Day-145-模糊测试技术

# Day 159: 模糊测试技术

> 漏洞与攻防系列第 4 天 | 预计阅读时间：60 分钟 | 难度：★★★★☆

---

**PUA v3 · Sprint 启动** 
```
┌─────────┬────────────────────────────────────┐
│ 清单 任务 │ 模糊测试技术 - Day 159             │
├─────────┼────────────────────────────────────┤
│  味道 │  阿里味（自动：安全任务）        │
├─────────┼────────────────────────────────────┤
│  压力 │ L0 · 信任期                        │
└─────────┴────────────────────────────────────┘
```
▎ 模糊测试不是乱输入，是系统测试。测试不系统，漏洞就是遗漏的。今天深入模糊测试技术。

---

## 清单 目录

1. [模糊测试概述](#模糊测试概述)
2. [模糊测试原理](#模糊测试原理)
3. [模糊测试类型](#模糊测试类型)
4. [测试用例生成](#测试用例生成)
5. [模糊测试工具](#模糊测试工具)
6. [Web 模糊测试](#web 模糊测试)
7. [协议模糊测试](#协议模糊测试)
8. [文件格式模糊测试](#文件格式模糊测试)
9. [结果分析与验证](#结果分析与验证)
10. [总结与思考](#总结与思考)
11. [参考资料](#参考资料)

---

## 模糊测试概述

### 什么是模糊测试

> ▎ 模糊测试不是盲目测试，是随机测试。随机不系统，漏洞就是遗漏的。

**定义与价值**：
```
模糊测试 (Fuzzing/Fuzz Testing) 是一种通过向目标系统提供非预期输入并监视异常来发现软件漏洞的自动化测试技术。

核心价值:
1. 自动化发现
   - 自动发现漏洞
   - 减少人工成本
   - 提高测试效率

2. 发现深层漏洞
   - 边界条件漏洞
   - 内存破坏漏洞
   - 逻辑错误漏洞

3. 持续测试
   - 集成 CI/CD
   - 回归测试
   - 持续监控
```

**模糊测试历史**：
```
┌─────────────────────────────────────────────────────────┐
│              模糊测试发展历史                            │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  1988 年：Barton Miller 首次提出模糊测试概念            │
│  ├── 发现 Unix 工具漏洞                                 │
│  └── 随机输入测试                                       │
│                                                         │
│  1990 年代：模糊测试技术发展                            │
│  ├── 协议模糊测试                                       │
│  ├── 文件格式模糊测试                                   │
│  └── 自动化模糊测试                                     │
│                                                         │
│  2000 年代：模糊测试工具兴起                            │
│  ├── Peach Fuzzer                                       │
│  ├── American Fuzzy Lop (AFL)                           │
│  └── libFuzzer                                          │
│                                                         │
│  2010 年代：智能模糊测试                                │
│  ├── 覆盖率引导模糊测试                                 │
│  ├── 基于变异的模糊测试                                 │
│  └── 基于生成的模糊测试                                 │
│                                                         │
│  2020 年代：AI 赋能模糊测试                             │
│  ├── 机器学习辅助                                       │
│  ├── 自动化漏洞利用                                     │
│  └── 云模糊测试                                         │
│                                                         │
└─────────────────────────────────────────────────────────┘
```

