Vulnerability.
"%u5c00%u2700","/","../","./..././","/%2e/","%2e","%5C","%s","","",""",
"%","!!!!!!!!!!!!!!!!!!","#","%5C27","%5C%56"," ","\",;,";a","|",
"?>","%A0");
"<script>alert(cookies, y + document.cookie);</script>");
to open stream:","internal server error","there was an error when processing this directive.","http/1.1 400","http/1.1 403","http/1.1 500","gateway error","command not found","file not found");
// All flags are lowercase because TestResult lowercases the response before matching
$flags[1] = array("[odbc","mysql error","you have an error in your sql syntax","odbc drivers error","[microsoft sql");
$flags[2] = array("javascript:alert(string.fromcharcode(65,66,67))",
    "<script>alert(cookies, y + document.cookie);</script>");
Now that we know which requests to construct and which output to look for in the responses, we can write the PHP code that constructs the malicious requests and sends them to the HTTP server. In this example we only construct GET requests, but the code is easy to modify if you want to use other HTTP request methods.
function MakeRequest($url, $method = "GET") {
    global $newline;
    $url = str_replace(" ", "%20", $url);
    $buf = "";
    if ($method == "GET") {
        // Split the URL into the host name and the request path
        $host = substr($url, strpos($url, "://") + 3);
        $host = substr($host, 0, strpos($host, "/"));
        $request = substr($url, strpos($url, $host) + strlen($host));
        // The connection line is missing from the listing; port 80 and a 10-second timeout are assumed
        $fp = @fsockopen($host, 80, $errno, $errstr, 10);
        if (!$fp) {
            echo "ERROR. $url $errstr ($errno) $newline";
        } else {
            $out = "GET $request HTTP/1.1\r\n";
            $out .= "Host: $host\r\n";
            $out .= "Connection: Close\r\n\r\n";
            fwrite($fp, $out);
            // Read the whole response, headers included
            while (!feof($fp)) {
                $buf .= fgets($fp);
            }
            fclose($fp);
        }
    }
    return $buf;
}
By sending these maliciously constructed requests, we get back the results returned by the HTTP server. Next we need a function that scans each result for the error strings in the list above. If the variable $result contains content that matches an element of the $flags array, the following function returns true.
function TestResult($result) {
    global $flags;
    // Flags are stored lowercase, so lowercase the response before matching
    $result = strtolower($result);
    for ($i = 0; $i < count($flags); $i++) {
        // Walk every flag of category $i, not just the first count($flags) entries
        for ($o = 0; $o < count($flags[$i]); $o++) {
            if (!(strpos($result, $flags[$i][$o]) === false)) {
                return 1;
            }
        }
    }
    return 0;
}
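TestResult reports only 1 or 0. As an added example (not part of the original article), the block below runs the same lowercase substring match over constructed responses and reports which category and flag matched; ClassifyResponse, the category keys and every sample response are assumptions made for illustration.

```php
<?php
// Added example. A few flags copied from the tables on this page, keyed by category.
$flags = array(
    "general" => array("internal server error", "http/1.1 500", "file not found"),
    "sql"     => array("mysql error", "you have an error in your sql syntax"),
    "xss"     => array("javascript:alert(string.fromcharcode(65,66,67))"),
);

// Hypothetical helper: same matching as TestResult, but returns every
// "category: flag" hit so that a finding can be triaged.
function ClassifyResponse($result, $flags) {
    $hits = array();
    $result = strtolower($result);            // flags are stored lowercase
    foreach ($flags as $category => $needles) {
        foreach ($needles as $needle) {
            if (strpos($result, $needle) !== false) {
                $hits[] = "$category: $needle";
            }
        }
    }
    return $hits;
}

// Constructed responses (not captured from a real server).
$probe = "javascript:alert(String.fromCharCode(65,66,67))";
$samples = array(
    // Database error text leaked into a 200 page.
    "sql error in body" => "HTTP/1.1 200 OK\r\n\r\n<b>You have an error in your SQL syntax</b>",
    // Status line and reason phrase both match, so two flags fire for one response.
    "500 status line"   => "HTTP/1.1 500 Internal Server Error\r\n\r\n",
    // Probe reflected inside an href attribute.
    "echo in href"      => "HTTP/1.1 200 OK\r\n\r\n<a href=\"$probe\">back</a>",
    // Same probe echoed as plain text: the substring match cannot tell the
    // two contexts apart, so this hit still needs manual review.
    "echo as text"      => "HTTP/1.1 200 OK\r\n\r\n<p>No results for $probe</p>",
    // Nothing from the flag table appears.
    "clean page"        => "HTTP/1.1 200 OK\r\n\r\n<p>Welcome</p>",
);

foreach ($samples as $name => $response) {
    $hits = ClassifyResponse($response, $flags);
    echo str_pad($name, 20), count($hits) ? implode("; ", $hits) : "no flag", "\n";
}
```

A substring match like this marks where to look, not what is exploitable: the href and plain-text samples raise the same flag even though the reflection context differs.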
Everything is ready! Now it's time to write the code that connects everything. The following code uses the $list array, which holds all the URL addresses used for detection.
// The loop header is missing from the listing; it is reconstructed from the use of $list[$inc] and the closing brace
for ($inc = 0; $inc < count($list); $inc++) {
    if ($localonly == true AND (substr($list[$inc], 0, 17) != "http://localhost/" AND substr($list[$inc], 0, 17) != "http://127.0.0.1/"))
        die("Sorry, this script can only be tested against localhost.");
    // SetUpParameters analyzes each GET parameter in the URL address and stores it in the arrays $get and $getvalue
    // (the call is missing from the listing; this form is an assumption)
    $url = SetUpParameters($list[$inc]);
    if (trim($url) != "") {
        echo "$newline $url $newline";
        // Test each possible vulnerability
        for ($vulni = 0; $vulni < count($vulnchars); $vulni++) {
            switch ($vulni) {
                case 0: echo "* General web vulnerabilities $newline"; break;
                case 1: echo "* SQL vulnerabilities $newline"; break;
                case 2: echo "* XSS vulnerabilities $newline"; break;
            }
            // Check every GET parameter in the URL
            for ($o = 0; $o < count($get); $o++) {
                for ($i = 0; $i < count($vulnchars[$vulni]); $i++) {
                    // Construct URL addresses from the vulnerability detection table
                    $whichparam = $get[$o];
                    $testing = $url . "?";
                    // Keep the default values of all other parameters in the script
                    // (loop header reconstructed from the use of $z)
                    for ($z = 0; $z < count($get); $z++) {
                        if ($get[$z] != $whichparam)
                            $testing .= "&" . $get[$z] . "=" . $getvalue[$z];
                    }
                    $testing .= "&" . $whichparam . "=" . $vulnchars[$vulni][$i];
                    $fun = MakeRequest($testing);
                    if ($parseforlinks == true) ParseForLinks($fun);
                    $error = TestResult($fun);
                    if ($error != 0)
                        echo "FLAG! ... $testing $newline";
                    if ($error == 0 and $verbose == true)
                        echo "OK .. $testing $newline";
                }
            }
        }
    }
}
Add the http://$host/"> flag to the $list array. You can also add other request methods and checks, such as POST, SSL, cookies, and file upload vulnerabilities. Writing a web fuzzer is a worthwhile programming task, but it may be an endless one.