nikic / PHP-Fuzzer

Experimental fuzzer for PHP libraries
MIT License

Usage fails with undefined variable #14

Closed ulmemxpoc closed 1 year ago

ulmemxpoc commented 1 year ago

How can I use this PHP fuzzer on Linux OS?

The steps I used

  1. install PHP 8.1
  2. download php-fuzzer.phar (v0.0.7)
  3. rename php-fuzzer.phar to php-fuzzer
  4. chmod +x php-fuzzer (to set executable bit)
  5. ./php-fuzzer --help (help text is shown properly, php-fuzzer confirmed working)
  6. download target_simple.php
  7. ./php-fuzzer fuzz target_simple.php

target_simple.php

<?php

/** @var PhpFuzzer\Config $config */
$config->setTarget(function(string $input) {
    if (strlen($input) >= 4 && $input[0] == 'z' && $input[3] == 'k') {
        throw new Error('Bug!');
    }
});

Error

./php-fuzzer fuzz target_simple.php:

Fatal error: Uncaught Error: [8] Undefined variable: config in /home/my_username/target_simple.php on line 4 in phar:///php-fuzzer/src/Fuzzer.php:435
Stack trace:
#0 /home/my_username/target_simple.php(4): _HumbugBox923d3ce06112\PhpFuzzer\Fuzzer->_HumbugBox923d3ce06112\PhpFuzzer\{closure}(8, 'Undefined varia...', '/home/my_username/target_simple.php', 4, Array)
#1 phar:///php-fuzzer/src/Fuzzer.php(79): require('/home/my_username/target_simple.php')
#2 phar:///php-fuzzer/src/Fuzzer.php(80): _HumbugBox923d3ce06112\PhpFuzzer\Fuzzer::_HumbugBox923d3ce06112\PhpFuzzer\{closure}(Object(_HumbugBox923d3ce06112\PhpFuzzer\Fuzzer))
#3 phar:///php-fuzzer/src/Fuzzer.php(370): _HumbugBox923d3ce06112\PhpFuzzer\Fuzzer->loadTarget('/home/my_username/target_simple.php')
#4 phar:///php-fuzzer/bin/php-fuzzer(15): _HumbugBox923d3ce06112\PhpFuzzer\Fuzzer->handleCliArgs()
#5 /php-fuzzer(14): require('phar:///php-fuz...')
#6 {main}
  thrown in phar:///php-fuzzer/src/Fuzzer.php on line 435

Fatal error: Uncaught TypeError: Argument 1 passed to _HumbugBox923d3ce06112\PhpFuzzer\CorpusEntry::__construct() must be of the type string, null given, called in phar:///php-fuzzer/src/Fuzzer.php on line 448 and defined in phar:///php-fuzzer/src/CorpusEntry.php:14
Stack trace:
#0 phar:///php-fuzzer/src/Fuzzer.php(448): _HumbugBox923d3ce06112\PhpFuzzer\CorpusEntry->__construct(NULL, Array, 'Fatal error: Un...')
#1 [internal function]: _HumbugBox923d3ce06112\PhpFuzzer\Fuzzer->_HumbugBox923d3ce06112\PhpFuzzer\{closure}()
#2 {main}
  thrown in phar:///php-fuzzer/src/CorpusEntry.php on line 14

Help text

./php-fuzzer --help:

Operand target is required

Usage: ./php-fuzzer <command> [options] <target> [operands]

Options:
  -h, --help                  Display this help
  --dict <file>               Use dictionary file
  --max-runs <num>            Limit maximum target executions
  --timeout <seconds>         Timeout for one target execution
  --len-control-factor <num>  A higher value will increase the maximum length more slowly

Commands:
  fuzz             Fuzz the target to find bugs
  minimize-crash   Reduce the size of a crashing input
  run-single       Run single input through target
  report-coverage  Generate a HTML coverage report

nikic commented 1 year ago

I just released a new version that should fix this error: https://github.com/nikic/PHP-Fuzzer/releases/tag/v0.0.8

Alternatively, you can replace $config with $fuzzer.