### 模糊测试流程

**标准流程**：
```python
# 模糊测试流程
class FuzzingProcess:
    """模糊测试标准流程"""
    
    # 流程阶段
    phases = {
        'target_analysis': {
            'name': '目标分析',
            'description': '分析测试目标',
            'duration': '10%',
            'activities': [
                '识别输入点',
                '分析输入格式',
                '确定测试范围'
            ],
            'outputs': ['目标规格', '输入规范']
        },
        
        'test_case_generation': {
            'name': '测试用例生成',
            'description': '生成测试输入',
            'duration': '20%',
            'activities': [
                '选择生成策略',
                '创建种子文件',
                '生成变异用例'
            ],
            'outputs': ['测试用例集']
        },
        
        'fuzzing_execution': {
            'name': '模糊测试执行',
            'description': '执行模糊测试',
            'duration': '50%',
            'activities': [
                '运行测试用例',
                '监控目标状态',
                '记录异常'
            ],
            'outputs': ['测试结果', '崩溃记录']
        },
        
        'crash_analysis': {
            'name': '崩溃分析',
            'description': '分析发现的崩溃',
            'duration': '15%',
            'activities': [
                '重现崩溃',
                '分析原因',
                '确定影响'
            ],
            'outputs': ['崩溃报告', '漏洞分析']
        },
        
        'reporting': {
            'name': '报告编写',
            'description': '编写测试报告',
            'duration': '5%',
            'activities': [
                '汇总结果',
                '编写报告',
                '提出建议'
            ],
            'outputs': ['测试报告']
        }
    }
    
    def execute_process(self, target):
        """执行模糊测试流程"""
        results = {
            'target': target,
            'phases': {},
            'findings': [],
            'summary': {}
        }
        
        # 目标分析
        target_analysis = self.analyze_target(target)
        results['phases']['target_analysis'] = target_analysis
        
        # 生成测试用例
        test_cases = self.generate_test_cases(target_analysis)
        results['phases']['test_case_generation'] = {
            'test_cases_count': len(test_cases)
        }
        
        # 执行测试
        execution_results = self.execute_fuzzing(target, test_cases)
        results['phases']['fuzzing_execution'] = execution_results
        results['findings'] = execution_results.get('crashes', [])
        
        # 分析崩溃
        crash_analysis = self.analyze_crashes(execution_results.get('crashes', []))
        results['phases']['crash_analysis'] = crash_analysis
        
        # 汇总结果
        results['summary'] = self.summarize_results(results)
        
        return results
    
    def analyze_target(self, target):
        """分析测试目标"""
        return {
            'input_types': self.identify_input_types(target),
            'input_format': self.analyze_input_format(target),
            'test_scope': self.determine_test_scope(target)
        }
    
    def generate_test_cases(self, target_analysis):
        """生成测试用例"""
        # 实际实现
        return []
    
    def execute_fuzzing(self, target, test_cases):
        """执行模糊测试"""
        crashes = []
        
        for i, test_case in enumerate(test_cases):
            result = self.run_test_case(target, test_case)
            
            if result['crash']:
                crashes.append({
                    'test_case': test_case,
                    'crash_info': result['crash_info'],
                    'index': i
                })
        
        return {
            'total_executions': len(test_cases),
            'crashes': crashes
        }
    
    def analyze_crashes(self, crashes):
        """分析崩溃"""
        analysis = []
        
        for crash in crashes:
            # 重现崩溃
            reproduced = self.reproduce_crash(crash)
            
            if reproduced['success']:
                analysis.append({
                    'crash': crash,
                    'reproduction': reproduced,
                    'severity': self.assess_severity(crash),
                    'root_cause': self.identify_root_cause(crash)
                })
        
        return analysis
    
    def summarize_results(self, results):
        """汇总结果"""
        return {
            'total_executions': results['phases']['fuzzing_execution']['total_executions'],
            'total_crashes': len(results['findings']),
            'unique_crashes': len(set(str(c) for c in results['findings'])),
            'confirmed_vulnerabilities': len([
                c for c in results['phases']['crash_analysis']
                if c.get('root_cause')
            ])
        }
```

