Shulou(Shulou.com)05/31 Report--

This article mainly introduces how to use Python CGIHTTPServer to bypass the CSRF Token defense during injection, which is very detailed and has certain reference value. Interested friends must read it!

Preface

CSRF tokens is a series of random values generated by the server, and its main purpose is to prevent form repeated submission and request forgery attacks. Because the generated value is random, one-time, and is generated based on a previous request on the server side, it is almost impossible for a hacker to forge it.

Burp Suite

Just because we can't forge it doesn't mean we can't get around it. Here, we have to mention a web penetration artifact, Burp Suite. There are several ways to configure Burp to use macros to bypass CSRF tokens on HTML forms. For example, we can use Burp Active Scans,Burp Intruder,Burp Repeater or even Burp Proxy. There are also Grep-Extract and pitchfork attack types specific to Intruder modules. If you don't think it's enough, Burp's perfect extensibility allows you to develop your own Burp plug-ins.

In addition to Burp, another artifact, Sqlmap, provides us with similar features. Sqlmap has a-- csrf-token and-- csrf-url parameters that can be used to bypass CSRF tokens. Or you can, as I just said, configure Burp to use-- proxy runs sqlmap through Burp.

But today I'm going to introduce another way to get around it, even with Python CGIHTTPServer.

Experimental environment

My test environment is a simple PHP+mysql where I can log in and access restricted areas. I uploaded the PHP code here, which you can download and test. The code may not be perfect, but it should not be a problem for testing purposes.

CSRF tokens is the SHA256 hash of randomly generated numbers, and the hash value of each HTTP request is different.

Therefore, if Burp is not specifically configured, it will not be able to detect the existence of the problem.

The same goes for sqlmap.

I use the-- technique,--dbms and-p options to speed up the scan. Since this is just a simple Boolean-based SQLi,-- level 1 (the default) is sufficient. However, if the credentials are incorrect, you must set-- risk to 3. Because only when the risk level is 3 can the Boolean-based SQLi be detected. Boolean-based SQLi is very dangerous because they can make any condition true. For example, when this injection exists in the WHERE clause of a UPDATE or DELETE statement, an attacker can change the user's password in the database, dump credentials, and so on.

Here, I detected an OR-based SQLi using sqlmap's SQLi-- csrf-token = "mytoken" option:

This is a login authentication form, and obviously here is a SELECT statement, which means that risk level 3 is harmless.

Of course, if you have valid credentials, it is also vulnerable to AND-based SQLi attacks. But even if I had valid credentials, I would test with another (valid) user name and find the OR-based SQLi first. Doing so will prevent the account from being locked out.

In addition, using sqlmap's SQLi-- csrf-token = "mytoken" option, I also detected an AND-based SQLi:

CGIHTTPServer

First, let's create a CGI script:

This script needs to be created in the folder_whatever/cgi-bin/ directory. We call it mask.py and make sure it is executable. After the creation is complete, we run "python-m CGIHTTPServer" from the "folder_whatever" directory. By default, it listens on the 8000/tcp port.

You can test it with the correct password:

And use an incorrect password:

Now, we can easily detect security vulnerabilities without specific configuration of Burp and sqlmap.

The above is all the content of the article "how to use Python CGIHTTPServer to bypass CSRF Token defense during injection". Thank you for reading! Hope to share the content to help you, more related knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.