    dion
    @User-debbie
    image.png
    Just like this~
    Tresvian
    @Tresvian
    using regex is probably a very slow method
    dion
    @User-debbie
    I can try BLOB
    but I haven't tried this logger yet
    The logger is on by default (boofuzz-results directory)
    apt install sqlitebrowser if you want to view the database
    keep in mind that the logger that does stdout and the logger for the sqlite database are different things
    dion
    @User-debbie
    Thanks! I see the things in my data field are like 'POST HTTP/1.1 xxxxx'
    Tresvian
    @Tresvian
    Yep! That's it
    dion
    @User-debbie
    So I used regex to extract the data
    Tresvian
    @Tresvian
    SELECT data FROM steps will likely give you the data you want
    a sql query can give it to you programmatically
    dion
    @User-debbie
    But I found that s_string primitive is not relevant to my default value?
    Tresvian
    @Tresvian
    I haven't used the s_x primitives, so I can't give you a good answer
    dion
    @User-debbie
    Thanks~You mean using a SQL query instead of regex, right?
    Tresvian
    @Tresvian
    yeah
    dion
    @User-debbie
    It seems to be the most direct way!
    Tresvian
    @Tresvian
    At least from your sqlite database from boofuzz-results. You can open that file up with sqlitebrowser and make a query directly for that data. Then dump into a file or some other thing
    Or you can keep the database to send off somewhere, and they can connect to the data themselves
    so you don't have a giant pile of data
    Or better yet, make a new sqlite database with only a row for each data entry
    dion
    @User-debbie
    I'll try String() primitive, to see if it is relevant to the default value
    yeah
    make a new sqlite database with only a row for each data entry is the best way
    Tresvian
    @Tresvian
    As long as you keep the truncation in mind, it should all be good binary data
    dion
    @User-debbie
    Let's say the default value is boofuzz, is it possible it can generate values like 'bxxfuzz' or 'bfuzz' or 'booooofuzzz'?
    Time to have lunch~Thanks again for your brilliant idea
    Hope to see you again~
    Tresvian
    @Tresvian
    I don't know if boofuzz does smart mutation like AFL, but I would imagine it'd be a little dumber haha
    so likely default value is used once, and that's it
    take care
    dion
    @User-debbie
    Another kind person on GitHub says I should try RADAMSA
    Tresvian
    @Tresvian
    Yeah so the difference between boofuzz and other mutators is that boofuzz is a network-based fuzzer. Its priority is generating data that a server needs to be able to parse in order to get to a fuzzable location, in comparison to mutators that blindly change things that might never reach a branch of code that you want
    AFL is a (mostly) blind fuzzer that does a similar thing. It does random mutations until it reaches a point in the code (branches) that is different from its previous fuzzing. However, this can take a HORRIBLY long time to reach if it's a complex server
    Other mutators that simply generate data are even dumber than AFL. They have no introspection to see where they reached in code.
    However, AFL also requires you to bake in its special sauce at compile time so AFL can recognize when these branches get hit.
    Tresvian
    @Tresvian
    The only way to get other programs to smartly reach the fuzzable code you want is by seeding programs like AFL with pre-generated data that is oriented correctly like a packet while also having its correct special sauce baked in. But you'd also have to generate every orientation of seeds otherwise it needs to blindly figure it out. I spent a long time trying all these out, and boofuzz is the only one that smartly orients the data to be acceptable to black box fuzzing.
    dion
    @User-debbie
    Hi~I am back, thanks for the detailed explanation on fuzzing!
    Yesterday I was wondering why the generated test cases are all like %01%02%03@%04%0a%0d%0aADSF or &reboot, which is not relevant to the default value I gave. Now I know: after reading the definition of the string primitive, I found _fuzz_library in it! Does that mean if I need the test cases to mutate based on the default value, I should add this default value to the _fuzz_library?
    dion
    @User-debbie
    I tried, but I didn't get what I wanted.
    dion
    @User-debbie
    Is there any way I can get boofuzz to mutate data based on the value I gave?
    dion
    @User-debbie
    I did some research, learnt that there are two ways of fuzzing, generation based and mutation based? boofuzz would be a generation based fuzzer, is that right?
    Tresvian
    @Tresvian
    @User-debbie I'm pretty sure there are methods of modifying its mutations, but you'd likely have to add it yourself
    dion
    @User-debbie
    Thanks~I think I need to go through string.py to find out how boofuzz mutations work.
    Katharina Bogad
    @mistressofjellyfish
    @jtpereyda would it be possible to enable the discussions feature in the github repo? I just had a look through the issues and many of them are questions on how to use boofuzz, not exactly bug reports
    I usually ignore help requests until I have time, but then won't notice actual problems I caused at one point :'D
    Maximilian Lindner
    @SR4ven
    @mistressofjellyfish I agree, I thought about that too. Discussions might help to separate problems/requests from questions.
    Maximilian Lindner
    @SR4ven
    @User-debbie interesting use case you have there. You're right, boofuzz is a generation-based fuzzer, so we take some common values known to cause problems, long strings and boundaries of bit fields, and modify them a little. About using the fuzzed data outside of boofuzz, if I were you I'd write a connection class that simply saves the data to a file or database. Alternatively, scrape together the code you need in your own script.