---

## 模糊测试原理

### 工作原理

> ▎ 模糊测试不是简单随机，是智能测试。测试不智能，效率就是低下的。

**工作原理**：
```python
# 模糊测试引擎
class FuzzingEngine:
    """模糊测试引擎"""
    
    def __init__(self, target):
        self.target = target
        self.seed_inputs = []
        self.test_cases = []
        self.crashes = []
        self.coverage = set()
    
    def initialize(self, seed_inputs):
        """初始化模糊测试"""
        self.seed_inputs = seed_inputs
        
        # 分析种子输入
        self.analyze_seeds()
        
        # 生成初始测试用例
        self.generate_initial_cases()
    
    def analyze_seeds(self):
        """分析种子输入"""
        for seed in self.seed_inputs:
            # 提取结构信息
            structure = self.extract_structure(seed)
            
            # 识别可变区域
            mutable_regions = self.identify_mutable_regions(seed)
            
            # 记录覆盖率
            coverage = self.measure_coverage(seed)
            self.coverage.update(coverage)
    
    def extract_structure(self, seed):
        """提取输入结构"""
        # 分析输入格式
        # 识别字段边界
        # 识别数据类型
        pass
    
    def identify_mutable_regions(self, seed):
        """识别可变区域"""
        regions = []
        
        # 识别可以修改的区域
        # 例如：数值字段、字符串字段
        
        return regions
    
    def measure_coverage(self, seed):
        """测量覆盖率"""
        # 运行种子输入
        # 收集代码覆盖信息
        # 返回覆盖的代码块
        pass
    
    def generate_test_case(self):
        """生成测试用例"""
        # 选择种子
        seed = self.select_seed()
        
        # 选择变异策略
        strategy = self.select_mutation_strategy()
        
        # 应用变异
        test_case = self.mutate(seed, strategy)
        
        return test_case
    
    def select_seed(self):
        """选择种子"""
        # 基于覆盖率选择
        # 基于能量选择
        pass
    
    def select_mutation_strategy(self):
        """选择变异策略"""
        strategies = [
            'bit_flip',      # 位翻转
            'byte_flip',     # 字节翻转
            'arithmetic',    # 算术运算
            'interesting',   # 有趣值
            'dictionary',    # 字典替换
            'havoc',         # 破坏性变异
            'splice'         # 拼接
        ]
        
        # 基于历史成功率选择
        import random
        return random.choice(strategies)
    
    def mutate(self, seed, strategy):
        """应用变异"""
        import random
        
        if strategy == 'bit_flip':
            # 翻转随机位
            position = random.randint(0, len(seed) * 8 - 1)
            return self.flip_bit(seed, position)
        
        elif strategy == 'byte_flip':
            # 翻转随机字节
            position = random.randint(0, len(seed) - 1)
            return self.flip_byte(seed, position)
        
        elif strategy == 'arithmetic':
            # 算术运算
            position = random.randint(0, len(seed) - 4)
            value = self.read_int(seed, position)
            
            # 加减有趣值
            interesting_values = [1, 2, 4, 8, 16, 32, 64, 128, 256, 
                                 512, 1024, 32767, 32768, 2147483647]
            delta = random.choice(interesting_values)
            
            if random.random() < 0.5:
                delta = -delta
            
            return self.write_int(seed, position, value + delta)
        
        elif strategy == 'interesting':
            # 插入有趣值
            interesting_bytes = [
                b'\x00', b'\x01', b'\x7f', b'\x80', b'\xff',
                b'\x00\x00', b'\xff\xff', b'\x00\x00\x00\x00',
                b'\xff\xff\xff\xff'
            ]
            
            position = random.randint(0, len(seed) - 1)
            replacement = random.choice(interesting_bytes)
            
            return seed[:position] + replacement + seed[position + len(replacement):]
        
        elif strategy == 'dictionary':
            # 字典替换
