In [1]:
from fuzzingbook.GreyboxFuzzer import GreyboxFuzzer, FunctionCoverageRunner, Mutator, PowerSchedule, http_program

# Number of fuzzing iterations to run against the target.
TRIALS = 10000

# Coverage-collecting runner wrapped around the library's example HTTP program (the fuzz target).
http_runner = FunctionCoverageRunner(http_program)

# Initial seed corpus: one well-formed URL from which every mutant is derived.
seed_input = "http://www.google.com/search?q=fuzzing"
seeds = [seed_input]

# Mutation operator and energy assignment, both taken unchanged from the library.
mutator = Mutator()
schedule = PowerSchedule()

# Greybox fuzzer: selects seeds via `schedule`, mutates them via `mutator`,
# and keeps the resulting seeds in its `population`.
greybox_fuzzer = GreyboxFuzzer(seeds=seeds, mutator=mutator, schedule=schedule)

# Run the campaign; `outcomes` holds one entry per executed trial.
outcomes = greybox_fuzzer.runs(http_runner, trials=TRIALS)

# Summarise the campaign.
print("Fuzzing completed!")
print(f"Number of tests executed: {len(outcomes)}")
print(f"Final population size: {len(greybox_fuzzer.population)}")

Fuzzing completed!
Number of tests executed: 10000
Final population size: 84


In [6]:
# Peek at the first 20 entries of the final seed population (last expression is the cell output).
greybox_fuzzer.population[0:20]

[http://www.google.com/search?q=fuzzing,
 http:./www.gooXgle,com/serCh?q=fuzzuio3g,
 hVt:./w7m%ww.c0mox|e,#	co/sdr*?=&wzZzuio3gP,
 httmp//www.google.am/suarch?6q=OfuzXzing,
 htt://www.googlecom/search;q=fuzzLing,
 htxtt"://www.googl.+a?om/search?q=fuzzping,
 hVt./w7m%ww>c0mox|e,#	co/sr*?=&wzZzui2o3gP,
 hpt:./gww.gooXflecom/ser_Ch?q=fuzui^o3g,
 xttt#a2Ba?/wvw:gmogl.ka?#o//saach?q=fu,~zpImngg',
 vt:.gu.goXfleWaom/sgrCh=q<fuui^3g,
 (tx4t&}/:/wgwgogL;.I+a?{m/s$#echq=Vzzpng,
 http://sww.goowle.cOm/se.achqfuzzin,
 htP//swwGoowle.cOmse.aRchqRfuTzfzio,
 (tYx4t&}/8/wgwgk/&gL;.I+a?{m/s$es0h=RzzpE,
 Htxtt://wwCw.gRog]l.
 aF?oM/each?q=fuzz>%ing,
 Htxtt://wwCw.Rog_l.aF?oM/eac(?q=fuzz>%ing,
 htt2//www.googlecom/serch;q=fuzzLing,
 http://swxwS.gowde.cOse.bichqfuzzin,
 hvtp://swXwS.gowecOse.bichqfuzzin,
 tHtmp;-j/www.*x7goghlEpm`mgO/uach{?qOfzXig]

除了简单的 `PowerSchedule`，我们还可以使用一些高级的能量调度：

* `AFLFastSchedule` 为不经常执行的"不寻常"路径分配高能量。
* `AFLGoSchedule` 为接近未覆盖程序位置的路径分配高能量。
`AFLGoSchedule` 类的构造函数需要一个从每个节点到目标位置的 `distance` 度量，这个度量是通过分析程序代码来确定的。详细信息请参阅本章内容。

`PowerSchedule` 的一个基础是让 `random.choices` 按照每个值的权重进行选择，即可以通过每个值的能量来控制其被选中的概率。

In [3]:
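import random

# Demonstrate the weighted selection that PowerSchedule builds on: random.choices
# picks each element with probability proportional to its weight, so here
# "apple" is ten times as likely as either other entry on every draw.
mylist = ["apple", "banana", "cherry"]

# A dedicated generator with a fixed seed makes this cell reproducible under
# Restart & Run All without reseeding the global `random` module, which other
# cells may also draw from. (The stored output was produced unseeded and therefore differs.)
rng = random.Random(0)
sample = rng.choices(mylist, weights=[10, 1, 1], k=3)
print(sample)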


['apple', 'apple', 'apple']
