Thread: [sqlmap-users] Seeking web developers to join the sqlmap project
From: Bernardo D. A. G. <ber...@gm...> - 2012-12-13 20:06:06

Hi,

Sooner or later all projects go web and with the over hyped web 2.0 era and the high availability of eye-candy web development frameworks we have plans to follow the infosec tools herd starting by developing a RESTful API to interact with the sqlmap engine independently from the command line.

As of a couple of days ago we do have an XML-RPC service[1] thanks to Miroslav, although we have decided internally after much bitching to replace it with a REST-JSON API[7] to let anyone script and interact with the sqlmap engine via HTTP.
The idea is to put the API behind some kind of authentication and allow concurrent sessions by different "users" whereby sqlmap API can be run (e.g. python sqlmap --daemon or similar) on a predefined interface and TCP port and clients can query the API on such TCP port to mount attacks against a single target or multiple targets[5].

Needless to say that we are at an early design phase hence this email.
It is that time of the year again when the most prepare for holidays and celebrating Christmas with family (enjoy!) and the few Internauts addicted contribute towards the sqlmap project with ideas and code[2] so if you feel like:

* You have experience with web development in Python or..
* ..you have motivation and time enough to learn how to develop a RESTful API in Python and..
* ..you are familiar or keen on learning Python web frameworks like Flask[3] and Bottle[4] and..
* ..you have the guts to commit your time to discuss the design of this (or others) feature and contribute code[2] to one of the most acclaimed[6] and discussed (blamed sometimes) IT security tools out there..

..then do not hesitate to reply to this email either privately to us only (de...@sq...) or publicly hitting the "Reply" button in your favorite mail client.

We look forward to reading from you. Yes, I am looking at you Python software developer with web skills!

[1] https://github.com/sqlmapproject/sqlmap/issues/287
[2] https://github.com/sqlmapproject/sqlmap/blob/master/CONTRIBUTING.md#submitting-code-changes
[3] http://flask.pocoo.org
[4] http://bottlepy.org
[5] how cool is this
[6] http://sectools.org/tool/sqlmap/
[7] https://github.com/sqlmapproject/sqlmap/issues/297

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)

From: Dennis <kor...@ya...> - 2012-12-14 13:22:28

Hi guys,

since I updated sqlmap today, I get the following python error (using Python 2.6.7):

    $ ./sqlmap.py --help
    Traceback (most recent call last):
      File "./sqlmap.py", line 15, in <module>
        from _sqlmap import main
      File "/home/dst/bin/sqlmap/_sqlmap.py", line 48, in <module>
        from lib.utils.restapi import restAPIrun
      File "/home/dst/bin/sqlmap/lib/utils/restapi.py", line 8, in <module>
        import argparse
    ImportError: No module named argparse

Quick google tells me that 'argparse' has been added to python in version 3.2. Is the assumption then correct that sqlmap needs python >3.2 from now on?

Cheers
Dennis

From: Miroslav S. <mir...@gm...> - 2012-12-14 13:35:12

Fixed.

Bye

On Fri, Dec 14, 2012 at 2:22 PM, Dennis <kor...@ya...> wrote:
> Hi guys,
>
> since I updated sqlmap today, I get the following python error (using
> Python 2.6.7):
> $ ./sqlmap.py --help
> Traceback (most recent call last):
>   File "./sqlmap.py", line 15, in <module>
>     from _sqlmap import main
>   File "/home/dst/bin/sqlmap/_sqlmap.py", line 48, in <module>
>     from lib.utils.restapi import restAPIrun
>   File "/home/dst/bin/sqlmap/lib/utils/restapi.py", line 8, in <module>
>     import argparse
> ImportError: No module named argparse
>
> Quick google tells me that 'argparse' has been added to python in
> version 3.2. Is the assumption then correct that sqlmap needs python
> >3.2 from now on?
>
> Cheers
> Dennis

--
Miroslav Stampar
http://about.me/stamparm

From: Dennis <kor...@ya...> - 2012-12-14 13:46:51

You rock (as always) ;)

Thanks

On 14.12.2012 14:35, Miroslav Stampar wrote:
> Fixed.
>
> Bye
>
> On Fri, Dec 14, 2012 at 2:22 PM, Dennis <kor...@ya...
> <mailto:kor...@ya...>> wrote:
>
> > Hi guys,
> >
> > since I updated sqlmap today, I get the following python error (using
> > Python 2.6.7):
> > $ ./sqlmap.py --help
> > Traceback (most recent call last):
> >   File "./sqlmap.py", line 15, in <module>
> >     from _sqlmap import main
> >   File "/home/dst/bin/sqlmap/_sqlmap.py", line 48, in <module>
> >     from lib.utils.restapi import restAPIrun
> >   File "/home/dst/bin/sqlmap/lib/utils/restapi.py", line 8, in <module>
> >     import argparse
> > ImportError: No module named argparse
> >
> > Quick google tells me that 'argparse' has been added to python in
> > version 3.2. Is the assumption then correct that sqlmap needs python
> > >3.2 from now on?
> >
> > Cheers
> > Dennis
>
> --
> Miroslav Stampar
> http://about.me/stamparm

From: Bernardo D. A. G. <ber...@gm...> - 2013-02-06 17:29:58

Hi,

Quick update on this.. the REST-JSON API is nearly complete. It will soon be possible to launch, query and monitor sqlmap scans via HTTP requests.

Although the API will be widely documented on the wiki, I thought about sharing a sneak peek of how it currently works:

1) Start it on a terminal

    $ python sqlmapapi.py -s
    [17:21:15] [INFO] Running REST-JSON API server at '127.0.0.1:8775'..
    [17:21:15] [INFO] Admin ID: af1d8cd4c607db5271202156c7175867
    [17:21:15] [DEBUG] IPC database: /tmp/sqlmapipc-yxIjvv
    [17:21:15] [DEBUG] REST-JSON API server connected to IPC database

2) Call the method to create a new task:

    $ curl http://127.0.0.1:8775/task/new
    {
        "taskid": "f5033fd4da442534"
    }

3) Set the options (as you normally do when you call sqlmap from command line, e.g. --technique B -v 2 --banner) and start a scan for the new task:

    $ curl -H "Content-Type: application/json" -X POST -d '{"url": "http://debindev/sqlmap/mysql/get_int.php?id=1", "tech": "B", "verbose": 2, "getBanner": "True"}' http://127.0.0.1:8775/scan/f5033fd4da442534/start
    {
        "engineid": 18300,
        "success": true
    }

4) Retrieve the data and error messages:

    $ curl http://127.0.0.1:8775/scan/f5033fd4da442534/data
    {
        "data": [
            {
                "status": 1,
                "type": 1,
                "value": [
                    {
                        "dbms": null,
                        "suffix": "",
                        "clause": [
                            1
                        ],
                        "ptype": 1,
                        "dbms_version": null,
                        "prefix": "",
                        "place": "GET",
                        "os": null,
                        "conf": {
                            "string": null,
                            "notString": null,
                            "titles": false,
                            "regexp": null,
                            "textOnly": false,
                            "optimize": false
                        },
                        "parameter": "id",
                        "data": {
                            "1": {
                                "comment": "",
                                "matchRatio": 0.463,
                                "title": "AND boolean-based blind - WHERE or HAVING clause",
                                "templatePayload": null,
                                "vector": "AND [INFERENCE]",
                                "where": 1,
                                "payload": "id=1 AND 3873=3873"
                            }
                        }
                    }
                ]
            },
            {
                "status": 0,
                "type": 2,
                "value": "5.1.66-0+squee"
            }
        ],
        "error": []
    }

As you can see, the banner has been retrieved partially - when the dump finishes, the whole banner will be available.

Bernardo

On 13 December 2012 20:05, Bernardo Damele A. G. <ber...@gm...> wrote:
> Hi,
>
> Sooner or later all projects go web and with the over hyped web 2.0
> era and the high availability of eye-candy web development frameworks
> we have plans to follow the infosec tools herd starting by developing
> a RESTful API to interact with the sqlmap engine independently from
> the command line.
>
> As of a couple of days ago we do have an XML-RPC service[1] thanks to
> Miroslav, although we have decided internally after much bitching to
> replace it with a REST-JSON API[7] to let anyone script and interact
> with the sqlmap engine via HTTP.
> The idea is to put the API behind some kind of authentication and
> allow concurrent sessions by different "users" whereby sqlmap API can
> be run (e.g. python sqlmap --daemon or similar) on a predefined
> interface and TCP port and clients can query the API on such TCP port
> to mount attacks against a single target or multiple targets[5].
>
> Needless to say that we are at an early design phase hence this email.
> It is that time of the year again when the most prepare for holidays
> and celebrating Christmas with family (enjoy!) and the few Internauts
> addicted contribute towards the sqlmap project with ideas and code[2]
> so if you feel like:
>
> * You have experience with web development in Python or..
> * ..you have motivation and time enough to learn how to develop a
> RESTful API in Python and..
> * ..you are familiar or keen on learning Python web frameworks like
> Flask[3] and Bottle[4] and..
> * ..you have the guts to commit your time to discuss the design of
> this (or others) feature and contribute code[2] to one of the most
> acclaimed[6] and discussed (blamed sometimes) IT security tools out
> there..
>
> ..then do not hesitate to reply to this email either privately to us
> only (de...@sq...) or publicly hitting the "Reply" button in your
> favorite mail client.
>
> We look forward to reading from you. Yes, I am looking at you Python
> software developer with web skills!
>
> [1] https://github.com/sqlmapproject/sqlmap/issues/287
> [2] https://github.com/sqlmapproject/sqlmap/blob/master/CONTRIBUTING.md#submitting-code-changes
> [3] http://flask.pocoo.org
> [4] http://bottlepy.org
> [5] how cool is this
> [6] http://sectools.org/tool/sqlmap/
> [7] https://github.com/sqlmapproject/sqlmap/issues/297
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
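
Added example, not part of the original thread and not sqlmap's own code: a small parser that turns the /scan/<taskid>/data response shown in step 4 into a flat report and flags a banner that is still being retrieved. The function name summarize, the abbreviated sample, and the meanings given to the "type" and "status" numbers are assumptions read off that sample, not documented API values.

```python
import json

# Abbreviated copy of the step 4 response from the message above
# (some null/empty fields dropped for brevity).
SAMPLE = r'''
{"data": [
  {"status": 1, "type": 1, "value": [
    {"dbms": null, "place": "GET", "parameter": "id", "ptype": 1,
     "data": {"1": {"title": "AND boolean-based blind - WHERE or HAVING clause",
                    "vector": "AND [INFERENCE]",
                    "payload": "id=1 AND 3873=3873",
                    "matchRatio": 0.463}}}]},
  {"status": 0, "type": 2, "value": "5.1.66-0+squee"}],
 "error": []}
'''

# Assumed meanings, inferred from the sample rather than from documentation:
# type 1 carries the detected techniques, type 2 carries the banner, and
# status 0 marks an entry that is still in progress (the partial banner).
TYPE_TECHNIQUES, TYPE_BANNER = 1, 2
STATUS_IN_PROGRESS = 0


def summarize(body):
    """Turn a /scan/<taskid>/data response body into a flat report dict."""
    doc = json.loads(body)
    report = {"findings": [], "banner": None, "banner_complete": False,
              "errors": list(doc.get("error", []))}
    for entry in doc.get("data", []):
        kind, value = entry.get("type"), entry.get("value")
        if kind == TYPE_TECHNIQUES:
            # One element per injectable parameter, each with a dict of techniques.
            for point in value or []:
                for tech in (point.get("data") or {}).values():
                    report["findings"].append({
                        "place": point.get("place"),
                        "parameter": point.get("parameter"),
                        "title": tech.get("title"),
                        "payload": tech.get("payload"),
                    })
        elif kind == TYPE_BANNER:
            report["banner"] = value
            report["banner_complete"] = entry.get("status") != STATUS_IN_PROGRESS
    return report


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```
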