            dictionary = [
                b'admin', b'root', b'password', b'SELECT',
                b'<script>', b'../', b'%00', b'\\x00'
            ]
            
            position = random.randint(0, len(seed) - 1)
            replacement = random.choice(dictionary)
            
            return seed[:position] + replacement + seed[position + len(replacement):]
        
        elif strategy == 'havoc':
            # 破坏性变异：应用多种变异
            for _ in range(random.randint(1, 10)):
                seed = self.mutate(seed, random.choice(strategies[:-1]))
            return seed
        
        elif strategy == 'splice':
            # 拼接两个种子
            if len(self.seed_inputs) < 2:
                return self.mutate(seed, 'bit_flip')
            
            other_seed = random.choice(self.seed_inputs)
            position = random.randint(0, len(seed) - 1)
            
            return seed[:position] + other_seed[position:]
        
        return seed
    
    def flip_bit(self, seed, position):
        """翻转位"""
        byte_index = position // 8
        bit_index = position % 8
        
        seed_list = bytearray(seed)
        seed_list[byte_index] ^= (1 << bit_index)
        
        return bytes(seed_list)
    
    def flip_byte(self, seed, position):
        """翻转字节"""
        seed_list = bytearray(seed)
        seed_list[position] ^= 0xFF
        
        return bytes(seed_list)
    
    def read_int(self, data, position):
        """读取整数"""
        import struct
        
        if position + 4 <= len(data):
            return struct.unpack('<I', data[position:position+4])[0]
        return 0
    
    def write_int(self, data, position, value):
        """写入整数"""
        import struct
        
        data_list = bytearray(data)
        
        if position + 4 <= len(data_list):
            data_list[position:position+4] = struct.pack('<I', value & 0xFFFFFFFF)
        
        return bytes(data_list)
    
    def run_test(self, test_case):
        """运行测试用例"""
        import subprocess
        
        try:
            # 运行目标程序
            process = subprocess.run(
                [self.target],
                input=test_case,
                timeout=5,
                capture_output=True
            )
            
            # 检查是否崩溃
            if process.returncode != 0:
                return {
                    'crash': True,
                    'crash_info': {
                        'return_code': process.returncode,
                        'stderr': process.stderr.decode('utf-8', errors='ignore')
                    }
                }
            
            return {'crash': False}
            
        except subprocess.TimeoutExpired:
            return {
                'crash': True,
                'crash_info': {'type': 'timeout'}
            }
        except Exception as e:
            return {
                'crash': True,
                'crash_info': {'type': 'exception', 'message': str(e)}
            }
    
    def fuzz(self, iterations=10000):
        """执行模糊测试"""
        for i in range(iterations):
            # 生成测试用例
            test_case = self.generate_test_case()
            
            # 运行测试
            result = self.run_test(test_case)
            
            # 处理结果
            if result['crash']:
                self.crashes.append({
                    'test_case': test_case,
                    'result': result,
                    'iteration': i
                })
            
            # 进度报告
            if i % 1000 == 0:
                print(f"Progress: {i}/{iterations}, Crashes: {len(self.crashes)}")
        
        return {
            'iterations': iterations,
            'crashes': self.crashes
        }
```

