From 8abae02111f72517920a81b01d78158e68c0818b Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Tue, 18 Sep 2018 22:05:52 +0200 Subject: [PATCH] Improvement of anti-CSRF token extraction --- lib/core/settings.py | 4 ++-- lib/parse/cmdline.py | 2 +- lib/request/connect.py | 16 ++++++++++++++-- txt/checksum.md5 | 6 +++--- 4 files changed, 20 insertions(+), 8 deletions(-) diff --git a/lib/core/settings.py b/lib/core/settings.py index 4c7e8fc91..83687a204 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME from lib.core.enums import OS # sqlmap version (...) -VERSION = "1.2.9.29" +VERSION = "1.2.9.30" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) @@ -755,7 +755,7 @@ EVALCODE_KEYWORD_SUFFIX = "_KEYWORD" NETSCAPE_FORMAT_HEADER_COOKIES = "# Netscape HTTP Cookie File." # Infixes used for automatic recognition of parameters carrying anti-CSRF tokens -CSRF_TOKEN_PARAMETER_INFIXES = ("csrf", "xsrf") +CSRF_TOKEN_PARAMETER_INFIXES = ("csrf", "xsrf", "token") # Prefixes used in brute force search for web server document root BRUTE_DOC_ROOT_PREFIXES = { diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py index 4570b9996..b6a46c0b3 100644 --- a/lib/parse/cmdline.py +++ b/lib/parse/cmdline.py @@ -207,7 +207,7 @@ def cmdLineParser(argv=None): help="Parameter used to hold anti-CSRF token") request.add_option("--csrf-url", dest="csrfUrl", - help="URL address to visit to extract anti-CSRF token") + help="URL address to visit for extraction of anti-CSRF token") request.add_option("--force-ssl", dest="forceSSL", action="store_true", help="Force usage of SSL/HTTPS") diff --git a/lib/request/connect.py b/lib/request/connect.py index d114663b7..d15a2c4d8 100644 --- a/lib/request/connect.py +++ b/lib/request/connect.py @@ -948,15 +948,27 @@ class Connect(object): return retVal page, headers, code = Connect.getPage(url=conf.csrfUrl or conf.url, data=conf.data if conf.csrfUrl == conf.url else None, method=conf.method if conf.csrfUrl == conf.url else None, cookie=conf.parameters.get(PLACE.COOKIE), direct=True, silent=True, ua=conf.parameters.get(PLACE.USER_AGENT), referer=conf.parameters.get(PLACE.REFERER), host=conf.parameters.get(PLACE.HOST)) - token = extractRegexResult(r"(?i)]+\bname=[\"']?%s[\"']?[^>]*\bvalue=(?P(\"([^\"]+)|'([^']+)|([^ >]+)))" % re.escape(conf.csrfToken), page or "") + token = extractRegexResult(r"(?i)]+\bname=[\"']?%s\b[^>]*\bvalue=[\"']?(?P[^>'\"]*)" % re.escape(conf.csrfToken), page or "") if not token: - token = extractRegexResult(r"(?i)]+\bvalue=(?P(\"([^\"]+)|'([^']+)|([^ >]+)))[^>]+\bname=[\"']?%s[\"']?" % re.escape(conf.csrfToken), page or "") + token = extractRegexResult(r"(?i)]+\bvalue=[\"']?(?P[^>'\"]*)[\"']?[^>]*\bname=[\"']?%s\b" % re.escape(conf.csrfToken), page or "") if not token: match = re.search(r"%s[\"']:[\"']([^\"']+)" % re.escape(conf.csrfToken), page or "") token = match.group(1) if match else None + if not token: + token = extractRegexResult(r"\b%s\s*[:=]\s*(?P\w+)" % re.escape(conf.csrfToken), str(headers)) + + if not token: + token = extractRegexResult(r"\b%s\s*=\s*['\"]?(?P[^;'\"]+)" % re.escape(conf.csrfToken), page or "") + + if token: + match = re.search(r"String\.fromCharCode\(([\d+, ]+)\)", token) + + if match: + token = "".join(chr(int(_)) for _ in match.group(1).replace(' ', "").split(',')) + if not token: if conf.csrfUrl != conf.url and code == httplib.OK: if headers and "text/plain" in headers.get(HTTP_HEADER.CONTENT_TYPE, ""): diff --git a/txt/checksum.md5 b/txt/checksum.md5 index bb5d71ddd..460896a28 100644 --- a/txt/checksum.md5 +++ b/txt/checksum.md5 @@ -50,7 +50,7 @@ c8c386d644d57c659d74542f5f57f632 lib/core/patch.py 0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py a7db43859b61569b601b97f187dd31c5 lib/core/revision.py fcb74fcc9577523524659ec49e2e964b lib/core/session.py -c4de3786929e1e0fcf2a614a58679588 lib/core/settings.py +64ae44f8e2b61c49354f3866ba40a926 lib/core/settings.py dd68a9d02fccb4fa1428b20e15b0db5d lib/core/shell.py a7edc9250d13af36ac0108f259859c19 lib/core/subprocessng.py 248bd121e0565318e1efaff54aa427bc lib/core/target.py @@ -61,7 +61,7 @@ b35636650cfe721f5cc47fb91737c061 lib/core/update.py e772deb63270375e685fa5a7b775c382 lib/core/wordlist.py 1e5532ede194ac9c083891c2f02bca93 lib/__init__.py 7620f1f4b8791e13c7184c06b5421754 lib/parse/banner.py -fc5a42940327dd3f40a780c865b6b136 lib/parse/cmdline.py +134bbbf67bb30c188b8409c0b3bfbc2a lib/parse/cmdline.py fb2e2f05dde98caeac6ccf3e67192177 lib/parse/configfile.py 3794ff139869f5ae8e81cfdbe5714f56 lib/parse/handler.py 6bab53ea9d75bc9bb8169d3e8f3f149f lib/parse/headers.py @@ -72,7 +72,7 @@ f6b5957bf2103c3999891e4f45180bce lib/parse/payloads.py 30eed3a92a04ed2c29770e1b10d39dc0 lib/request/basicauthhandler.py 2b81435f5a7519298c15c724e3194a0d lib/request/basic.py 859b6ad583e0ffba154f17ee179b5b89 lib/request/comparison.py -b744d840de253c05e808a72d6d11dc5d lib/request/connect.py +35db2a1779b9c71dfa183ac1f8995a5b lib/request/connect.py dd4598675027fae99f2e2475b05986da lib/request/direct.py 2044fce3f4ffa268fcfaaf63241b1e64 lib/request/dns.py 98535d0efca5551e712fcc4b34a3f772 lib/request/httpshandler.py