From 65ce6ba4c9da6bfd4424e915747e442e8c3b0b62 Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Thu, 8 Jan 2026 23:31:40 +0100 Subject: [PATCH] Implementing CSRF case into vuln testing --- data/txt/sha256sums.txt | 6 +++--- extra/vulnserver/vulnserver.py | 28 ++++++++++++++++++++++++++++ lib/core/settings.py | 2 +- lib/core/testing.py | 1 + 4 files changed, 33 insertions(+), 4 deletions(-) diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index 03af5d49c..fb985c8c7 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -160,7 +160,7 @@ ca86d61d3349ed2d94a6b164d4648cff9701199b5e32378c3f40fca0f517b128 extra/shutils/ df768bcb9838dc6c46dab9b4a877056cb4742bd6cfaaf438c4a3712c5cc0d264 extra/shutils/recloak.sh 1972990a67caf2d0231eacf60e211acf545d9d0beeb3c145a49ba33d5d491b3f extra/shutils/strip.sh 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 extra/vulnserver/__init__.py -0389d8b2248c6c03a215c85adbc0c84227bfe1e3f88ec279a89f59e1225138fe extra/vulnserver/vulnserver.py +d2c300dc997a2cb009376c4ce85f84aa63314ea7f72825c5d6cc10df55918586 extra/vulnserver/vulnserver.py b8411d1035bb49b073476404e61e1be7f4c61e205057730e2f7880beadcd5f60 lib/controller/action.py 460d3da652b8f55c9eaf0f90be33eddf3355355e5c5b1c98b7fc4d83b1c54fda lib/controller/checks.py 430475857a37fd997e73a47d7485c5dd4aa0985ef32c5a46b5e7bff01749ba66 lib/controller/controller.py @@ -189,11 +189,11 @@ f5272cda54f7cdd07fb6154d5a1ed1f1141a2a4f39b6a85d3f325fd60ac8dc9a lib/core/enums 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 3574639db4942d16a2dc0a2f04bb7c0913c40c3862b54d34c44075a760e0c194 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -73270d228b087c53d7f948185bf4962462859280a89811bbe39e1a3b9c0ba481 lib/core/settings.py +64fe31066194ca17a5d829df35947ad68868c8cafd77239debbcc5ec7cfb3c32 lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py d35650179816193164a5f177102f18379dfbe6bb6d40fbb67b78d907b41c8038 lib/core/target.py -bfe2e998fd43498c8682763d77403d9b44600b4e3fb43b44cfa598c7a8a745c2 lib/core/testing.py +03d877d056791cab2de9a9765b9c79f37c1887e509f6b0ceebc9be713853b21c lib/core/testing.py cf4dca323645d623109a82277a8e8a63eb9abb3fff6c8a57095eb171c1ef91b3 lib/core/threads.py b9aacb840310173202f79c2ba125b0243003ee6b44c92eca50424f2bdfc83c02 lib/core/unescaper.py 10719f5ca450610ad28242017b2d8a77354ca357ffa26948c5f62d20cac29a8b lib/core/update.py diff --git a/extra/vulnserver/vulnserver.py b/extra/vulnserver/vulnserver.py index 3ad6c4567..da97dc38a 100644 --- a/extra/vulnserver/vulnserver.py +++ b/extra/vulnserver/vulnserver.py @@ -11,8 +11,10 @@ from __future__ import print_function import base64 import json +import random import re import sqlite3 +import string import sys import threading import traceback @@ -73,11 +75,15 @@ _cursor = None _lock = None _server = None _alive = False +_csrf_token = None def init(quiet=False): global _conn global _cursor global _lock + global _csrf_token + + _csrf_token = "".join(random.sample(string.ascii_letters + string.digits, 20)) _conn = sqlite3.connect(":memory:", isolation_level=None, check_same_thread=False) _cursor = _conn.cursor() @@ -142,6 +148,28 @@ class ReqHandler(BaseHTTPRequestHandler): self.url, self.params = path, params + if self.url == "/csrf": + if self.params.get("csrf_token") == _csrf_token: + self.url = "/" + else: + self.send_response(OK) + self.send_header("Content-type", "text/html; charset=%s" % UNICODE_ENCODING) + self.end_headers() + + form = ( + "" + "CSRF protection check
" + "
" + "" + "id: " + "" + "
" + "" + ) % _csrf_token + + self.wfile.write(form.encode(UNICODE_ENCODING)) + return + if self.url == '/': if not any(_ in self.params for _ in ("id", "query")): self.send_response(OK) diff --git a/lib/core/settings.py b/lib/core/settings.py index 5d1ce09ca..89e33fe55 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -19,7 +19,7 @@ from lib.core.enums import OS from thirdparty import six # sqlmap version (...) -VERSION = "1.10.1.15" +VERSION = "1.10.1.16" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) diff --git a/lib/core/testing.py b/lib/core/testing.py index 305ded0d7..855df51cb 100644 --- a/lib/core/testing.py +++ b/lib/core/testing.py @@ -75,6 +75,7 @@ def vulnTest(): ("-u \"&query=*\" --flush-session --technique=Q --banner", ("Title: SQLite inline queries", "banner: '3.")), ("-d \"\" --flush-session --dump -T creds --dump-format=SQLITE --binary-fields=password_hash --where \"user_id=5\"", ("3137396164343563366365326362393763663130323965323132303436653831", "dumped to SQLITE database")), ("-d \"\" --flush-session --banner --schema --sql-query=\"UPDATE users SET name='foobar' WHERE id=5; SELECT * FROM users; SELECT 987654321\"", ("banner: '3.", "INTEGER", "TEXT", "id", "name", "surname", "5,foobar,nameisnull", "'987654321'",)), + ("-u csrf --data=\"id=1&csrf_token=1\" --banner --answers=\"update=y\" --flush-session", ("back-end DBMS: SQLite", "banner: '3.")), ("--purge -v 3", ("~ERROR", "~CRITICAL", "deleting the whole directory tree")), )