Comments (11)
What do you mean multi-connect?
Take HTTP requests as an example, supposing you define 4 requests: login, req1, req2 and req3, you can connect them as follows.
session.connect(s_get("login"))
session.connect(s_get("login"), s_get("req1"), callback=handle_auth)
session.connect(s_get("login"), s_get("req2"), callback=handle_auth)
session.connect(s_get("login"), s_get("req3"), callback=handle_auth)
In my opinion, as for HTTP requests, these 3 requests (req1, req2, req3) have no explicit order. In addition, there might be a callback used to modify the auth cookie dynamically for next post-authenticated requests.
The auth information can be dynamically updated via callback automatically.
session.connect(s_get("req1"), callback=handle_auth)
Actually, the login request can be done in the handle_auth callback. And in this callback, you can access all the attributes of the req1 request via the node parameter, and also update the req1 request with values from the login response.
def handle_auth(target, fuzz_data_logger, session, node, edge, *args, **kwargs):
    global cookie
    if not session.last_send or (session.last_recv and b'401 Not Authorized' in session.last_recv):
        # send login request and set the correct cookie with value from login response
        # ...
        # update cookie attribute in req1 request dynamically
        s_update(node.name + '.cookie', cookie)
    return node.render()
My boofuzz is installed via pip;
In https://github.com/jtpereyda/boofuzz, there is no handle_auth in the source code after searching;
You mean that I manually add a handle_auth function in the session.py file, and compile it myself?
Yeah, the handle_auth() is the edge callback you need to implement by yourself. And the name doesn't matter, you can choose what you want.
No need to modify session.py, you can implement it in the same file where you initialize Session().
Thank you!
OK, I have added handle_auth() in my python script, as follows:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from boofuzz import *

cookie = None  # must be filled from the login response inside handle_auth()


def handle_auth(target, fuzz_data_logger, session, node, edge, *args, **kwargs):
    global cookie
    if not session.last_send or (session.last_recv and b'401 Not Authorized' in session.last_recv):
        # send login request and set the correct cookie with value from login response
        # ...
        # update cookie attribute in req1 request dynamically
        s_update(node.name + '.cookie', cookie)
    return node.render()


def main():
    session = Session(
        target=Target(
            connection=SocketConnection("192.168.237.236", 80, proto="tcp")
        ),
    )

    s_initialize(name="login")
    # s_group("Method ", ["POST"])
    s_static("POST ")
    s_static("/HNAP1/ ")
    s_static("HTTP/1.1\r\n")
    s_static("Host: ")
    s_static("192.168.237.236\r\n")
    s_static("Content-Length: ")
    s_static("430\r\n")
    s_static("Accept: ")
    s_static("*/*\r\n")
    s_static("X-Requested-With: ")
    s_static("XMLHttpRequest\r\n")
    # s_static("\r\n")
    s_static("HNAP_AUTH: ")
    # s_static(":")
    # s_static(" ")
    s_static("6004097268C54FAB61FA79F6FD45DDC7 1670589351597\r\n")
    s_static("SOAPAction: ")
    s_static('"http://purenetworks.com/HNAP1/Login"\r\n')
    s_static("User-Agent: ")
    s_static("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\r\n")
    s_static("Content-Type: ")
    s_static("text/xml; charset=UTF-8\r\n")
    # s_static("\r\n")
    s_static("Origin: ")
    s_static("http://192.168.237.236\r\n")
    # s_static("\r\n")
    s_static("Referer: ")
    s_static("http://192.168.237.236/info/Login.html\r\n")
    s_static("Accept-Encoding: ")
    s_static("gzip, deflate\r\n")
    s_static("Accept-Language: ")
    s_static("zh-CN,zh;q=0.9,en;q=0.8\r\n")
    s_static("Cookie")
    s_static(":")
    s_static(" ")
    s_static("uid=QWYkCuuB")
    s_static("\r\n")
    s_static("Connection")
    s_static(":")
    s_static(" ")
    s_static("close")
    s_static("\r\n")
    s_static("\r\n")
    s_static('<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><Login xmlns="http://purenetworks.com/HNAP1/"><Action>login</Action><Username>Admin</Username><LoginPassword>9DF796CEBD5CC64F0CD03FF37AF1A6CD</LoginPassword><Captcha></Captcha></Login></soap:Body></soap:Envelope>')

