Thread: [sqlmap-users] Best way to create a sqlmap wrapper
Brought to you by:
inquisb
Menu
▾
▴
sqlmap-users
|
From: Andres R. <and...@gm...> - 2011-01-27 22:05:09
|
Guys,
What's the best way to create a sqlmap wrapper?
In the w3af project we have a very old version of sqlmap
integrated as an attack plugin [0]. Right now we're doing something
like: "import sqlmap ; sqlmap.do_something()". Since the sqlmap
version we include is very old, I would like to update it to the
latest trunk version. My objective is to build something that's
extensible and will allow me to update w3af's sqlmap frequently
without any (if possible) effort. In order to do that, I need to write
a decent wrapper that will not depend on the changes in sqlmap's
implementation.
Ideas?
Regards,
[0] (which is called sqlmap, we don't try to fool nobody or steal your efforts)
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
|
|
From: Miroslav S. <mir...@gm...> - 2011-01-27 22:13:05
|
Hi. I would suggest you to research "lib\core\testing.py" (liveTest() together with auxiliary methods). It was not updated for quite long time, but it should be useful for starters. It's meant for our internal testing (smoke testing for dummy checking via module loading and live testing against our VMs). KR On Thu, Jan 27, 2011 at 11:04 PM, Andres Riancho <and...@gm...> wrote: > Guys, > > What's the best way to create a sqlmap wrapper? > > In the w3af project we have a very old version of sqlmap > integrated as an attack plugin [0]. Right now we're doing something > like: "import sqlmap ; sqlmap.do_something()". Since the sqlmap > version we include is very old, I would like to update it to the > latest trunk version. My objective is to build something that's > extensible and will allow me to update w3af's sqlmap frequently > without any (if possible) effort. In order to do that, I need to write > a decent wrapper that will not depend on the changes in sqlmap's > implementation. > > Ideas? > > Regards, > > [0] (which is called sqlmap, we don't try to fool nobody or steal your efforts) > -- > Andrés Riancho > Director of Web Security at Rapid7 LLC > Founder at Bonsai Information Security > Project Leader at w3af > > ------------------------------------------------------------------------------ > Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! > Finally, a world-class log management solution at an even better price-free! > Download using promo code Free_Logger_4_Dev2Dev. Offer expires > February 28th, so secure your free ArcSight Logger TODAY! > http://p.sf.net/sfu/arcsight-sfd2d > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B Location: Zagreb, Croatia |
|
From: Andres R. <and...@gm...> - 2011-01-28 17:56:02
|
Miroslav,
On Thu, Jan 27, 2011 at 7:12 PM, Miroslav Stampar
<mir...@gm...> wrote:
> Hi.
>
> I would suggest you to research "lib\core\testing.py" (liveTest()
> together with auxiliary methods). It was not updated for quite long
> time, but it should be useful for starters. It's meant for our
> internal testing (smoke testing for dummy checking via module loading
> and live testing against our VMs).
Cool, I'll take a look at that. Something else I'm thinking about
is that sqlmap uses urllib2 to send HTTP requests, while w3af uses a
urllib2 wrapper, and when a w3af user sets proxy settings and stuff he
expects that to be applied "system-wide", affecting sqlmap. Is there
any easy way to modify sqlmap to use our
HTTP_request_sender_object.GET() ?
Regards,
> KR
>
> On Thu, Jan 27, 2011 at 11:04 PM, Andres Riancho
> <and...@gm...> wrote:
>> Guys,
>>
>> What's the best way to create a sqlmap wrapper?
>>
>> In the w3af project we have a very old version of sqlmap
>> integrated as an attack plugin [0]. Right now we're doing something
>> like: "import sqlmap ; sqlmap.do_something()". Since the sqlmap
>> version we include is very old, I would like to update it to the
>> latest trunk version. My objective is to build something that's
>> extensible and will allow me to update w3af's sqlmap frequently
>> without any (if possible) effort. In order to do that, I need to write
>> a decent wrapper that will not depend on the changes in sqlmap's
>> implementation.
>>
>> Ideas?
