Re: [sqlmap-users] Seeking web developers to join the sqlmap project

[Bernardo D. A. G. <ber...@gm...>]

Hi,

Quick update on this.. the REST-JSON API is nearly complete. It will
soon be possible to launch, query and monitor sqlmap scans via HTTP
requests.
Although the API will be widely documented on the wiki, I thought
about sharing a sneak peek of how it currently works:

1) Start it on a terminal
$ python sqlmapapi.py -s
[17:21:15] [INFO] Running REST-JSON API server at '127.0.0.1:8775'..
[17:21:15] [INFO] Admin ID: af1d8cd4c607db5271202156c7175867
[17:21:15] [DEBUG] IPC database: /tmp/sqlmapipc-yxIjvv
[17:21:15] [DEBUG] REST-JSON API server connected to IPC database

2) Call the method to create a new task:
$ curl http://127.0.0.1:8775/task/new
{
    "taskid": "f5033fd4da442534"
}

3) Set the options (as you normally do when you call sqlmap from
command line (e.g. --technique B -v 2 --banner) and start a scan for
the new task:
$ curl -H "Content-Type: application/json" -X POST -d '{"url":
"http://debindev/sqlmap/mysql/get_int.php?id=1", "tech": "B",
"verbose": 2, "getBanner": "True"}'
http://127.0.0.1:8775/scan/f5033fd4da442534/start
{
    "engineid": 18300,
    "success": true
}

4) retrieve the data and error messages:
$ curl http://127.0.0.1:8775/scan/f5033fd4da442534/data
{
    "data": [
        {
            "status": 1,
            "type": 1,
            "value": [
                {
                    "dbms": null,
                    "suffix": "",
                    "clause": [
                        1
                    ],
                    "ptype": 1,
                    "dbms_version": null,
                    "prefix": "",
                    "place": "GET",
                    "os": null,
                    "conf": {
                        "string": null,
                        "notString": null,
                        "titles": false,
                        "regexp": null,
                        "textOnly": false,
                        "optimize": false
                    },
                    "parameter": "id",
                    "data": {
                        "1": {
                            "comment": "",
                            "matchRatio": 0.463,
                            "title": "AND boolean-based blind - WHERE
or HAVING clause",
                            "templatePayload": null,
                            "vector": "AND [INFERENCE]",
                            "where": 1,
                            "payload": "id=1 AND 3873=3873"
                        }
                    }
                }
            ]
        },
        {
            "status": 0,
            "type": 2,
            "value": "5.1.66-0+squee"
        }
    ],
    "error": []

As you can see, the banner has been retrieved partially - when the
dump finishes, the whole banner will be available.

Bernardo

On 13 December 2012 20:05, Bernardo Damele A. G.
<ber...@gm...> wrote:
> Hi,
>
> Sooner or later all projects go web and with the over hyped web 2.0
> era and the high availability of eye-candy web development frameworks
> we have plans to follow the infosec tools herd starting by developing
> a RESTful API to interact with the sqlmap engine independently from
> the command line.
>
> As of a couple of days ago we do have an XML-RPC service[1] thanks to
> Miroslav, although we have decided internally after much bitching to
> replace it with a REST-JSON API[7] to let anyone script and interact
> with the sqlmap engine via HTTP.
> The idea is to put the API behind some kind of authentication and
> allow concurrent sessions by different "users" whereby sqlmap API can
> be run (e.g. python sqlmap --daemon or similar) on a predefined
> interface and TCP port and clients can query the API on such TCP port
> to mount attacks against a single target or multiple targets[5].
>
> Needless to say that we are at an early design phase hence this email.
> It is that time of the year again when the most prepare for holidays
> and celebrating Christmas with family (enjoy!) and the few Internauts
> addicted contribute towards the sqlmap project with ideas and code[2]
> so if you feel like:
>
> * You have experience with web development in Python or..
> * ..you have motivation and time enough to learn how to develop a
> RESTful API in Python and..
> * ..you are familiar or keen on learning Python web frameworks like
> Flask[3] and Bottle[4] and..
> * ..you have the guts to commit your time to discuss the design of
> this (or others) feature and contribute code[2] to one of the most
> acclaimed[6] and discussed (blamed sometimes) IT security tools out
> there..
>
> ..then do not hesitate to reply to this email either privately to us
> only (de...@sq...) or publicly hitting the "Reply" button in your
> favorite mail client.
>
> We look forward to reading from you. Yes, I am looking at you Python
> software developer with web skills!
>
> [1] https://github.com/sqlmapproject/sqlmap/issues/287
> [2] https://github.com/sqlmapproject/sqlmap/blob/master/CONTRIBUTING.md#submitting-code-changes
> [3] http://flask.pocoo.org
> [4] http://bottlepy.org
> [5] how cool is this
> [6] http://sectools.org/tool/sqlmap/
> [7] https://github.com/sqlmapproject/sqlmap/issues/297
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)



-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)