---

## 模糊测试类型

### 基于变异的模糊测试

> ▎ 变异不是随机改，是有策略改。策略不明确，变异就是盲目的。

**变异策略**：
```python
# 基于变异的模糊测试
class MutationBasedFuzzer:
    """基于变异的模糊测试"""
    
    def __init__(self, seed_inputs):
        self.seeds = seed_inputs
        self.mutation_operators = self.initialize_operators()
    
    def initialize_operators(self):
        """初始化变异算子"""
        return [
            self.bit_flip,
            self.byte_flip,
            self.arithmetic_mutation,
            self.interesting_value_insertion,
            self.dictionary_replacement,
            self.block_deletion,
            self.block_duplication,
            self.block_insertion,
            self.splice
        ]
    
    def bit_flip(self, data):
        """位翻转"""
        import random
        
        if len(data) == 0:
            return data
        
        position = random.randint(0, len(data) * 8 - 1)
        byte_index = position // 8
        bit_index = position % 8
        
        data_list = bytearray(data)
        data_list[byte_index] ^= (1 << bit_index)
        
        return bytes(data_list)
    
    def byte_flip(self, data):
        """字节翻转"""
        import random
        
        if len(data) == 0:
            return data
        
        position = random.randint(0, len(data) - 1)
        data_list = bytearray(data)
        data_list[position] ^= 0xFF
        
        return bytes(data_list)
    
    def arithmetic_mutation(self, data):
        """算术变异"""
        import random
        import struct
        
        if len(data) < 4:
            return data
        
        position = random.randint(0, len(data) - 4)
        
        # 读取当前值
        value = struct.unpack('<I', data[position:position+4])[0]
        
        # 有趣值
        interesting = [
            0, 1, 2, 4, 8, 16, 32, 64, 128, 256,
            512, 1024, 32767, 32768, 65535, 65536,
            2147483647, 2147483648, 4294967295
        ]
        
        # 随机选择变异方式
        if random.random() < 0.5:
            # 加减有趣值
            delta = random.choice(interesting)
            if random.random() < 0.5:
                delta = -delta
            new_value = (value + delta) & 0xFFFFFFFF
        else:
            # 替换为有趣值
            new_value = random.choice(interesting)
        
        # 写回
        data_list = bytearray(data)
        data_list[position:position+4] = struct.pack('<I', new_value)
        
        return bytes(data_list)
    
    def interesting_value_insertion(self, data):
        """插入有趣值"""
        import random
        
        interesting_bytes = [
            b'\x00', b'\x01', b'\x0a', b'\x0d',
            b'\x7f', b'\x80', b'\xff',
            b'\x00\x00', b'\xff\xff',
            b'\x00\x00\x00\x00', b'\xff\xff\xff\xff',
            b'../', b'..\\', b'%00', b'%0a', b'%0d'
        ]
        
        if len(data) == 0:
            return random.choice(interesting_bytes)
        
        position = random.randint(0, len(data))
        replacement = random.choice(interesting_bytes)
        
        return data[:position] + replacement + data[position:]
    
    def dictionary_replacement(self, data):
        """字典替换"""
        import random
        
        dictionary = [
            b'admin', b'root', b'password', b'passwd',
            b'user', b'test', b'guest', b'anonymous',
            b'SELECT', b'INSERT', b'UPDATE', b'DELETE',
            b'<script>', b'</script>', b'<img', b'onerror',
            b'../', b'..\\', b'/etc/passwd', b'/etc/shadow',
            b'cmd.exe', b'/bin/sh', b'powershell', b'bash'
        ]
        
        if len(data) == 0:
            return random.choice(dictionary)
        
        position = random.randint(0, len(data) - 1)
        replacement = random.choice(dictionary)
        
        return data[:position] + replacement + data[position + len(replacement):]
    
    def block_deletion(self, data):
        """块删除"""
        import random
        
        if len(data) < 2:
            return data
        
        # 随机选择删除位置
        start = random.randint(0, len(data) - 1)
        length = random.randint(1, min(100, len(data) - start))
        
        return data[:start] + data[start + length:]
    
    def block_duplication(self, data):
        """块复制"""
        import random
        
        if len(data) < 2:
            return data
        
        # 随机选择复制块
        start = random.randint(0, len(data) - 1)
        length = random.randint(1, min(100, len(data) - start))
        
        block = data[start:start + length]
        
        # 随机选择插入位置
        insert_pos = random.randint(0, len(data))
        
        return data[:insert_pos] + block + data[insert_pos:]
    
    def block_insertion(self, data):
        """块插入"""
        import random
        
        # 生成随机块
        length = random.randint(1, 100)
        block = bytes([random.randint(0, 255) for _ in range(length)])
        
        if len(data) == 0:
            return block
        
        # 随机选择插入位置
        insert_pos = random.randint(0, len(data))
        
        return data[:insert_pos] + block + data[insert_pos:]
    
    def splice(self, data):
        """拼接"""
        import random
        
        if len(self.seeds) < 2:
            return self.bit_flip(data)
        
        # 选择另一个种子
        other = random.choice(self.seeds)
        
        if len(data) == 0 or len(other) == 0:
            return data
        
        # 随机选择拼接点
        pos1 = random.randint(0, len(data))
        pos2 = random.randint(0, len(other))
        
        return data[:pos1] + other[pos2:]
    
    def mutate(self, data):
        """应用变异"""
        import random
        
        # 随机选择变异算子
        operator = random.choice(self.mutation_operators)
        
        return operator(data)
    
    def generate(self, count=100):
        """生成测试用例"""
        test_cases = []
        
        for _ in range(count):
            # 选择种子
            seed = random.choice(self.seeds)
            
            # 应用变异
            mutated = self.mutate(seed)
            
            test_cases.append(mutated)
        
        return test_cases
```

