added * wildcard for csrf-token argument

2025-07-28 00:50:06 +03:00 · 2018-12-04 19:52:22 +01:00 · 2018-12-04 19:52:22 +01:00 · 05888b6f7a
commit 05888b6f7a
parent 101d1f0d49
2 changed files with 27 additions and 2 deletions
--- a/lib/core/target.py
+++ b/lib/core/target.py
@ -393,7 +393,20 @@ def _setRequestParams():
        raise SqlmapGenericException(errMsg)

    if conf.csrfToken:
-        if not any(conf.csrfToken in _ for _ in (conf.paramDict.get(PLACE.GET, {}), conf.paramDict.get(PLACE.POST, {}))) and not re.search(r"\b%s\b" % re.escape(conf.csrfToken), conf.data or "") and conf.csrfToken not in set(_[0].lower() for _ in conf.httpHeaders) and conf.csrfToken not in conf.paramDict.get(PLACE.COOKIE, {}):
+        csrfTokenPattern = ''
+        strings = conf.csrfToken.split("*")
+        for index, string in enumerate(strings):
+            csrfTokenPattern += re.escape(string)
+            if index < len(strings) - 1:
+                csrfTokenPattern += ".*"
+
+        def csrfTokenAppearsInGetOrPost():
+            for params in (conf.paramDict.get(PLACE.GET, {}), conf.paramDict.get(PLACE.POST, {})):
+                for paramKey in params:
+                    if re.search(r"\b%s\b" % csrfTokenPattern, paramKey):
+                        return True
+
+        if not csrfTokenAppearsInGetOrPost() and not re.search(r"\b%s\b" % re.escape(conf.csrfToken), conf.data or "") and conf.csrfToken not in set(_[0].lower() for _ in conf.httpHeaders) and conf.csrfToken not in conf.paramDict.get(PLACE.COOKIE, {}):
            errMsg = "anti-CSRF token parameter '%s' not " % conf.csrfToken
            errMsg += "found in provided GET, POST, Cookie or header values"
            raise SqlmapGenericException(errMsg)
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@ -970,7 +970,19 @@ class Connect(object):
                return retVal

            page, headers, code = Connect.getPage(url=conf.csrfUrl or conf.url, data=conf.data if conf.csrfUrl == conf.url else None, method=conf.method if conf.csrfUrl == conf.url else None, cookie=conf.parameters.get(PLACE.COOKIE), direct=True, silent=True, ua=conf.parameters.get(PLACE.USER_AGENT), referer=conf.parameters.get(PLACE.REFERER), host=conf.parameters.get(PLACE.HOST))
-            token = extractRegexResult(r"(?i)<input[^>]+\bname=[\"']?%s\b[^>]*\bvalue=[\"']?(?P<result>[^>'\"]*)" % re.escape(conf.csrfToken), page or "")
+
+            if "*" in conf.csrfToken:
+                csrfTokenPattern = ''
+                strings = conf.csrfToken.split("*")
+                for index, string in enumerate(strings):
+                    csrfTokenPattern += re.escape(string)
+                    if index < len(strings) - 1:
+                        csrfTokenPattern += ".*"
+
+                token = extractRegexResult(
+                    r"(?i)<input[^>]+\bname=[\"']?%s\b[^>]*\bvalue=[\"']?(?P<result>[^>'\"]*)" % csrfTokenPattern, page or "")
+            else:
+                token = extractRegexResult(r"(?i)<input[^>]+\bname=[\"']?%s\b[^>]*\bvalue=[\"']?(?P<result>[^>'\"]*)" % re.escape(conf.csrfToken), page or "")

            if not token:
                token = extractRegexResult(r"(?i)<input[^>]+\bvalue=[\"']?(?P<result>[^>'\"]*)[\"']?[^>]*\bname=[\"']?%s\b" % re.escape(conf.csrfToken), page or "")