Jul 15

Fuzzing SQL Stored Procedures

Category: Peach

Another fun fuzzing target is SQL stored procedures.  This was a hotbed for exploits a number of years ago and remains a hot topic thanks to the plethora of web applications providing a target-rich environment.  Oddly, there are few tools available for fuzzing stored procedures, and most of them are simple one-offs with limited abilities.

Peach sees stored procedures as callable methods with parameters and possible return types.  This allows creating anything from very simple to very complex state machines around your set of stored procedures.  Additionally, the typical rich set of data modeling tools is available for specifying the parameter data.

The example provided in this article is taken from the SQL Stored Procedure Fuzzing Tutorial and uses MySQL v5.1 as the test database.

Example 1 – Simple Stored Procedure

Our first example is very simple: a single stored procedure called “testproc” that accepts a single parameter “parameter1” typed as a “varchar(255).”


The MySQL database schema looks like this:

create table if not exists testtable (
   msg varchar(255)
);

delimiter //
CREATE PROCEDURE testproc(IN parameter1 VARCHAR(255))
BEGIN
   insert into testtable (msg) values (parameter1);
END;
//
delimiter ;


Next we need to create our Peach Pit file.  It will contain a data model for our parameter, a state machine that calls our method, and finally a publisher configured to talk with MySQL.

<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="http://phed.org/2008/Peach"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://phed.org/2008/Peach /peach/peach.xsd">

       <Include ns="default" src="file:defaults.xml"/>
       <Include ns="pt" src="file:PeachTypes.xml"/>

       <DataModel name="TheDataModel">
               <String value="Peachy"/>
       </DataModel>

       <StateModel name="TheState" initialState="Initial">

               <State name="Initial">
                       <Action type="call" method="call testproc(?)">
                               <Param name="p1" type="in">
                                       <DataModel ref="TheDataModel"/>
                               </Param>
                       </Action>
               </State>
       </StateModel>

       <Test name="TheTest">
               <StateModel ref="TheState"/>

               <Publisher class="sql.Odbc">
                       <Param name="dsn" value="TestMySql/root/password"/>
               </Publisher>
       </Test>

       <Run name="DefaultRun">
               <Test ref="TheTest"/>
       </Run>
</Peach>


And that’s it!  Now, obviously there is little point in fuzzing our example method.  The real targets for our fuzzing are the built-in methods that ship with most SQL servers, or third-party “native” stored procedures (those written in languages like C or C++, where a malformed parameter can crash or corrupt the database server process itself rather than just fail a query).

Well, I hope this was a good introduction to fuzzing SQL stored procedures with Peach!  If you have any questions please post them on the Peach mailing list.


Jul 11

Changing Defaults for Data Elements

Category: Peach

One feature that has been much requested for Peach is the ability to change data element defaults, for example the default byte order for numbers, or the string type (wchar, char, utf8, etc.).  As of Peach 2.3 this is possible using the top-level <Defaults> element.

To change the defaults for the Number element so numbers are unsigned and big endian, you would use the following XML:

<Defaults>
  <Number signed="false" endian="big" />
</Defaults>
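As an added example that is not from the original post, here is a Pit fragment that sets unsigned big-endian numbers and UTF-8 strings as the defaults and then overrides the byte order for a single field, so you can see which setting wins where. Assumptions: the `<String type="utf8"/>` form of the default, the placement of `<Defaults>` right after the includes, and that an attribute written on an element takes precedence over `<Defaults>`.

```xml
<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="http://phed.org/2008/Peach"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://phed.org/2008/Peach /peach/peach.xsd">

    <Include ns="default" src="file:defaults.xml"/>
    <Include ns="pt" src="file:PeachTypes.xml"/>

    <!-- Top-level defaults: every Number becomes unsigned and big endian,
         every String becomes UTF-8 (the String form here is assumed). -->
    <Defaults>
        <Number signed="false" endian="big"/>
        <String type="utf8"/>
    </Defaults>

    <!-- Constructed message header, used only to illustrate the defaults. -->
    <DataModel name="Header">
        <!-- inherits unsigned + big endian from Defaults -->
        <Number name="magic" size="32" value="1"/>
        <!-- an explicit attribute overrides the default for this field only -->
        <Number name="legacyFlags" size="16" endian="little" value="0"/>
        <!-- inherits the utf8 string type from Defaults -->
        <String name="name" value="peach"/>
    </DataModel>
</Peach>
```

Keeping the per-field override next to the model-wide default is also how you document a mixed-endian format for the next person reading the Pit.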

Jul 10

Fuzzing Shared Libraries

Category: Peach

Fuzzing shared libraries is not the most common of tasks, but it is a useful tool to have available.  Many times, methods exposed by scripting languages such as JavaScript, PHP, etc. are simply methods exposed by a shared library (a DLL for you Windows peeps).

Sadly, most fuzzers do not support fuzzing shared libraries directly, so typically one was stuck dusting off something like SPIKE or some other framework and writing custom code to drive everything.  Things get even more complicated if the exposed methods you are fuzzing take complex types comprised of structures with pointers to other structures, etc.


Enter Peach.  Peach has always been capable of loading shared libraries and making function calls; however, not until version 2.3 has Peach supported complex structure types and pointers.

Let’s take a look at a few samples to get an idea of how easy this is with Peach.

Use Case #1 – Non-complex data types

Our first example will emulate the following code:

mydll.Initialize();
mydll.DoCoolThings( char* s );

First we will need to create a quick data model for our “s” parameter:

<DataModel name="s">
  <String value="Hello World!" />
</DataModel>

Next is the state model that will have the method calls:

<StateModel name="TheStateModel" initialState="State1">
  <State name="State1">
    <Action type="call" method="Initialize" />
    <Action type="call" method="DoCoolThings">
      <Param name="s" type="in">
        <DataModel ref="s" />
      </Param>
    </Action>
  </State>
</StateModel>

And finally we will need to configure a publisher:

<Publisher class="dll.Dll">
  <Param name="library" value="mydll.dll" />
</Publisher>

And that’s it!

Use Case #2 – Complex data types

Now, let’s change the definition of DoCoolThings to this:

struct otherstruct
{
  int a;
  int b;
};

struct mystruct
{
  struct otherstruct * val;
};

mydll.DoCoolThings( struct mystruct *s);

First we will need data models:

<DataModel name="otherstruct">
  <Number name="a" size="32" value="0" />
  <Number name="b" size="32" value="0" />
</DataModel>

<DataModel name="mystruct" pointer="true">
  <Block ref="otherstruct" pointer="true" />
</DataModel>

Next we need the state model:

<StateModel name="TheStateModel" initialState="State1">
  <State name="State1">
    <Action type="call" method="Initialize" />
    <Action type="call" method="DoCoolThings">
      <Param name="s" type="in">
        <DataModel ref="mystruct" />
      </Param>
    </Action>
  </State>
</StateModel>

And finally we will need to configure a publisher:

<Publisher class="dll.Dll">
  <Param name="library" value="mydll.dll" />
</Publisher>

And there you go. Easy! I hope this was a good introduction to fuzzing shared libraries with Peach.

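Added example (not from the original post) that goes one step beyond use case #2: the outer structure points at a middle structure that holds both a pointer to a nested struct and the same struct inline, which makes the difference between a `<Block pointer="true">` and a plain `<Block>` visible. The C declarations and all names are constructed; it assumes Peach emits the fields back to back, which these 32-bit and pointer-sized fields satisfy without interior padding on both 32-bit and 64-bit targets.

```xml
<!-- Constructed target signature this Pit fragment models:
       struct inner  { int x; int y; };
       struct middle { struct inner *p; struct inner q; };
       struct outer  { struct middle *m; int flags; };
       void DoCoolThings(struct outer *s);
-->
<DataModel name="inner">
  <Number name="x" size="32" value="0" />
  <Number name="y" size="32" value="0" />
</DataModel>

<DataModel name="middle">
  <!-- p: stored out of line, only its address is placed here -->
  <Block name="p" ref="inner" pointer="true" />
  <!-- q: no pointer attribute, so the 8 bytes of inner are laid out inline -->
  <Block name="q" ref="inner" />
</DataModel>

<!-- the parameter itself is passed by pointer, as in use case #2 -->
<DataModel name="outer" pointer="true">
  <Block name="m" ref="middle" pointer="true" />
  <Number name="flags" size="32" value="0" />
</DataModel>

<StateModel name="TheStateModel" initialState="State1">
  <State name="State1">
    <Action type="call" method="Initialize" />
    <Action type="call" method="DoCoolThings">
      <Param name="s" type="in">
        <DataModel ref="outer" />
      </Param>
    </Action>
  </State>
</StateModel>

<Test name="TheTest">
  <StateModel ref="TheStateModel" />
  <Publisher class="dll.Dll">
    <Param name="library" value="mydll.dll" />
  </Publisher>
</Test>
```

The two pointer fields are where a fault is most likely once mutation starts, so run the library under a debugger or crash monitor so the faulting access is recorded together with the iteration that produced it.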

Jan 29

Peach Dojo @ CanSecWest 2009

Category: Peach

Jan 29

Still Alive!

Category: Uncategorized

Yes, even though there has been much silence recently, this blog is still alive and kicking.  I’ve been spending all my time working on Peach 2.3 and related things.

The first beta of Peach 2.3 should hit SourceForge this week; it is currently undergoing its first major rollout for testing.  Along with the new release I’ll be posting a number of what’s-new how-tos.

Also look for a series of "Advanced Peach" articles that will cover some of the advanced uses of Peach for complex file types and network protocols.


May 25

Peach @ PH-Neutral 0x7d8

Category: Uncategorized

The past ph-neutral security conferences in Berlin I have attended were all very fun, laid back, and informative.  The European security “underground” scene is highly refreshing after so many high-cost US conferences.  Additionally, the people are excellent and provide for good conversations.  This year’s ph-neutral was no exception and was held at an island club, providing more space for this ever-growing conference.  This year was packed as usual, with a record high of 450 pre-registrations.

I originally wrote Peach 1 at ph-neutral 4 or 5 years ago, so it seemed fitting to come back and talk about Peach 2.  I had a blast and look forward to next year.