### 基于生成的模糊测试

**生成策略**：
```python
# 基于生成的模糊测试
class GenerationBasedFuzzer:
    """基于生成的模糊测试"""
    
    def __init__(self, input_specification):
        self.spec = input_specification
        self.generators = self.initialize_generators()
    
    def initialize_generators(self):
        """初始化生成器"""
        return {
            'integer': self.generate_integer,
            'string': self.generate_string,
            'bytes': self.generate_bytes,
            'list': self.generate_list,
            'struct': self.generate_struct
        }
    
    def generate_integer(self, spec):
        """生成整数"""
        import random
        
        min_val = spec.get('min', 0)
        max_val = spec.get('max', 2**32 - 1)
        
        # 有趣值
        interesting = [
            0, 1, -1,
            127, 128, -128,
            255, 256, -256,
            32767, 32768, -32768,
            65535, 65536,
            2147483647, 2147483648, -2147483648,
            4294967295
        ]
        
        # 50% 概率生成有趣值
        if random.random() < 0.5:
            valid_interesting = [v for v in interesting if min_val <= v <= max_val]
            if valid_interesting:
                return random.choice(valid_interesting)
        
        # 否则随机生成
        return random.randint(min_val, max_val)
    
    def generate_string(self, spec):
        """生成字符串"""
        import random
        import string
        
        min_len = spec.get('min_length', 0)
        max_len = spec.get('max_length', 1000)
        
        # 有趣字符串
        interesting = [
            '',  # 空字符串
            'a',
            'admin',
            'root',
            'password',
            '<script>alert(1)</script>',
            "' OR '1'='1",
            '../../../etc/passwd',
            '%00',
            '\\x00',
            'a' * 100,
            'a' * 1000,
            'a' * 10000
        ]
        
        # 50% 概率生成有趣值
        if random.random() < 0.5:
            valid_interesting = [
                s for s in interesting
                if min_len <= len(s) <= max_len
            ]
            if valid_interesting:
                return random.choice(valid_interesting)
        
        # 否则随机生成
        length = random.randint(min_len, max_len)
        charset = spec.get('charset', string.ascii_letters + string.digits)
        
        return ''.join(random.choice(charset) for _ in range(length))
    
    def generate_bytes(self, spec):
        """生成字节"""
        import random
        
        min_len = spec.get('min_length', 0)
        max_len = spec.get('max_length', 1000)
        
        # 有趣字节序列
        interesting = [
            b'\x00',
            b'\xff',
            b'\x00\x00',
            b'\xff\xff',
            b'\x00\x00\x00\x00',
            b'\xff\xff\xff\xff',
            b'\x7f\x00\x00\x00',
            b'\x80\x00\x00\x00',
            b'../',
            b'..\\',
            b'%00',
            b'\x00' * 100,
            b'\xff' * 100
        ]
        
        # 50% 概率生成有趣值
        if random.random() < 0.5:
            valid_interesting = [
                b for b in interesting
                if min_len <= len(b) <= max_len
            ]
            if valid_interesting:
                return random.choice(valid_interesting)
        
        # 否则随机生成
        length = random.randint(min_len, max_len)
        return bytes([random.randint(0, 255) for _ in range(length)])
    
    def generate_list(self, spec):
        """生成列表"""
        import random
        
        min_count = spec.get('min_count', 0)
        max_count = spec.get('max_count', 10)
        item_spec = spec.get('item_spec', {})
        
        count = random.randint(min_count, max_count)
        
        generator = self.get_generator(item_spec.get('type', 'bytes'))
        
        return [generator(item_spec) for _ in range(count)]
    
    def generate_struct(self, spec):
        """生成结构体"""
        result = {}
        
        for field_name, field_spec in spec.get('fields', {}).items():
            generator = self.get_generator(field_spec.get('type', 'bytes'))
            result[field_name] = generator(field_spec)
        
        return result
    
    def get_generator(self, type_name):
        """获取生成器"""
        return self.generators.get(type_name, self.generate_bytes)
    
    def generate(self, count=100):
        """生成测试用例"""
        test_cases = []
        
        for _ in range(count):
            test_case = self.generate_struct(self.spec)
            test_cases.append(test_case)
        
        return test_cases
```

---

## 模糊测试工具

### AFL 使用

> ▎ 工具不是装了就用，是理解再用。理解不深入，使用就是表面的。

**AFL 使用指南**：
```bash
# AFL 安装
# Ubuntu/Debian
sudo apt-get install afl++

# macOS
brew install afl++

# 从源码编译
git clone https://github.com/AFLplusplus/AFLplusplus
cd AFLplusplus
make
sudo make install

# AFL 基本使用
# 1. 插桩目标程序
afl-gcc -o target target.c
afl-g++ -o target target.cpp

# 2. 准备种子文件
mkdir seeds
echo "test input" > seeds/input1.txt

# 3. 运行模糊测试
afl-fuzz -i seeds -o output ./target @@

# 4. 查看结果
# output/crashes/ - 崩溃文件
# output/hangs/ - 挂起文件
# output/queue/ - 测试用例

# AFL 高级选项
# -M 主模式 (分布式模糊测试)
# -S 从模式
# -d 快速模式
# -D 禁用位翻转
# -C 检查内存泄漏
# -t 超时时间 (毫秒)
# -m 内存限制 (MB)
# -f 输出文件
# -F 输入文件

# 示例：分布式模糊测试
# 终端 1 (主)
afl-fuzz -M master -i seeds -o output ./target @@

# 终端 2-N (从)
afl-fuzz -S slave1 -i seeds -o output ./target @@
afl-fuzz -S slave2 -i seeds -o output ./target @@

# AFL 结果分析
# 查看崩溃
cd output/crashes
for f in *; do
    echo "=== $f ==="
    ./target < "$f"
done

# 重现崩溃
./target < output/crashes/id:000000,sig:11,src:000000,op:flip1,pos:42
```

