mirror of
https://github.com/lunchcat/sif.git
synced 2026-06-12 19:11:25 -07:00
test: add fuzz tests for LFI detection, SQL patterns, version parsing
fuzz targets: DetectLFIFromResponse, isAdminPanel, databaseErrorPatterns, isValidVersionString, ExtractVersionOptimized - should bump the scorecard fuzzing check. Signed-off-by: vmfunc <celeste@linux.com>
This commit is contained in:
vmfunc
@@ -0,0 +1,46 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2025 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package frameworks
|
||||
|
||||
import "testing"
|
||||
|
||||
func FuzzIsValidVersionString(f *testing.F) {
|
||||
f.Add("1.0")
|
||||
f.Add("1.0.0")
|
||||
f.Add("10.2.3.4")
|
||||
f.Add("999.999.999")
|
||||
f.Add("")
|
||||
f.Add("abc")
|
||||
f.Add("1.")
|
||||
f.Add(".1")
|
||||
f.Add("1.2.3.4.5")
|
||||
f.Add("aaaaaaaaaaaaaaaaaaaaaaaaa")
|
||||
|
||||
f.Fuzz(func(t *testing.T, v string) {
|
||||
// should never panic
|
||||
isValidVersionString(v)
|
||||
})
|
||||
}
|
||||
|
||||
func FuzzExtractVersionOptimized(f *testing.F) {
|
||||
f.Add("<meta name=\"generator\" content=\"WordPress 6.4.2\">", "WordPress")
|
||||
f.Add("Laravel v10.0.1", "Laravel")
|
||||
f.Add("<html>nothing</html>", "Django")
|
||||
f.Add("", "unknown")
|
||||
f.Add("X-Powered-By: Express/4.18.2", "Express")
|
||||
|
||||
f.Fuzz(func(t *testing.T, body string, framework string) {
|
||||
// should never panic
|
||||
ExtractVersionOptimized(body, framework)
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,63 @@
|
||||
/*
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
: :
|
||||
: █▀ █ █▀▀ · Blazing-fast pentesting suite :
|
||||
: ▄█ █ █▀ · BSD 3-Clause License :
|
||||
: :
|
||||
: (c) 2022-2025 vmfunc, xyzeva, :
|
||||
: lunchcat alumni & contributors :
|
||||
: :
|
||||
·━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━·
|
||||
*/
|
||||
|
||||
package scan
|
||||
|
||||
import "testing"
|
||||
|
||||
func FuzzDetectLFIFromResponse(f *testing.F) {
|
||||
f.Add("root:x:0:0:root:/root:/bin/bash")
|
||||
f.Add("<html><body>Hello World</body></html>")
|
||||
f.Add("[boot loader]\ntimeout=30")
|
||||
f.Add("DOCUMENT_ROOT=/var/www/html")
|
||||
f.Add("<?php echo 'hello'; ?>")
|
||||
f.Add("127.0.0.1 localhost")
|
||||
f.Add("")
|
||||
f.Add("PD9waHAgZWNobyAnaGVsbG8nOyA/Pg==")
|
||||
|
||||
f.Fuzz(func(t *testing.T, body string) {
|
||||
// should never panic
|
||||
DetectLFIFromResponse(body)
|
||||
})
|
||||
}
|
||||
|
||||
func FuzzIsAdminPanel(f *testing.F) {
|
||||
f.Add("<html>phpMyAdmin</html>", "phpMyAdmin")
|
||||
f.Add("<html>adminer</html>", "Adminer")
|
||||
f.Add("<html>pgadmin</html>", "pgAdmin")
|
||||
f.Add("<html>nothing here</html>", "phpMyAdmin")
|
||||
f.Add("", "unknown")
|
||||
f.Add("<html>database query mysql</html>", "generic")
|
||||
|
||||
f.Fuzz(func(t *testing.T, body string, panelType string) {
|
||||
// should never panic
|
||||
isAdminPanel(body, panelType)
|
||||
})
|
||||
}
|
||||
|
||||
func FuzzDatabaseErrorPatterns(f *testing.F) {
|
||||
f.Add("you have an error in your sql syntax")
|
||||
f.Add("Warning: mysql_fetch_array()")
|
||||
f.Add("postgresql error at character 42")
|
||||
f.Add("ORA-12345: some oracle error")
|
||||
f.Add("sqlite3_prepare_v2 failed")
|
||||
f.Add("document bson error in mongodb")
|
||||
f.Add("<html>normal page</html>")
|
||||
f.Add("")
|
||||
|
||||
f.Fuzz(func(t *testing.T, body string) {
|
||||
// should never panic on any input
|
||||
for _, pattern := range databaseErrorPatterns {
|
||||
pattern.pattern.MatchString(body)
|
||||
}
|
||||
})
|
||||
}
|
||||
Reference in New Issue
Block a user