Thread: [sqlmap-users] complicated case
From: Vojtěch P. <kr...@gm...> - 2015-08-11 14:13:55
Greetings,
I am searching for help. I would like to test a part of an application which deletes something. Obviously I am searching for SQL injection vulnerability.
So I need to send request to create object, retrieve response, derive needed information and send a request for deletion which is probed for possible SQL injection.
I suppose that this is not possible just through command line even through --eval function. Am I right?
If yes, my next logical step would be to use sqlmap in some Python program. Is there any information about importing sqlmap and invoking it from my Python program? Or should I go just with doc strings?
Thanks,
Vojta

From: Brandon P. <bpe...@gm...> - 2015-08-11 14:19:34
You can drive sqlmap via the REST API. In the root of the project is a sqlmapapi.py file which starts a web server.

You can create any content you need, then pass the request which you want to fuzz to sqlmap via the API to get results.

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

From: Vojtěch P. <kr...@gm...> - 2015-08-12 07:18:54
Greetings,
wow I have never known about this option, I can't find any information about it in user guide or on the home page.
Does any documentation exist anywhere? I can't seem to find any in sqlmap folder.
Thanks,
Vojta

From: Miroslav S. <mir...@gm...> - 2015-08-12 12:16:42
From sqlmap's directory:

$ python sqlmapapi.py -h
Usage: sqlmapapi.py [options]

Options:
  -h, --help            show this help message and exit
  -s, --server          Act as a REST-JSON API server
  -c, --client          Act as a REST-JSON API client
  -H HOST, --host=HOST  Host of the REST-JSON API server
  -p PORT, --port=PORT  Port of the the REST-JSON API server

$ python sqlmapapi.py -s
[14:12:14] [INFO] Running REST-JSON API server at '127.0.0.1:8775'..
[14:12:14] [INFO] Admin ID: de761511ee44165ac5ea6030bbffb4a4
[14:12:14] [DEBUG] IPC database: /tmp/sqlmapipc-KNEUQC
[14:12:14] [DEBUG] REST-JSON API server connected to IPC database

(another terminal)

$ python sqlmapapi.py -c
[14:12:32] [INFO] Starting REST-JSON API client to 'http://127.0.0.1:8775'...
[14:12:32] [ERROR] Not yet implemented, use curl from command line instead for now, for example:

    $ taskid=$(curl http://127.0.0.1:8775/task/new 2>1 | grep -o -I '[a-f0-9]\{16\}') && echo $taskid
    $ curl -H "Content-Type: application/json" -X POST -d '{"url": "http://testphp.vulnweb.com/artists.php?artist=1"}' http://127.0.0.1:8775/scan/$taskid/start
    $ curl http://127.0.0.1:8775/scan/$taskid/data
    $ curl http://127.0.0.1:8775/scan/$taskid/log

$ taskid=$(curl http://127.0.0.1:8775/task/new 2>1 | grep -o -I '[a-f0-9]\{16\}') && echo $taskid
33bc7155e74d4454
$ curl -H "Content-Type: application/json" -X POST -d '{"url": "http://testphp.vulnweb.com/artists.php?artist=1"}' http://127.0.0.1:8775/scan/$taskid/start
{
    "engineid": 3236,
    "success": true
}
$ curl http://127.0.0.1:8775/scan/$taskid/data
{
    "data": [],
    "success": true,
    "error": []
}
$ curl http://127.0.0.1:8775/scan/$taskid/log
{
    "log": [
        {
            "message": "using '/home/stamparm/.sqlmap/output' as the output directory",
            "level": "WARNING",
            "time": "14:14:51"
        },
        {
            "message": "testing connection to the target URL",
            "level": "INFO",
            "time": "14:14:52"
        },
        {
            "message": "testing if the target URL is stable",
            "level": "INFO",
            "time": "14:14:53"
        },
        {
            "message": "target URL is stable",
            "level": "INFO",
            "time": "14:14:54"
        },
        {
            "message": "testing if GET parameter 'artist' is dynamic",
            "level": "INFO",
            "time": "14:14:54"
        },
        {
            "message": "confirming that GET parameter 'artist' is dynamic",

........

--
Miroslav Stampar
http://about.me/stamparm

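The curl sequence above, driven from Python instead, as an added example that is not part of the original thread or of sqlmap itself. It assumes a server started with `python sqlmapapi.py -s` on the default address; the `taskid` response key and the `/scan/<taskid>/status` polling endpoint do not appear in the thread and are taken from sqlmap's REST API, and `call` and `run_scan` are names chosen here.

```python
import json
import time
import urllib.request

API = "http://127.0.0.1:8775"  # default address printed by `sqlmapapi.py -s`


def call(path, payload=None, opener=urllib.request.urlopen):
    """GET `path`, or POST `payload` as JSON, and return the decoded body."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(API + path, data=data,
                                 headers={"Content-Type": "application/json"})
    with opener(req, timeout=10) as resp:
        body = json.loads(resp.read().decode())
    if not body.get("success"):
        # Failures are reported in-band ("success": false), not via HTTP status.
        raise RuntimeError("%s failed: %s" % (path, body.get("message", body)))
    return body


def run_scan(options, opener=urllib.request.urlopen, poll=2.0, max_polls=300):
    """Create a task, start a scan with `options`, wait for it, return results."""
    taskid = call("/task/new", opener=opener)["taskid"]
    call("/scan/%s/start" % taskid, options, opener)
    for _ in range(max_polls):
        # Status endpoint is not shown in the thread (see the lead-in).
        status = call("/scan/%s/status" % taskid, opener=opener)["status"]
        if status == "terminated":
            break
        time.sleep(poll)
    else:
        raise TimeoutError("scan %s still running" % taskid)
    result = call("/scan/%s/data" % taskid, opener=opener)
    log = call("/scan/%s/log" % taskid, opener=opener)["log"]
    noisy = [e["message"] for e in log if e["level"] != "INFO"]
    return {"taskid": taskid, "data": result["data"],
            "error": result["error"], "warnings": noisy}


if __name__ == "__main__":
    # Same target URL as the curl example in the thread.
    out = run_scan({"url": "http://testphp.vulnweb.com/artists.php?artist=1"})
    print(json.dumps(out, indent=2))
```

The `opener` parameter exists so the client can be exercised against canned responses without a running server.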
From: Brandon P. <bpe...@gm...> - 2015-08-12 13:58:20
I also documented a lot of the core methods on an old blog of mine:

http://volatile-minds.blogspot.com/2013/04/unofficial-sqlmap-restful-api.html

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

From: Vojtěch P. <kr...@gm...> - 2015-08-13 10:11:29
Thank you very much, this will certainly help in automating Sqlmap.
But I think it doesn't solve my problem.
I will try to explain it once more and suggest some possible solution, which came to my mind:
I am trying to find SQL injection flaw in an HTTP request which deletes an object.
Before every request I need to:
1. send a POST request to create an object - every object gets a new ID
2. receive response and get new object ID
3. send the deletion request which tests for SQL injection flaw.
As far as I thought about it, the REST API won't help me here.
The --eval argument seems like the best approach for me. From the usage page I can see, that I can change parameter values in the request through --eval. That's good. But is it also possible to access information sent in the last response? That's all I need I think. If I could access information from last response within the --eval, I could modify original request for deletion to delete the right object.
I guess that there is some name space which can be accessed by my custom script in the context of --eval, right?
What do you think about it? Do you understand it or should I provide more information?
And one more question - in which class should I look to get list of all implemented methods for REST API? I took a brief look at lib/utils/api.py, but I can't seem to find the right class. I have never worked with Bottle framework before.
Thanks a lot for your help, I really appreciate it.
Best regards,
Vojtěch Polášek

From: Miroslav S. <mir...@gm...> - 2015-08-14 21:31:31
Hi.

With the latest revision you have a special variable "lastPage" for --eval purposes.

For example: python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --eval="print lastPage"

Bye

p.s. for REST API quick reference go to the http://volatile-minds.blogspot.com/2013/04/unofficial-sqlmap-restful-api.html as Brandon already suggested

--
Miroslav Stampar
http://about.me/stamparm

From: Johnathon D. <hoo...@gm...> - 2015-08-15 05:01:21
Here is my project which also leverages the sqlmap API server, the client file might be of interest. I didn't find much documentation outside of Brandon's site so the source is fairly documented if you need another reference to help lend a hand in understanding how it works.

https://github.com/Hood3dRob1n/SQLMAP-Web-GUI
https://github.com/Hood3dRob1n/SQLMAP-Web-GUI/blob/master/sqlmap/inc/SQLMAPClientAPI.class.php #of most interest to you