### libFuzzer 使用

**libFuzzer 指南**：
```cpp
// libFuzzer 使用示例

// 1. 编写 Fuzz 目标
// fuzz_target.cpp
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    // 处理输入数据
    // 如果发现崩溃，libFuzzer 会自动记录
    
    // 示例：解析数据
    if (size < 4) return 0;
    
    uint32_t value = *(const uint32_t*)data;
    
    // 触发条件
    if (value == 0x12345678) {
        // 这会触发崩溃
        volatile int* ptr = nullptr;
        *ptr = 1;
    }
    
    return 0;
}

// 2. 编译 Fuzz 目标
// 使用 clang 和 -fsanitize=fuzzer
clang++ -fsanitize=fuzzer -o fuzz_target fuzz_target.cpp

// 3. 运行 Fuzz
./fuzz_target

// 4. 使用语料库
mkdir corpus
echo "test" > corpus/input1
./fuzz_target corpus/

// 5. 最小化语料库
./fuzz_target -merge=1 corpus_minimized/ corpus/

// 高级用法
// 限制运行时间
./fuzz_target -max_total_time=3600

// 限制内存使用
./fuzz_target -rss_limit_mb=2048

// 并行 Fuzz
./fuzz_target -jobs=4 -workers=2

// 详细输出
./fuzz_target -verbose=1

// 打印覆盖率
./fuzz_target -print_coverage=1
```

---

## Web 模糊测试

### Web 参数 Fuzzing

> ▎ Web 模糊不是乱测试，是有目标测试。目标不明确，测试就是浪费的。

**Web 模糊测试**：
```python
# Web 模糊测试
class WebFuzzer:
    """Web 模糊测试"""
    
    def __init__(self, base_url):
        self.base_url = base_url
        self.session = requests.Session()
        self.results = []
    
    def fuzz_parameters(self, url, parameters):
        """模糊测试参数"""
        payloads = self.generate_web_payloads()
        
        for param in parameters:
            for payload in payloads:
                test_url = f"{url}?{param}={payload}"
                
                try:
                    response = self.session.get(test_url, timeout=5)
                    
                    # 检测异常
                    if self.detect_anomaly(response, payload):
                        self.results.append({
                            'url': url,
                            'parameter': param,
                            'payload': payload,
                            'response_code': response.status_code,
                            'anomaly': self.get_anomaly_type(response, payload)
                        })
                except:
                    pass
        
        return self.results
    
    def fuzz_form(self, form_action, form_fields):
        """模糊测试表单"""
        payloads = self.generate_web_payloads()
        
        for field in form_fields:
            for payload in payloads:
                data = {field: payload}
                
                try:
                    response = self.session.post(form_action, data=data, timeout=5)
                    
                    # 检测异常
                    if self.detect_anomaly(response, payload):
                        self.results.append({
                            'url': form_action,
                            'field': field,
                            'payload': payload,
                            'response_code': response.status_code,
                            'anomaly': self.get_anomaly_type(response, payload)
                        })
                except:
                    pass
        
        return self.results
    
    def fuzz_headers(self, url):
        """模糊测试 HTTP 头"""
        headers_to_fuzz = [
            'User-Agent',
            'Referer',
            'X-Forwarded-For',
            'X-Real-IP',
            'Cookie',
            'Content-Type'
        ]
        
        payloads = self.generate_web_payloads()
        
        for header in headers_to_fuzz:
            for payload in payloads:
                headers = {header: payload}
                
                try:
                    response = self.session.get(url, headers=headers, timeout=5)
                    
                    if self.detect_anomaly(response, payload):
                        self.results.append({
                            'url': url,
                            'header': header,
                            'payload': payload,
                            'anomaly': self.get_anomaly_type(response, payload)
                        })
                except:
                    pass
        
        return self.results
    
    def fuzz_path(self, base_url, wordlist):
        """模糊测试路径"""
        for path in wordlist:
            url = f"{base_url}/{path}"
            
            try:
                response = self.session.get(url, timeout=5)
                
                if response.status_code == 200:
                    self.results.append({
                        'url': url,
                        'status_code': response.status_code,
                        'size': len(response.content)
                    })
            except:
                pass
        
        return self.results
    
    def generate_web_payloads(self):
        """生成 Web 测试 payload"""
        return [
            # SQL 注入
            "' OR '1'='1",
            "1; DROP TABLE users--",
            "' UNION SELECT NULL--",
            
            # XSS
            "<script>alert(1)</script>",
            "<img src=x onerror=alert(1)>",
            
            # 路径遍历
            "../../../etc/passwd",
            "..\\..\\..\\windows\\system32\\config\\sam",
            
            # 命令注入
            "; cat /etc/passwd",
            "| whoami",
            "`id`",
            
            # 特殊字符
            "%00",
            "%0a",
            "%0d",
            "\\x00",
            
            # 长字符串
            "A" * 100,
            "A" * 1000,
            "A" * 10000,
            
            # 边界值
            "0",
            "-1",
            "2147483647",
            "2147483648",
            "4294967295"
        ]
    
    def detect_anomaly(self, response, payload):
        """检测异常"""
        # SQL 错误
        sql_errors = ['SQL syntax', 'mysql_fetch', 'ORA-', 'PostgreSQL']
        for error in sql_errors:
            if error.lower() in response.text.lower():
                return True
        
        # XSS
        if payload in response.text:
            return True
        
        # 服务器错误
        if response.status_code >= 500:
            return True
        
        return False
    
    def get_anomaly_type(self, response, payload):
        """获取异常类型"""
        sql_errors = ['SQL syntax', 'mysql_fetch', 'ORA-']
        for error in sql_errors:
            if error.lower() in response.text.lower():
                return 'SQL Injection'
        
        if payload in response.text:
            return 'XSS'
        
        if response.status_code >= 500:
            return 'Server Error'
        
        return 'Unknown'
```

