Steps to fuzz a PHP application:
a. Have the static analysis models in hand. (Change the directory of the model files in line 730 of nextToFuzz.py.)
b. Have the static analysis satpath in hand. (Change the directory of the satpath file in line 854 of nextToFuzz.py.)
c. Instrument the target application
- Assume the name of the application is schoolmate
- Install the application properly. Make sure it can be reached from the web server.
- Copy the whole application to /PROJECT_ROOT/PHP_Fuzzer
- Run the following command to instrument the target application: python3 instrument.py ./schoolmate
- A new folder named schoolmate_ins will be created in the same folder
- Move the new folder to /var/www/html and rename it to schoolmate
d. Create the database which saves the trace information
- Modify the DB info to your own in the file /PROJECT_ROOT/AFL/AFL/create_database.py
- Run that file (create_database.py) to create the table which saves the trace information
e. Start fuzzing
- Compile AFL in the directory /PROJECT_ROOT/AFL/AFL: make install
- Use the script /PROJECT_ROOT/AFL/AFL/nextToFuzz.py as the entry point to start fuzzing: python3 nextToFuzz.py
- Follow the fuzzing process according to the logs
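The trace database of step d, and the coverage signal the fuzzer reads back from it in step e, as an added example that is not the project's own create_database.py or nextToFuzz.py: it stores the (file, line) hits reported by the instrumented copy per request and asks which locations a request reached for the first time. The use of sqlite3, the table layout and column names, and the sample hits for schoolmate are all assumptions made here; the project's real DB engine and schema are whatever is configured in create_database.py.

```python
import sqlite3
from typing import Iterable, List, Tuple

# Assumed layout: one row per executed (file, line) per request. The project's
# own engine, table and columns are set in create_database.py and may differ.
SCHEMA = """
CREATE TABLE IF NOT EXISTS trace (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    request TEXT    NOT NULL,  -- HTTP request that produced the hit
    file    TEXT    NOT NULL,  -- instrumented PHP file that reported it
    line    INTEGER NOT NULL   -- executed line reported by the instrumentation
);
CREATE INDEX IF NOT EXISTS trace_loc ON trace(file, line);
"""

Hit = Tuple[str, int]


def create_database(conn: sqlite3.Connection) -> None:
    """Step d: create the table that saves the trace information."""
    conn.executescript(SCHEMA)


def record_trace(conn: sqlite3.Connection, request: str, hits: Iterable[Hit]) -> int:
    """Save the hits reported for one request; returns the number of rows stored."""
    rows = [(request, f, ln) for f, ln in hits]
    conn.executemany("INSERT INTO trace(request, file, line) VALUES (?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def new_coverage(conn: sqlite3.Connection, request: str) -> List[Hit]:
    """Locations hit by `request` that no request recorded before it had reached.
    A non-empty result is the signal a coverage-guided fuzzer uses to keep an input."""
    rows = conn.execute(
        """
        SELECT file, line FROM trace WHERE request = ?
        EXCEPT
        SELECT file, line FROM trace
         WHERE id < (SELECT MIN(id) FROM trace WHERE request = ?)
        """,
        (request, request),
    ).fetchall()
    return sorted((f, ln) for f, ln in rows)


def covered_locations(conn: sqlite3.Connection) -> int:
    """Total distinct (file, line) pairs reached so far."""
    return conn.execute(
        "SELECT COUNT(*) FROM (SELECT DISTINCT file, line FROM trace)"
    ).fetchone()[0]


def demo() -> Tuple[List[Hit], int]:
    """Constructed sample: two requests against the instrumented schoolmate copy."""
    conn = sqlite3.connect(":memory:")
    create_database(conn)
    first = "GET /schoolmate/index.php"
    second = "POST /schoolmate/index.php?page=login"
    record_trace(conn, first, [("index.php", 10), ("index.php", 12), ("Login.php", 5)])
    record_trace(conn, second, [("index.php", 10), ("Login.php", 5), ("Login.php", 9)])
    return new_coverage(conn, second), covered_locations(conn)


if __name__ == "__main__":
    fresh, total = demo()
    print("new coverage from second request:", fresh)  # [('Login.php', 9)]
    print("distinct locations covered:", total)        # 4
```

The EXCEPT against rows with a smaller id than the request's first row is what makes the query answer "new relative to everything before", rather than "unique to this request"; a location later re-hit by a third request still counts as first reached by the second one.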
Errors you might see:
a. AFL fuzzer failure related to the core: run the script /PROJECT_ROOT/AFL/AFL/modifyCore.sh to get past it
File explanation:
- test_log_*: files whose names start with test_log_ are used for testing
- http.c and http.h contain the HTTP methods in C
- mutation.c contains the customized mutation methods (modify line 5334 in afl-fuzz.c as well)
- afl-fuzz.c is the file that is most heavily modified relative to the original AFL