>>
>> Regards,
>>
>> [0] (which is called sqlmap, we don't try to fool nobody or steal your efforts)
>> --
>> Andrés Riancho
>> Director of Web Security at Rapid7 LLC
>> Founder at Bonsai Information Security
>> Project Leader at w3af
>>
>> ------------------------------------------------------------------------------
>> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
>> Finally, a world-class log management solution at an even better price-free!
>> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
>> February 28th, so secure your free ArcSight Logger TODAY!
>> http://p.sf.net/sfu/arcsight-sfd2d
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
>
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
|
|
From: Miroslav S. <mir...@gm...> - 2011-01-28 21:51:32
|
hi Andreas. On Fri, Jan 28, 2011 at 6:55 PM, Andres Riancho <and...@gm...> wrote: > Miroslav, > > On Thu, Jan 27, 2011 at 7:12 PM, Miroslav Stampar > <mir...@gm...> wrote: >> Hi. >> >> I would suggest you to research "lib\core\testing.py" (liveTest() >> together with auxiliary methods). It was not updated for quite long >> time, but it should be useful for starters. It's meant for our >> internal testing (smoke testing for dummy checking via module loading >> and live testing against our VMs). > > Cool, I'll take a look at that. Something else I'm thinking about > is that sqlmap uses urllib2 to send HTTP requests, while w3af uses a > urllib2 wrapper, and when a w3af user sets proxy settings and stuff he > expects that to be applied "system-wide", affecting sqlmap. Is there switch --ignore-proxy can be used to ignore "system-wide" proxy setting, while the default behavior is to use "system-wide" proxy, so sqlmap is quite smart in this field. > any easy way to modify sqlmap to use our > HTTP_request_sender_object.GET() ? well, no easy way out of box. we haven't "meant" this kind of things :) as it would require us to make a "dirty hack" on our side, i would suggest you guys to play around a bit and if you have some suggestions from your side (avoiding word "dirty" on our side) feel free to tell. kr > > Regards, > >> KR >> >> On Thu, Jan 27, 2011 at 11:04 PM, Andres Riancho >> <and...@gm...> wrote: >>> Guys, >>> >>> What's the best way to create a sqlmap wrapper? >>> >>> In the w3af project we have a very old version of sqlmap >>> integrated as an attack plugin [0]. Right now we're doing something >>> like: "import sqlmap ; sqlmap.do_something()". Since the sqlmap >>> version we include is very old, I would like to update it to the >>> latest trunk version. My objective is to build something that's >>> extensible and will allow me to update w3af's sqlmap frequently >>> without any (if possible) effort. In order to do that, I need to write >>> a decent wrapper that will not depend on the changes in sqlmap's >>> implementation. >>> >>> Ideas? >>> >>> Regards, >>> >>> [0] (which is called sqlmap, we don't try to fool nobody or steal your efforts) >>> -- >>> Andrés Riancho >>> Director of Web Security at Rapid7 LLC >>> Founder at Bonsai Information Security >>> Project Leader at w3af >>> >>> ------------------------------------------------------------------------------ >>> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! >>> Finally, a world-class log management solution at an even better price-free! >>> Download using promo code Free_Logger_4_Dev2Dev. Offer expires >>> February 28th, so secure your free ArcSight Logger TODAY! >>> http://p.sf.net/sfu/arcsight-sfd2d >>> _______________________________________________ >>> sqlmap-users mailing list >>> sql...@li... >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> >> >> >> >> -- >> Miroslav Stampar >> >> E-mail / Jabber: miroslav.stampar (at) gmail.com >> Mobile: +385921010204 (HR 0921010204) >> PGP Key ID: 0xB5397B1B >> Location: Zagreb, Croatia >> > > > > -- > Andrés Riancho > Director of Web Security at Rapid7 LLC > Founder at Bonsai Information Security > Project Leader at w3af > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B Location: Zagreb, Croatia |
|
From: Miroslav S. <mir...@gm...> - 2011-01-28 21:55:49
|
