Sqlmap and Burpsuite bypass CSRF token for SQL injection detection

SQL injection using SQLMAP and Burpsuite to bypass CSRF tokens

Reprint please indicate source: http://www.cnblogs.com/phoenix--/archive/2013/04/12/3016332.html

Issue: Post method injection verification encountered CSRF token blocking, because CSRF is a one-time, failure results in the inability to test.

Solution:Sqlmap with Burpsuite, the following is the detailed process, referring to Foreign cattle blog (but the foreigner is not very detailed, not suitable for me, such as small white).

1, open Burpsuite (take 1.5 as an example), set up the local agent and set to off state;

2. Sessions (Session recording, parsing, and processing functions) are provided in the option Burpsuite. (hardly seen online, so never used ...) ）

3. Open the sessions in the Option tab, add the processing rule and name: "Add" rules description Add Processing action: rule actions, I tested the POST request, so select "Run a post-request Macro ";

4. Set scope, click on the Scope tab, select only the proxy (use with caution) in the tool Scope, set the URL scope, paste the address of the requested page that needs to be intercepted;

5, recording session: ADD macro, open macro Recorder, click "Record Macro", at this time in the browser open the suspect injected page and submit a POST request, at this time in the macro Recorder can be seen in the request page and the URL of the submission request and automatically detected parameters;

6, press the CTRL key to select the desired request, then click OK, add it to Macro editor;

7. Check the GET request and configure item to open the configuration interface, manually add the parameters in the response (CSRF token) and click OK;

7. Check the POST request and configure item to open the configuration interface, set the value of CSRF token to Response1, and the corresponding selected parameter of Get request;

8, all the way click OK, on the configuration;

9, run Sqlmap, enter the normal injection statement, increase the agent option--proxy= "http://127.0.0.1:8080" after execution;

10, you can see in the Burpsuite in the Proxy tab of the history item in the injection execution process, if the page response is correct, then the above configuration is valid and successful.

There are several issues that are documented in the resolution process:

1, Google search keywords: sqlmap CSRF protection Bypass, reference some information, said Sqlmap can identify some CSRF token and then processing, but the test did not find;

2, after only see a person using Burpsuite to deal with the method (the English link above);

3, you understand, read English and understand that there are some gaps, coupled with the author does not have a very detailed introduction, I have been testing for a long time. The last thing to discover is that you don't need to focus on the same cookie, just pay attention to CSRF token, because the cookie jar Burpsuite comes with can handle changing cookies.

Sqlmap and Burpsuite bypass CSRF token for SQL injection detection