There are ways to configure Burp using macros to bypass on HTML forms, so we can use Burp Active Scans, Burp Intruder, Burp Repeater, and (cautiously) even Burp Proxy. There’s also Grep-Extract and pitchfork attack type specifically for Intruder. And, you might even develop your Burp Extension to do it. Sqlmap has a –csrf-token and a –csrf-url for the same purpose, or you can just configure Burp as previously stated, and run sqlmap through Burp using –proxy.

Now, here’s another way, using CGIHTTPServer from python.

The lab

The lab is a simple PHP/mysql environment, in which you login to access a restricted area. I uploaded the PHP code here in case you want to try it out, and change/adjust it for other scenarios. Just bear with me, because I’m not a PHP specialist, but I do prefer to develop the environment I’m testing (within reason). It always helps you understand better what you’re testing and what to look for in real world scenarios.

The CSRF token is a SHA256 hash of a randomly generated number, and it’s different for each HTTP request.

- fig0 - Bypassing CSRF tokens with Python’s CGIHTTPServer

The problem

So, without any special configurations, Burp won’t detect the issue.

- fig1 - Bypassing CSRF tokens with Python’s CGIHTTPServer

And neither will sqlmap:

- fig2 - Bypassing CSRF tokens with Python’s CGIHTTPServer

I used the –technique, –dbms, and -p flags to speed up the scan. And since this is a simple boolean-based SQLi, –level 1 (the default) is more than enough. But, with wrong credentials, the –risk must indeed be set to 3. This is because only on that higher risk number, OR boolean-based SQL injections are tested. OR boolean-based SQL injections are dangerous because they can make any condition become true. If you think about cases where you inject into a WHERE clause of an UPDATE or DELETE statements, you could accidently update, let’s say, the passwords for all users on the database, or dump that user’s credentials table… exactly the kind of thing you avoid at all costs when performing pentests to your clients.

OR boolean-based SQLi detected with sqlmap –csrf-token=”mytoken”:

- fig3 - Bypassing CSRF tokens with Python’s CGIHTTPServer

But because this is a login validation form, it’s obviously a SELECT statement, which means there’s no harm in the highest risk 3.

Of course, if you have valid credentials (which you might not have in a real pentest), this is also vulnerable to AND boolean-based SQLi. But even if I do have valid credentials, I’d rather first test it with another (valid) username to find an OR SQLi, so I don’t accidently lock the account (if it does lock at all).

AND boolean-based SQLi also detected with –csrf-token=”mytoken”:

- fig4 - Bypassing CSRF tokens with Python’s CGIHTTPServer

for the rescue

Creating the CGI script:

- fig5 - Bypassing CSRF tokens with Python’s CGIHTTPServer

This should be created inside folder_whatever/cgi-bin/, which we’ll call mask.py , and make sure the .py is executable. After the file is created, run “python -m CGIHTTPServer” from within “folder_whatever”. It will, by default, listen on the 8000/tcp port.

- fig6 - Bypassing CSRF tokens with Python’s CGIHTTPServer

You can test it, with the correct password:

- fig7 - Bypassing CSRF tokens with Python’s CGIHTTPServer

And with the wrong one:

- fig8 - Bypassing CSRF tokens with Python’s CGIHTTPServer

So now, it becomes pretty easy to detect, without any special configuration, to both Burp and sqlmap.

- fig9 - Bypassing CSRF tokens with Python’s CGIHTTPServer

- fig10 - Bypassing CSRF tokens with Python’s CGIHTTPServer

It’s as if we added a “mask” to simplify the extra complexity of the real request – the CSRF token – that we’d have to submit, and now we don’t.

References:



Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here