SQL Stored Procedure Fuzzing

First Install MySQL v5.1+

Configure with:

create table if not exists testtable (
   msg varchar(255)
);

delimiter //
CREATE PROCEDURE testproc(IN parameter1 VARCHAR(255))
BEGIN
   insert into testtable (msg) values (parameter1);
END;
//
delimiter ;

Create an ODBC DSN

Create an ODBC DSN called "TestMySql" that connects to your MySQL instance and the correct database.

Update PIT

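Update this pit with the correct DSN, user, and password. The publisher's "dsn" parameter takes all three in one value, as in "TestMySql/root/password" below.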

<?xml version="1.0" encoding="utf-8"?>
<Peach xmlns="http://phed.org/2008/Peach"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://phed.org/2008/Peach /peach/peach.xsd">

       <Include ns="default" src="file:defaults.xml"/>
       <Include ns="pt" src="file:PeachTypes.xml"/>

       <DataModel name="TheDataModel">
               <String value="Peachy"/>
       </DataModel>

       <StateModel name="TheState" initialState="Initial">

               <State name="Initial">
                       <Action type="call" method="call testproc(?)">
                               <Param name="p1" type="in">
                                       <DataModel ref="TheDataModel"/>
                               </Param>
                       </Action>
               </State>
       </StateModel>

       <Test name="TheTest">
               <StateModel ref="TheState"/>

               <Publisher class="sql.Odbc">
                       <Param name="dsn" value="TestMySql/root/password"/>
               </Publisher>
       </Test>

       <Run name="DefaultRun">
               <Test ref="TheTest"/>
       </Run>
</Peach>

Run!

C:\peach>peach -1 test.xml

] Peach 2.3 MS Runtime
] Copyright (c) Michael Eddington

[*] Performing single iteration
Warning: Run 'DefaultRun' does not have logging configured!
[*] Starting run "DefaultRun"
[-] Test: "TheTest" (None)
[1:?:?] Running test with mutator N/A
-- Completed our iteration range, exiting
[-] Test "TheTest" completed
[*] Run "DefaultRun" completed
C:\peach>

My MySQL table looked like this:

mysql> select * from testtable;
+-------------+
| msg         |
+-------------+
| Peachy      |
+-------------+
2 rows in set (0.00 sec)

Next Steps

From here you would want to configure an agent to attach a debugger to your SQL server executable and monitor for crashes. Good targets are native stored procedures exposed by Microsoft SQL Server, IBM DB2, etc. Fuzzing pure SQL stored procedures, such as in this example, is likely not a good use of your time ;)
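
One way to wire up the agent described above, as an added example that is not part of the original page: the elements below are merged into the pit shown earlier. The agent address, the process name mysqld.exe and the log path are assumptions for a local Windows test install; the Logger also takes care of the "does not have logging configured" warning in the run output.

```xml
<!-- Added example: elements to merge into the pit above.
     Assumed values: agent URL, process name, log path. -->

<!-- Top level, next to the DataModel: an agent running on the database host. -->
<Agent name="LocalAgent" location="http://127.0.0.1:9000">
        <!-- Attach the Windows debugger to the already-running server process. -->
        <Monitor class="debugger.WindowsDebugEngine">
                <Param name="ProcessName" value="mysqld.exe"/>
        </Monitor>
</Agent>

<!-- Replace the existing Test: same state model and publisher, plus the agent. -->
<Test name="TheTest">
        <Agent ref="LocalAgent"/>
        <StateModel ref="TheState"/>

        <Publisher class="sql.Odbc">
                <Param name="dsn" value="TestMySql/root/password"/>
        </Publisher>
</Test>

<!-- Replace the existing Run: the logger stores any fault the monitor reports. -->
<Run name="DefaultRun">
        <Test ref="TheTest"/>

        <Logger class="logger.Filesystem">
                <Param name="path" value="c:\peach\logs"/>
        </Logger>
</Run>
```

Start the agent on the database host with "peach -a" before launching the run, using an account that is allowed to attach a debugger to the server process. Drop the -1 switch so Peach works through its mutations instead of performing a single iteration.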