xiphosresearch / phuzz
Find exploitable PHP files by parameter fuzzing and function call tracing
License: Other
While analysing lots of files we found a situation where Phuzz would hang indefinitely because of ... shrug some combination of PHP and TCP sockets.
There needs to be an enforced time-out, so Phuzz will kill PHP after 10 seconds of no response, or 60 seconds overall (both configurable).
Tracing must resume afterwards.
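A watchdog with the two limits this issue asks for, written as an added example rather than phuzz's own code: it wraps the child process (a stand-in for the PHP server; `fake_php` is an assumed test helper, not a project function), kills it after idle_timeout seconds of silence on its output or total_timeout seconds overall, and reaps it so the caller can start a fresh process and resume tracing. Written for Python 3.

```python
import subprocess
import sys
import threading
import time

IDLE_TIMEOUT = 10.0    # seconds of silence before the child is killed (issue's default)
TOTAL_TIMEOUT = 60.0   # hard cap on one run regardless of activity (issue's default)

def run_with_watchdog(cmd, idle_timeout=IDLE_TIMEOUT, total_timeout=TOTAL_TIMEOUT):
    """Run cmd, killing it if it stays silent for idle_timeout seconds or
    exceeds total_timeout seconds overall. Silence is measured on the child's
    combined stdout/stderr, the signal a hung PHP process would give.
    Returns (status, output) with status in {'finished', 'idle', 'total'}."""
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    start = time.monotonic()
    last_activity = [start]
    chunks = []

    def drain():
        # Every line that arrives counts as activity and resets the idle clock.
        for line in proc.stdout:
            chunks.append(line)
            last_activity[0] = time.monotonic()

    reader = threading.Thread(target=drain, daemon=True)
    reader.start()

    status = "finished"
    while proc.poll() is None:
        now = time.monotonic()
        if now - start >= total_timeout:
            status = "total"
            proc.kill()
            break
        if now - last_activity[0] >= idle_timeout:
            status = "idle"
            proc.kill()
            break
        time.sleep(0.05)
    proc.wait()            # reap the child so a fresh one can be started
    reader.join(timeout=2)
    return status, b"".join(chunks)

def fake_php(script):
    """Assumed test stand-in for the PHP process: an unbuffered Python child."""
    return [sys.executable, "-u", "-c", script]
```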
With results of the traces we should be able to determine which category of bug it is. A classifier needs to match function calls and parameters, then output appropriate Tags. e.g.
This fits into the project because it will form the basis of the analyser and exploiter in the level above, e.g. 'LocalFile+CodeExecution' - RCE. The tags will be used to determine what modifications to make to the input parameters to verify the level of control over them, see if there's filtering etc.
Implement using http://www.howzatt.demon.co.uk/NtTrace/ or http://intellectualheaven.com/default.asp?BH=StraceNT
Too much effort at the moment
A "hard problem" (which may be out of scope) to solve is the issue with dynamic web apps that have a fuck tonne of dependencies and rely on a database.
An example of this is the vast majority of WordPress plugins.
It would be interesting to be able to point phuzz at the webroot of an installed/configured WordPress/whatever instance (with whatever plugins) and let it rip. Hooking calls to the database would also help with detecting SQLi, etc.
This functionality may already be possible in the application's current state, I'll have to run some tests later.
I have no idea why this bug is still cropping up... Backtrace below.
# python -m phuzz -o output/ -t tests/ -d
DEBUG:phuzz:Waiting for server...
PHP 5.6.4-4ubuntu6.4 Development Server started at Sun Sep 18 14:47:57 2016
Listening on http://127.0.0.1:25581
Document root is /scratch/skyhigh/wordpress-research/phuzz/tests
Press Ctrl-C to quit.
[Sun Sep 18 14:47:57 2016] 127.0.0.1:50010 Invalid request (Unexpected EOF)
INFO:phuzz:SyscallTracer started, pid: 14257
INFO:__main__:Scanning all files in tests/
DEBUG:phuzz:Retrieving 'http://127.0.0.1:25581afu1.php'
ERROR:__main__:FAIL...
Traceback (most recent call last):
File "/scratch/skyhigh/wordpress-research/phuzz/phuzz/__main__.py", line 41, in main
worker.run_file(os.path.join(path, filename))
File "phuzz/__init__.py", line 415, in run_file
return self.run_path(webpath)
File "phuzz/__init__.py", line 420, in run_path
return self.run(url)
File "phuzz/__init__.py", line 428, in run
trace = self.trace(url, state)
File "phuzz/__init__.py", line 381, in trace
resp = self._request_for_state(url, state)
File "phuzz/__init__.py", line 374, in _request_for_state
allow_redirects=False)
File "/home/skyhighatrist/.local/lib/python2.7/site-packages/requests/sessions.py", line 454, in request
prep = self.prepare_request(req)
File "/home/skyhighatrist/.local/lib/python2.7/site-packages/requests/sessions.py", line 388, in prepare_request
hooks=merge_hooks(request.hooks, self.hooks),
File "/home/skyhighatrist/.local/lib/python2.7/site-packages/requests/models.py", line 293, in prepare
self.prepare_url(url, params)
File "/home/skyhighatrist/.local/lib/python2.7/site-packages/requests/models.py", line 347, in prepare_url
raise InvalidURL(*e.args)
InvalidURL: Failed to parse: 127.0.0.1:25581afu1.php
DEBUG:phuzz:SyscallTracer stopped, pid: 14257
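The InvalidURL in the backtrace is the server base URL and the file's web path joined with no separator ('http://127.0.0.1:25581' followed directly by 'afu1.php'). One way to build the request URL so that shape cannot occur, as an added example that is not phuzz's own code (function names and arguments are assumed; written for Python 3): derive the web path relative to the document root the PHP server was started in, refuse anything outside it, and join onto a base that always ends in '/'.

```python
import os
from urllib.parse import quote, urljoin

def relative_webpath(docroot, filepath):
    """Return filepath's path below docroot using '/' separators,
    or None if filepath is not inside docroot (e.g. 'tests/../x.php')."""
    root = os.path.abspath(docroot)
    target = os.path.abspath(filepath)
    try:
        rel = os.path.relpath(target, root)
    except ValueError:        # different drive letter on Windows
        return None
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        return None
    # URL paths use '/' whatever the host OS separator is.
    return "/".join(rel.split(os.sep))

def build_url(base_url, docroot, filepath):
    """Map a file under the dev server's document root to its URL.
    base_url like 'http://127.0.0.1:25581', with or without a trailing slash."""
    webpath = relative_webpath(docroot, filepath)
    if webpath is None:
        raise ValueError("not inside document root: %s" % filepath)
    # Guarantee exactly one '/' between host:port and the path; urljoin on a
    # base that ends in '/' can never yield '127.0.0.1:25581afu1.php'.
    base = base_url if base_url.endswith("/") else base_url + "/"
    return urljoin(base, quote(webpath))
```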
A nice addition for usability would be to have a progress indicator for when large amounts of files are being scanned. Even something as simple as "X/Y Files Scanned - Z% Complete" would be decent.
A further enhancement to this would be a "time elapsed/estimated time remaining" counter.