Fuzzing SQL Stored Procedures
Another fun fuzzing target is SQL stored procedures. This was a hotbed for exploits a number of years ago and remains a hot topic thanks to the plethora of web applications providing a target-rich environment. Oddly, there are few tools available for fuzzing stored procedures, and most of them are simple one-offs with limited abilities.
Peach sees stored procedures as callable methods with parameters and possible return types. This allows creating anything from super simple to very complex state machines around your set of stored procedures. Additionally, the typical rich set of data modeling tools is available for specifying the parameter data.
The example provided in this article is taken from the SQL Stored Procedure Fuzzing Tutorial and uses MySQL v5.1 as the test database.
Example 1 – Simple Stored Procedure
Our first example is very simple: we will have a single stored procedure called “testproc” that accepts a single parameter “parameter1” typed as a “varchar(255)”.
The MySQL database schema looks like this:
create table if not exists testtable (
    msg varchar(255)
);

delimiter //
CREATE PROCEDURE testproc(IN parameter1 VARCHAR(255))
BEGIN
    insert into testtable (msg) values (parameter1);
END //
delimiter ;
Next we need to create our Peach PIT file. It will contain a data model for our parameter, a state machine that calls our method, and finally a publisher configured to talk to MySQL.
<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="http://phed.org/2008/Peach"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://phed.org/2008/Peach /peach/peach.xsd">

    <Include ns="default" src="file:defaults.xml"/>
    <Include ns="pt" src="file:PeachTypes.xml"/>

    <DataModel name="TheDataModel">
        <String value="Peachy"/>
    </DataModel>

    <StateModel name="TheState" initialState="Initial">
        <State name="Initial">
            <Action type="call" method="call testproc(?)">
                <Param name="p1" type="in">
                    <DataModel ref="TheDataModel"/>
                </Param>
            </Action>
        </State>
    </StateModel>

    <Test name="TheTest">
        <StateModel ref="TheState"/>
        <Publisher class="sql.Odbc">
            <Param name="dsn" value="TestMySql/root/password"/>
        </Publisher>
    </Test>

    <Run name="DefaultRun">
        <Test ref="TheTest"/>
    </Run>

</Peach>
And that's it! Now, obviously there is little point in fuzzing our example method. The real targets for our fuzzing are the built-in methods that ship with most SQL servers, or 3rd party “native” stored procedures (those written in languages like C or C++).
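To make the model above concrete, here is a small Python harness (an added example, not code from the original post or from Peach) that does what the PIT's call action does: it applies a few Peach-style string mutations to the “Peachy” seed, binds each one as the IN parameter of `call testproc(?)`, and sorts the outcomes into accepted, rejected, and lost-connection, the last being the signal that a native procedure may have crashed. The exception classes and the in-memory stand-in for the ODBC connection are constructed assumptions; against a real MySQL you would pass a pyodbc connection and its DataError/OperationalError instead.

```python
from typing import Iterable

def string_mutations(seed: str) -> Iterable[str]:
    """A handful of the string mutations Peach applies to a <String> element."""
    yield seed
    yield ""                                   # empty value
    for n in (255, 256, 4096, 65536):          # around the VARCHAR(255) boundary
        yield "A" * n
    yield seed + "\x00tail"                    # embedded NUL
    yield "%s%n%x" * 8                         # format-string style input
    yield "'\";--" + seed                      # SQL metacharacters (bound, so inert)

def fuzz_call(conn, seed: str, rejected_exc, lost_exc) -> dict:
    """Mirror the Peach 'call' action: bind each mutation as the IN parameter of
    testproc and classify the outcome. rejected_exc is what the driver raises for
    refused input (e.g. data too long); lost_exc means the server went away."""
    outcome = {"ok": 0, "rejected": 0, "suspect": []}
    for value in string_mutations(seed):
        try:
            cur = conn.cursor()
            cur.execute("call testproc(?)", (value,))  # bound parameter, never concatenated
            conn.commit()
            outcome["ok"] += 1
        except rejected_exc:
            outcome["rejected"] += 1                   # input refused, procedure still alive
        except lost_exc as exc:
            outcome["suspect"].append((repr(value[:24]), str(exc)))  # triage these
    return outcome

# --- constructed stand-in for an ODBC connection so the harness runs offline ---
class DataError(Exception): ...
class OperationalError(Exception): ...

class FakeMySqlCursor:
    def execute(self, sql, params):
        (value,) = params
        if "\x00" in value:                   # simulated server crash on this input
            raise OperationalError("2013: Lost connection to MySQL server")
        if len(value) > 255:                  # simulated strict-mode length check
            raise DataError("1406: Data too long for column 'msg'")

class FakeMySqlConn:
    def cursor(self): return FakeMySqlCursor()
    def commit(self): pass

if __name__ == "__main__":
    print(fuzz_call(FakeMySqlConn(), "Peachy", DataError, OperationalError))
```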
Well, I hope this was a good introduction to fuzzing SQL stored procedures with Peach! If you have any questions please post them on the Peach mailing list.

Hello, Mr Eddington. I’m a student of Renmin University of China. Fuzzing on network protocols attracts my attention. Testing HTTP is very easy for Peach. However, I want to know whether Peach could test protocols like ICMP or PIM? Another question is whether Peach, written in Python, supports raw sockets so the packets generated are sent from NC?
Furthermore, could you give me some papers about Peach you’ve written? Thank you very much.
Peach can fuzz any data consumer. Peach includes a raw socket publisher and also allows for adding your own.