive")
 	s_static("\r\n")

 	s_static("Referer: http://192.168.1.1/cgi-bin/Login.asp")
@@ -88,9 +107,45 @@ def main():
 	s_static("Referer: http://192.168.1.1/cgi-bin/New_GUI/Diagnostics.asp")
 	s_static("\r\n")
 	s_static("\r\n")
-	s_string("test")
 	s_static("\r\n")

+
+
+	
+
+	# s_static("GET /cgi-bin/Login.asp?User=admin&Pwd=admin&_=1598531547960 HTTP/1.1")
+	# s_static("\r\n")
+
+	# s_static("Host: 192.168.1.1")
+	# s_static("\r\n")
+
+	# s_static("User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0")
+	# s_static("\r\n")
+
+	# s_static("Accept: */*")
+	# s_static("\r\n")
+
+	# s_static("Accept-Language: en-US,en;q=0.5")
+	# s_static("\r\n")
+
+	# s_static("Accept-Encoding: gzip, deflate")
+	# s_static("\r\n")
+
+	# s_static("X-Requested-With: XMLHttpRequest")
+	# s_static("\r\n")
+
+	# s_static("Connection: keep-alive")
+	# s_static("\r\n")
+
+	# s_static("Referer: http://192.168.1.1/cgi-bin/Login.asp")
+	# s_static("\r\n")
+
+	# s_static("Upgrade-Insecure-Requests: 1")
+	# s_static("\r\n")
+	# s_static("\r\n")
+	# s_string("j", max_len=5)
+	# s_static("\r\n")
+
 	s_initialize(name="Post")
 	# with s_block("Post-Line"):
 	s_static("POST /cgi-bin/New_GUI/Set/Diagnostics.asp HTTP/1.1")
@@ -117,29 +172,32 @@ def main():
 	s_static("X-Requested-With: XMLHttpRequest")
 	s_static("\r\n")

-	s_static("Content-Length: 45")
+	s_static("Content-Length: ")
+	s_size('data', output_format='ascii', fuzzable=True)
 	s_static("\r\n")

 	s_static("Origin: http://192.168.1.1")
 	s_static("\r\n")

-	s_static("Connection: close")
+	s_static("Connection: keep-alive")
 	s_static("\r\n")

 	s_static("Referer: http://192.168.1.1/cgi-bin/New_GUI/Diagnostics.asp")
 	s_static("\r\n")
-
-	s_static("")
 	s_static("\r\n")

-	s_static("Type=p&sessionKey=424238335&Addr=")
-	s_string("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", max_len=1024)
-
+	with s_block("data"):
+		s_static("Type=p&sessionKey=")
+		s_static(my_key)
+		s_static("&Addr=")
+		s_static("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
+		s_string("hello", max_len=10)
 	session.connect(s_get("Login"))
-	session.connect(s_get("Login"), s_get("Get_key"), callback=get_banner)
-	session.connect(s_get("Get_key"), s_get("Post"), callback=get_banner)
-	# session.connect(s_get("Login"), s_get("Get_key"), callback=get_banner)
+	session.connect(s_get("Login"), s_get("Get_key"), callback=change_port)
+	my_edge=session.connect(s_get("Get_key"), s_get("Post"), callback=get_sk)
+	# session.connect(s_get("Post"), callback=get_banner)
 	# session.connect(s_get("Get_key"), s_get("Post"), callback=get_banner)
+	# session.transmit_normal(tar, s_get("Get_key"), my_edge)
 	session.fuzz()
 if __name__ == '__main__':
 	main()
\ No newline at end of file