0f2cf80085
* nits * first steps * different approach * fixes * remove temps * remove temp * initial import * more tests * bug hunt * cleanup * yaml function target 0x.... support * final * update doc * other work * Clippy, fmt * Removed lazystatic dependency * More small cleanups * optimize to_lowercase * move funtionality to libafl_qemu * add missing file * ready * remove qemu_injections * move test files to test directory * doc update * add todos * fixes * add file comment * add test and other platform support * fix clippy * Replace Emulator::new_empty by Emulator::get. Fix visibility identifier. * clippy * let's try this * cpu_target? * fmt * cleanup build system, enable missing fuzzers * fix qemu_launcher * enable hexagon in qemu_launcher * Removed useless `any` predicate in cfg attribute. Replaced wrong types in `syscall_hook` signature. * format * move to read_function_argument * add hexagon injections support * enable injections fuzzing everywhere * unify error msg * Fix build, add initial toml support * intermediate push, wip * fix build * More WIP * Fix build * Clippy * fix qemu * Fix arm * fix more wrong things * fix testcase * try to fix it again? * more release? * make makefile independent of dev/release * trying more fix? * More ugly more works * more trying to fix the testcase * allow yml as filename too * more docs --------- Co-authored-by: Dominik Maier <dmnk@google.com> Co-authored-by: Romain Malmain <romain.malmain@pm.me> Co-authored-by: Dominik Maier <domenukk@gmail.com>
64 lines
1.9 KiB
TOML
64 lines
1.9 KiB
TOML
# The TOML Structure:
|
|
#
|
|
# You can specify multiple different injection types if you want.
|
|
# [name] # any name you want, it is not important
|
|
# tokens = ["a string", ...] # an injection string to add to the tokens list
|
|
# matches = ["a string", ...] # if on of these substrings (case insensitive) is found
|
|
# # in the parameter of the function then crash!
|
|
# # note that this is not a regex.
|
|
#
|
|
# [name.functions]
|
|
# # multiple function targets to hook can be defined
|
|
# function_name = # name of the function you want to hook.
|
|
# # if the function name starts with 0x then
|
|
# # this is the QEMU Guest address of a
|
|
# # function you want to hook that does not
|
|
# # have a symbol.
|
|
# {param = number} # which parameter to the function contains the string
|
|
# # 0 = first, 1 = second, ... 0-5 are supported (depending on architecture)
|
|
|
|
[sql]
|
|
tokens = [ "'\"\"'\"\n", "\"1\" OR '1'=\"1\"" ]
|
|
matches = [ "'\"\"'\"", "1\" OR '1'=\"1" ]
|
|
|
|
[sql.functions]
|
|
sqlite3_exec = {param = 1}
|
|
PQexec = {param = 1}
|
|
PQexecParams = {param = 1}
|
|
mysql_query = {param = 1}
|
|
mysql_send_query = {param = 1}
|
|
|
|
|
|
# Command injection. Note that for most you will need a libc with debug symbols
|
|
# We do not need this as we watch the SYS_execve syscall, this is just an
|
|
# example.
|
|
[cmd]
|
|
tokens = [
|
|
"'\"FUZZ\"'",
|
|
"\";FUZZ;\"",
|
|
"';FUZZ;'",
|
|
"$(FUZZ)",
|
|
]
|
|
matches = ["'\"FUZZ\"'"]
|
|
|
|
[cmd.functions]
|
|
popen = {param = 0}
|
|
system = {param = 0}
|
|
|
|
# LDAP injection tests
|
|
[ldap]
|
|
tokens = ["*)(FUZZ=*))(|"]
|
|
matches = ["*)(FUZZ=*))(|"]
|
|
|
|
[ldap.functions]
|
|
ldap_search_ext = {param = 3}
|
|
ldap_search_ext_s = {param = 3}
|
|
|
|
# XSS injection tests
|
|
# This is a minimal example that only checks for libxml2
|
|
[xss]
|
|
tokens = ["'\"><FUZZ"]
|
|
matches = ["'\"><FUZZ"]
|
|
[xss.functions]
|
|
htmlReadMemory = {param = 0}
|