you can also make a dirty hack on your side. hint: >>> import sys >>> import urllib2 >>> sys.modules['urllib2'] <module 'urllib2' from '...'> >>> import os >>> sys.modules['urllib2'] = os >>> import urllib2 >>> dir(urllib2) ['F_OK', 'O_APPEND', 'O_BINARY', 'O_CREAT', 'O_EXCL', 'O_NOINHERIT', 'O_RANDOM', 'O_RDONLY', 'O_RDWR', 'O_SEQUENTIAL', 'O_SHORT_LIVED', 'O_TEMPORARY', 'O_TEXT', 'O_TRUNC', 'O_WRONLY', 'P_DETACH', 'P_NOWAIT', 'P_NOWAITO', 'P_OVERLAY', 'P_WAI ... kr On Fri, Jan 28, 2011 at 10:51 PM, Miroslav Stampar <mir...@gm...> wrote: > hi Andreas. > > On Fri, Jan 28, 2011 at 6:55 PM, Andres Riancho > <and...@gm...> wrote: >> Miroslav, >> >> On Thu, Jan 27, 2011 at 7:12 PM, Miroslav Stampar >> <mir...@gm...> wrote: >>> Hi. >>> >>> I would suggest you to research "lib\core\testing.py" (liveTest() >>> together with auxiliary methods). It was not updated for quite long >>> time, but it should be useful for starters. It's meant for our >>> internal testing (smoke testing for dummy checking via module loading >>> and live testing against our VMs). >> >> Cool, I'll take a look at that. Something else I'm thinking about >> is that sqlmap uses urllib2 to send HTTP requests, while w3af uses a >> urllib2 wrapper, and when a w3af user sets proxy settings and stuff he >> expects that to be applied "system-wide", affecting sqlmap. Is there > > switch --ignore-proxy can be used to ignore "system-wide" proxy > setting, while the default behavior is to use "system-wide" proxy, so > sqlmap is quite smart in this field. > >> any easy way to modify sqlmap to use our >> HTTP_request_sender_object.GET() ? > well, no easy way out of box. we haven't "meant" this kind of things :) > > as it would require us to make a "dirty hack" on our side, i would > suggest you guys to play around a bit and if you have some suggestions > from your side (avoiding word "dirty" on our side) feel free to tell. > > kr >> >> Regards, >> >>> KR >>> >>> On Thu, Jan 27, 2011 at 11:04 PM, Andres Riancho >>> <and...@gm...> wrote: >>>> Guys, >>>> >>>> What's the best way to create a sqlmap wrapper? >>>> >>>> In the w3af project we have a very old version of sqlmap >>>> integrated as an attack plugin [0]. Right now we're doing something >>>> like: "import sqlmap ; sqlmap.do_something()". Since the sqlmap >>>> version we include is very old, I would like to update it to the >>>> latest trunk version. My objective is to build something that's >>>> extensible and will allow me to update w3af's sqlmap frequently >>>> without any (if possible) effort. In order to do that, I need to write >>>> a decent wrapper that will not depend on the changes in sqlmap's >>>> implementation. >>>> >>>> Ideas? >>>> >>>> Regards, >>>> >>>> [0] (which is called sqlmap, we don't try to fool nobody or steal your efforts) >>>> -- >>>> Andrés Riancho >>>> Director of Web Security at Rapid7 LLC >>>> Founder at Bonsai Information Security >>>> Project Leader at w3af >>>> >>>> ------------------------------------------------------------------------------ >>>> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! >>>> Finally, a world-class log management solution at an even better price-free! >>>> Download using promo code Free_Logger_4_Dev2Dev. Offer expires >>>> February 28th, so secure your free ArcSight Logger TODAY! >>>> http://p.sf.net/sfu/arcsight-sfd2d >>>> _______________________________________________ >>>> sqlmap-users mailing list >>>> sql...@li... >>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>>> >>> >>> >>> >>> -- >>> Miroslav Stampar >>> >>> E-mail / Jabber: miroslav.stampar (at) gmail.com >>> Mobile: +385921010204 (HR 0921010204) >>> PGP Key ID: 0xB5397B1B >>> Location: Zagreb, Croatia >>> >> >> >> >> -- >> Andrés Riancho >> Director of Web Security at Rapid7 LLC >> Founder at Bonsai Information Security >> Project Leader at w3af >> > > > > -- > Miroslav Stampar > > E-mail / Jabber: miroslav.stampar (at) gmail.com > Mobile: +385921010204 (HR 0921010204) > PGP Key ID: 0xB5397B1B > Location: Zagreb, Croatia > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B Location: Zagreb, Croatia |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X