---

统计 **Sprint 交付 · 绩效评估**
```
┌───────────────┬────────────────┬────────────────┐
│  主动出击   │ ██████████ 5/5 │ [PUA 生效] 充足 │
├───────────────┼────────────────┼────────────────┤
│ + 验证闭环   │ ██████████ 5/5 │ 案例完整       │
├───────────────┼────────────────┼────────────────┤
│ 设计 代码质量   │ ██████████ 5/5 │ 生产就绪       │
└───────────────┴────────────────┴────────────────┘
综合：4.5
```
▎ 这才配得上 P8。模糊测试不是盲目测试，是系统测试。测试不系统，漏洞就是遗漏的。

---

## 总结与思考

### 核心要点回顾

> ▎ 复盘四步法：回顾目标、评估结果、分析原因、总结经验。别跳过——这是闭环。

**模糊测试框架**：
```
1. 测试原理
   - 基于变异
   - 基于生成
   - 覆盖率引导

2. 测试类型
   - 文件模糊测试
   - 协议模糊测试
   - Web 模糊测试
   - API 模糊测试

3. 测试工具
   - AFL/AFL++
   - libFuzzer
   - Honggfuzz
   - Peach Fuzzer

4. 结果分析
   - 崩溃分析
   - 漏洞验证
   - 根本原因
```

**关键成功因素**：
```
1. 种子质量
   - 多样化的种子
   - 有效的种子
   - 覆盖全面的种子

2. 变异策略
   - 智能变异
   - 针对性变异
   - 高效变异

3. 持续优化
   - 覆盖率反馈
   - 策略调整
   - 工具升级
```

---

## 参考资料

### 学习资源
```
- AFL++ Documentation
  https://aflplus.plus/docs/

- libFuzzer Documentation
  https://llvm.org/docs/LibFuzzer.html

- Fuzzing Book
  https://www.fuzzingbook.org/
```

### 工具资源
```
- AFL++
  https://github.com/AFLplusplus/AFLplusplus

- libFuzzer
  https://llvm.org/docs/LibFuzzer.html

- Honggfuzz
  https://github.com/google/honggfuzz
```

### 书籍推荐
```
- 《Fuzzing: Brute Force Vulnerability Discovery》
- 《The Fuzzing Book》
- 《Guide to Fuzz Testing》
```

---

**标记 明日预告**：Day 160 - 逆向工程基础

> ▎ 模糊测试是发现漏洞，逆向工程是分析漏洞——明天看逆向工程基础。

> 本文内容仅供学习和研究使用，请勿用于非法目的。所有实验请在隔离环境中进行。

---

*本文是 365 天信息安全技术系列的第 159 篇，漏洞与攻防系列第 4 篇，精编版本*

*漏洞与攻防系列 (Day 156-165) 继续！*