From 05888b6f7a4c0780c8cbeb815ccec896124d5e49 Mon Sep 17 00:00:00 2001
From: Marcel Gregoriadis <marcel.g98@live.de>
Date: Tue, 4 Dec 2018 19:52:22 +0100
Subject: [PATCH] added * wildcard for csrf-token argument

---
 lib/core/target.py     | 15 ++++++++++++++-
 lib/request/connect.py | 14 +++++++++++++-
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/lib/core/target.py b/lib/core/target.py
index a89c0c891..ed7834c5a 100644
--- a/lib/core/target.py
+++ b/lib/core/target.py
@@ -393,7 +393,20 @@ def _setRequestParams():
         raise SqlmapGenericException(errMsg)
 
     if conf.csrfToken:
-        if not any(conf.csrfToken in _ for _ in (conf.paramDict.get(PLACE.GET, {}), conf.paramDict.get(PLACE.POST, {}))) and not re.search(r"\b%s\b" % re.escape(conf.csrfToken), conf.data or "") and conf.csrfToken not in set(_[0].lower() for _ in conf.httpHeaders) and conf.csrfToken not in conf.paramDict.get(PLACE.COOKIE, {}):
+        csrfTokenPattern = ''
+        strings = conf.csrfToken.split("*")
+        for index, string in enumerate(strings):
+            csrfTokenPattern += re.escape(string)
+            if index < len(strings) - 1:
+                csrfTokenPattern += ".*"
+
+        def csrfTokenAppearsInGetOrPost():
+            for params in (conf.paramDict.get(PLACE.GET, {}), conf.paramDict.get(PLACE.POST, {})):
+                for paramKey in params:
+                    if re.search(r"\b%s\b" % csrfTokenPattern, paramKey):
+                        return True
+
+        if not csrfTokenAppearsInGetOrPost() and not re.search(r"\b%s\b" % re.escape(conf.csrfToken), conf.data or "") and conf.csrfToken not in set(_[0].lower() for _ in conf.httpHeaders) and conf.csrfToken not in conf.paramDict.get(PLACE.COOKIE, {}):
             errMsg = "anti-CSRF token parameter '%s' not " % conf.csrfToken
             errMsg += "found in provided GET, POST, Cookie or header values"
             raise SqlmapGenericException(errMsg)
diff --git a/lib/request/connect.py b/lib/request/connect.py
index 8d46dbc7f..1ca48dc4e 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -970,7 +970,19 @@ class Connect(object):
                 return retVal
 
             page, headers, code = Connect.getPage(url=conf.csrfUrl or conf.url, data=conf.data if conf.csrfUrl == conf.url else None, method=conf.method if conf.csrfUrl == conf.url else None, cookie=conf.parameters.get(PLACE.COOKIE), direct=True, silent=True, ua=conf.parameters.get(PLACE.USER_AGENT), referer=conf.parameters.get(PLACE.REFERER), host=conf.parameters.get(PLACE.HOST))
-            token = extractRegexResult(r"(?i)<input[^>]+\bname=[\"']?%s\b[^>]*\bvalue=[\"']?(?P<result>[^>'\"]*)" % re.escape(conf.csrfToken), page or "")
+
+            if "*" in conf.csrfToken:
+                csrfTokenPattern = ''
+                strings = conf.csrfToken.split("*")
+                for index, string in enumerate(strings):
+                    csrfTokenPattern += re.escape(string)
+                    if index < len(strings) - 1:
+                        csrfTokenPattern += ".*"
+
+                token = extractRegexResult(
+                    r"(?i)<input[^>]+\bname=[\"']?%s\b[^>]*\bvalue=[\"']?(?P<result>[^>'\"]*)" % csrfTokenPattern, page or "")
+            else:
+                token = extractRegexResult(r"(?i)<input[^>]+\bname=[\"']?%s\b[^>]*\bvalue=[\"']?(?P<result>[^>'\"]*)" % re.escape(conf.csrfToken), page or "")
 
             if not token:
                 token = extractRegexResult(r"(?i)<input[^>]+\bvalue=[\"']?(?P<result>[^>'\"]*)[\"']?[^>]*\bname=[\"']?%s\b" % re.escape(conf.csrfToken), page or "")