    s_initialize(name="adduser")
    # s_group("Method", ["POST"])
    with s_block("adduser-header"):
        s_static("POST ")
        s_static("/HNAP1/ ")
        s_static("HTTP/1.1\r\n")
        s_static("Host: ")
        s_static("192.168.237.236\r\n")
        s_static("Content-Length: ")
        s_size("data", output_format="ascii", fuzzable=True)
        s_static("\r\n")
        s_static("Accept: ")
        s_static("*/*")
        s_static("\r\n")
        s_static("X-Requested-With: ")
        s_static("XMLHttpRequest\r\n")
        s_static("HNAP_AUTH: ")
        s_static("6004097268C54FAB61FA79F6FD45DDC7 1670589351597\r\n")
        s_static("SOAPAction: ")
        s_string('"http://purenetworks.com/HNAP1/SetUsersSettings"')
        s_static("\r\n")
        s_static("User-Agent: ")
        s_static("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\r\n")
        s_static("HNAP_Content: ")
        s_static("B387CD05F7B9C76D10D27094FF5B813F800B995AD1C10474B6FE061E014ACEED01D378F5FAEE013D293BDC1DD64303C901D378F5FAEE013D293BDC1DD64303C9")
        s_static("\r\n")
        s_static("Content-Type: ")
        s_static("text/xml; charset=UTF-8\r\n")
        s_static("Origin: ")
        s_string("http://192.168.237.236")
        s_static("\r\n")
        s_static("Referer: ")
        s_string("http://192.168.237.236/UserAndDevice.html")
        s_static("\r\n")
        s_static("Accept-Encoding: ")
        s_static("gzip, deflate\r\n")
        s_static("Accept-Language: ")
        s_static("zh-CN,zh;q=0.9,en;q=0.8\r\n")
        s_static("Cookie: ")
        # named "cookie" so handle_auth() can reach it as "adduser.cookie" via s_update()
        s_static("uid=QWYkCuuB", name="cookie")
        s_static("\r\n")
        s_static("Connection: ")
        s_static("close")
        s_static("\r\n")
        s_static("\r\n")
    with s_block('data'):
        s_static('<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetUsersSettings')
        s_string('xmlns="http://purenetworks.com/HNAP1/">')
        s_string("<StorageUsersLists><StorageUser><Enabled>true</Enabled><UserName>Admin</UserName><Password>A95785DFD7509D3B613F120EBE7D3B59</Password><ServiceInfoLists><ServiceInfo><Enabled>false</Enabled><ServiceName>VPN</ServiceName><AccessPath></AccessPath><Permission>true</Permission></ServiceInfo></ServiceInfoLists></StorageUser><StorageUser><Enabled>true</Enabled><UserName>123</UserName><Password>")
        s_static("07db78f5fdee0108293be01dd6b103c901d378f5faee013d293bdc1dd64303c901d378f5faee013d293bdc1dd64303c901d378f5faee013d293bdc1dd64303c9")
        s_string("</Password><ServiceInfoLists><ServiceInfo><Enabled>false</Enabled><ServiceName>VPN</ServiceName><AccessPath></AccessPath><Permission>true</Permission></ServiceInfo></ServiceInfoLists></StorageUser></StorageUsersLists></SetUsersSettings></soap:Body></soap:Envelope>")

    session.connect(s_get("login"))
    session.connect(s_get("login"), s_get("adduser"), callback=handle_auth)
    session.fuzz()


if __name__ == "__main__":
    main()
However, after running python3 xxx.py, I cannot prove that handle_auth works;
At first, s_get("login") has the correct cookie; one hour later, the response to "login" fails, and boofuzz is still running with s_get("req1"), so, without handle_auth, s_get("req1") still works.
According to your code, you did nothing in the handle_auth() callback. The handle_auth() shown is just an empty template; you should implement your actual logic to update auth information inside it. In addition, based on your login and adduser requests, it seems these requests may be for some D-Link routers. The information in request headers like uid and HNAP_AUTH is all related to authentication, therefore you should update them dynamically.

> At first, s_get("login") has the correct cookie; one hour later, the response to "login" fails

Since you have written these parameters as fixed values, after the session timeout, it will fail of course. Similarly, you can add another edge callback to update related parameters dynamically.

> and boofuzz is still running with s_get("req1"), so, without handle_auth, s_get("req1") still works.

The edge callback handle_auth() is just used for updating authentication if necessary. Yeah, boofuzz is still running with s_get("adduser"), however the requests sent will be discarded because of "Not Authorized".
Thank you so much!
Yes, my device is dir-x1860.
Actually, I have no idea how to fill the empty template to dynamically update cookie, password and hnap_auth.
The clue is already in the handle_auth(). s_update() can be used to achieve it.
In the handle_auth() callback, you need to:
- send a normal login request, and parse its response to get the right uid, hnap_auth and so on;
- update the corresponding value defined in the requests using s_update().
By the way, to get yourself familiar with boofuzz, in my opinion, trying to debug it is always a good choice. With debugging, you can find which functions or attributes are available, and know what you can do with them.
Thank you!
Thanks for the support @cq674350529!
Closing for now.