sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

Csrf-token not set when data in json format. #5698

Closed white-abaddon closed 1 month ago

white-abaddon commented 1 month ago

sqlmap --method=POST -u https://blabla.com/ --data='email=username@example.com&password=password&captchaToken=token' -p email --proxy=http://127.0.0.1:8080 --csrf-token "captchaToken" --csrf-url="http://127.0.0.1:8000/token/get/" --abort-code 429

According to this command, the captchaToken is fetched from localhost and updated in the captchaToken field within the JSON data. However, a problem arises when the data is in JSON format, such as --data={"email": "username@example.com", "password": "password", "captchaToken": ""}. This command is unable to update the captchaToken from localhost.

sudo docker run \
  --network="host" \
  pentest-tool/sqlmap \
  --method=POST \
  -u https://blabla.com \
  --data='{"email": "username@example.com", "password": "password", "captchaToken": ""}' \
  -p email \
  -H "User-Agent: L" \
  -H "Referer: https://blabla.com/" \
  -H "Origin: https://blabla.com" \
  -H "Content-Type: application/json" \
  --delay=10 \
  --skip-heuristics \
  --skip-waf \
  --technique=BT \
  --ignore-code 401 \
  --abort-code 429 \
  --proxy=http://127.0.0.1:8080 \
  --csrf-token "captchaToken" \
  --csrf-url="http://127.0.0.1:8000/token/get/"

stamparm commented 1 month ago

and what's the format of the response returned from http://127.0.0.1:8000/token/get/? i have to know what and how to parse

white-abaddon commented 1 month ago

<input type="text" name="captchaToken" value="{{ token }}" /> in html format

stamparm commented 1 month ago

@white-abaddon try now (with latest revision)

white-abaddon commented 1 month ago

Still not working. Following up:

  1. <input type="text" name="captchaToken" value="{{ token }}" /> this is returned from localhost as the captchaToken.
  2. sqlmap --method=POST -u https://blabla.com/ --data='email=username@example.com&password=password&captchaToken=token' -p email --proxy=http://127.0.0.1:8080 --csrf-token "captchaToken" --csrf-url="http://127.0.0.1:8000/token/get/" --abort-code 429 this works fine, i mean sqlmap sets the captcha token.
  3. sudo docker run \
       --network="host" \
       pentest-tool/sqlmap \
       --method=POST \
       -u https://blabla.com \
       --data='{"email": "username@example.com", "password": "password", "captchaToken": ""}' \
       -p email \
       -H "User-Agent: L" \
       -H "Referer: https://blabla.com/" \
       -H "Origin: https://blabla.com" \
       -H "Content-Type: application/json" \
       --delay=10 \
       --skip-heuristics \
       --skip-waf \
       --technique=BT \
       --ignore-code 401 \
       --abort-code 429 \
       --proxy=http://127.0.0.1:8080 \
       --csrf-token "captchaToken" \
       --csrf-url="http://127.0.0.1:8000/token/get/"
     but here the captchaToken is not set by sqlmap.

Everything is working fine on my side, i mean the captcha token is fetched by sqlmap.
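
To illustrate what the --csrf-token handling discussed in this thread has to do for a JSON body, here is an added example (not sqlmap's own code and not part of the fix under discussion): it pulls the token out of the HTML returned by the token endpoint and writes it into the named field of either a form-encoded or a JSON body. The HTML page and both request bodies are constructed samples modelled on the ones quoted above.

```python
import json
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode


class _TokenInputParser(HTMLParser):
    """Collect the value attribute of every <input> tag, keyed by its name."""

    def __init__(self):
        super().__init__()
        self.inputs = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)
        if a.get("name"):
            self.inputs[a["name"]] = a.get("value") or ""


def extract_token(html, name):
    """Return the value of the <input> named `name`, or None if it is absent."""
    p = _TokenInputParser()
    p.feed(html)
    return p.inputs.get(name)


def set_token(body, name, token):
    """Write `token` into field `name` of a POST body.

    The body is treated as JSON when it parses as a JSON object; otherwise it is
    treated as application/x-www-form-urlencoded. Both cases are handled
    explicitly, which is the distinction the thread above is about."""
    try:
        obj = json.loads(body)
    except ValueError:
        obj = None
    if isinstance(obj, dict):
        obj[name] = token
        return json.dumps(obj)
    fields = dict(parse_qsl(body, keep_blank_values=True))
    fields[name] = token
    return urlencode(fields)


# Constructed samples: a token page like the one served from localhost, and both body styles.
TOKEN_PAGE = '<form><input type="text" name="captchaToken" value="abc123" /></form>'
FORM_BODY = "email=username@example.com&password=password&captchaToken=token"
JSON_BODY = '{"email": "username@example.com", "password": "password", "captchaToken": ""}'

if __name__ == "__main__":
    tok = extract_token(TOKEN_PAGE, "captchaToken")
    print(set_token(FORM_BODY, "captchaToken", tok))
    print(set_token(JSON_BODY, "captchaToken", tok))
```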

white-abaddon commented 1 month ago

By the way i already updated my sqlmap after your last commit

stamparm commented 1 month ago

Everything working fine by my side i mean captcha token is fetched by sqlmap. <- while everything is working on my side, somebody's side is screwed. i basically emulated everything you said

stamparm commented 1 month ago

proof from my side that i haven't "screwed":

white-abaddon commented 1 month ago

Please ignore the hostname because i am a bug hunter; my bugcrowd username is white_gh0st.

white-abaddon commented 1 month ago

white-abaddon commented 1 month ago

Actual command

sudo docker run \
  --network="host" \
  pentest-tool/sqlmap \
  --method=POST \
  -u https://api.starlink.com/auth/v1/sign-in \
  --data='{"email": "username@example.com", "password": "password", "captchaToken": ""}' \
  -p email \
  -H "User-Agent: white_gh0st@BugCrowd" \
  -H "Referer: https://auth.starlink.com/" \
  -H "Origin: https://auth.starlink.com" \
  -H "Content-Type: application/json" \
  --delay=10 \
  --skip-heuristics \
  --skip-waf \
  --technique=BT \
  --ignore-code 401 \
  --abort-code 429 \
  --proxy=http://127.0.0.1:8080 \
  --csrf-token captchaToken \
  --csrf-url=http://127.0.0.1:8000/token/get/ \
  -v 6

stamparm commented 1 month ago

you changed the UA and thus I am not sure that you are using the latest revision

white-abaddon commented 1 month ago

stamparm commented 1 month ago

can you please explain to me how can you possibly be serious in this whole conversation when i see this?

version which i pushed for your "problem" was 1.8.4.6

white-abaddon commented 1 month ago

Sorry, i am not able to understand.

stamparm commented 1 month ago

you are running 1.8.4.1#dev for the whole time

stamparm commented 1 month ago

my guess is that you are running sqlmap --update inside some docker container which doesn't persist with the update(s). now, we are ping-ponging here, where you claim that you are using the latest revision, while I can see that the version you have run with --update was 1.8.4.1#dev (<- where i would expect that you would ATM have latest 1.8.4.6#dev as you explicitly said that you already updated)

stamparm commented 1 month ago

won't spend 1 more minute here. closed this whole conversation. by the way, if you say that By the way i already update my sqlmap after your last commit then you should be really sure about your claim before doing this whole ping-pong here