Implementing support for csrfcookie (Issue #2)

Miroslav Stampar 2014-10-24 09:37:51 +02:00
parent 5e31229d48
commit 6448d3caf4
2 changed files with 20 additions and 7 deletions


@ -346,12 +346,12 @@ def _setRequestParams():
raise SqlmapGenericException(errMsg) raise SqlmapGenericException(errMsg)
if conf.csrfToken: if conf.csrfToken:
if not any(conf.csrfToken in _ for _ in (conf.paramDict.get(PLACE.GET, {}), conf.paramDict.get(PLACE.POST, {}))) and not conf.csrfToken in set(_[0].lower() for _ in conf.httpHeaders): if not any(conf.csrfToken in _ for _ in (conf.paramDict.get(PLACE.GET, {}), conf.paramDict.get(PLACE.POST, {}))) and not conf.csrfToken in set(_[0].lower() for _ in conf.httpHeaders) and not conf.csrfToken in conf.paramDict.get(PLACE.COOKIE, {}):
errMsg = "CSRF protection token parameter '%s' not " % conf.csrfToken errMsg = "CSRF protection token parameter '%s' not " % conf.csrfToken
errMsg += "found in provided GET, POST or header values" errMsg += "found in provided GET, POST, Cookie or header values"
raise SqlmapGenericException(errMsg) raise SqlmapGenericException(errMsg)
else: else:
for place in (PLACE.GET, PLACE.POST): for place in (PLACE.GET, PLACE.POST, PLACE.COOKIE):
for parameter in conf.paramDict.get(place, {}): for parameter in conf.paramDict.get(place, {}):
if any(parameter.lower().count(_) for _ in CSRF_TOKEN_PARAMETER_INFIXES): if any(parameter.lower().count(_) for _ in CSRF_TOKEN_PARAMETER_INFIXES):
message = "%s parameter '%s' appears to hold CSRF protection token. " % (place, parameter) message = "%s parameter '%s' appears to hold CSRF protection token. " % (place, parameter)
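Review bot: The extended condition under `if conf.csrfToken:` now packs three membership tests onto one line and repeats the place tuple that the `else:` branch iterates, so the two branches can drift apart the next time a place is added. Hoisting the tuple once and letting `any()` iterate it keeps both branches in step: `csrfPlaces = (PLACE.GET, PLACE.POST, PLACE.COOKIE)`, then `if not any(conf.csrfToken in conf.paramDict.get(place, {}) for place in csrfPlaces) and conf.csrfToken not in set(_[0].lower() for _ in conf.httpHeaders):`, and `for place in csrfPlaces:` in the `else:` branch. The `x not in y` form also replaces the `not x in y` spelling the new clause inherits from the rest of the line. The cookie lookup is case-sensitive while the header lookup lowercases header names; that is presumably intended, since cookie names are case-sensitive, but a short comment saying so would spare the next reader the question. `_setRequestParams` starts before this hunk and continues past it.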


@ -767,6 +767,19 @@ class Connect(object):
if headers and "text/plain" in headers.get(HTTP_HEADER.CONTENT_TYPE, ""): if headers and "text/plain" in headers.get(HTTP_HEADER.CONTENT_TYPE, ""):
token = page token = page
if not token and any(cookie.name == conf.csrfToken for cookie in conf.cj):
for cookie in conf.cj:
if cookie.name == conf.csrfToken:
token = cookie.value
if not any (conf.csrfToken in _ for _ in (conf.paramDict.get(PLACE.GET, {}), conf.paramDict.get(PLACE.POST, {}))):
if post:
post = "%s%s%s=%s" % (post, conf.paramDel or DEFAULT_GET_POST_DELIMITER, conf.csrfToken, token)
elif get:
get = "%s%s%s=%s" % (get, conf.paramDel or DEFAULT_GET_POST_DELIMITER, conf.csrfToken, token)
else:
get = "%s=%s" % (conf.csrfToken, token)
break
if not token: if not token:
errMsg = "CSRF protection token '%s' can't be found at '%s'" % (conf.csrfToken, conf.csrfUrl or conf.url) errMsg = "CSRF protection token '%s' can't be found at '%s'" % (conf.csrfToken, conf.csrfUrl or conf.url)
if not conf.csrfUrl: if not conf.csrfUrl:
@ -775,11 +788,11 @@ class Connect(object):
raise SqlmapTokenException, errMsg raise SqlmapTokenException, errMsg
if token: if token:
for item in (PLACE.GET, PLACE.POST): for place in (PLACE.GET, PLACE.POST):
if item in conf.parameters: if place in conf.parameters:
if item == PLACE.GET and get: if place == PLACE.GET and get:
get = _adjustParameter(get, conf.csrfToken, token) get = _adjustParameter(get, conf.csrfToken, token)
elif item == PLACE.POST and post: elif place == PLACE.POST and post:
post = _adjustParameter(post, conf.csrfToken, token) post = _adjustParameter(post, conf.csrfToken, token)
for i in xrange(len(conf.httpHeaders)): for i in xrange(len(conf.httpHeaders)):