2025-01-15 Update. From: SLTechnology News & Howtos, Network Security
Shulou (Shulou.com) 05/31 Report
This article shows how to use sqlmapapi to initiate SQL injection scans through sqlmap's REST API: how to start the server, how to drive it from the bundled command-line client, which HTTP routes the server exposes, and how those routes can be chained for batch testing.
sqlmap is the standard tool for SQL injection detection, but testing with the sqlmap command line is inefficient when every URL has to be run by hand. The sqlmap developers therefore added sqlmapapi.py, which exposes sqlmap through a REST-JSON API so that scans can be created, started and queried by API calls instead of repeated command invocations.
sqlmapapi is split into a server and a client, and it offers two ways of working: an interface mode based on the HTTP protocol, in which any HTTP client talks to the server directly, and an interface mode based on the command line, in which the bundled interactive client issues those same HTTP requests for you.
Sqlmap source code download address: https://github.com/sqlmapproject/sqlmap/
1. View help
python sqlmapapi.py -h
2. Start the API server
Whichever mode you use, the API server must be started first:
python sqlmapapi.py -s
On success the server prints its configuration: the IPC database it uses, the address it listens on (127.0.0.1, port 8775 by default) and an admin (secret) token, c6bbb0c1f86b7d7bc2ed6ce3e3bbdcb5 in this run. The admin token is generated afresh on every start and is needed only for the /admin/ routes described in section 4.3.
The default binding has a drawback: the server listens on localhost only, so a client on another host cannot reach it. To accept remote clients, bind to all interfaces and choose a port:
python sqlmapapi.py -s -H "0.0.0.0" -p 8775
After that, a remote client connects by giving the server's IP address and port. Be aware that the task and scan routes carry no authentication at all: anyone who can reach the port can create tasks, launch scans that originate from the server host, and read the results of any task whose ID they know. Current sqlmap releases also accept --username and --password on sqlmapapi.py to put HTTP basic authentication in front of the API; even then, keep the port firewalled to trusted clients or reach it over an SSH tunnel rather than exposing it to an untrusted network.
3. Interface mode based on the command line
3.1 Start the client and issue injection commands
python sqlmapapi.py -c
If the client and server are not on the same machine, give the server's address and port:
python sqlmapapi.py -c -H "192.168.1.101" -p 8775
3.2 The help command lists all client commands:

    help             display help information
    new ARGS         start a new scanning task (ARGS are ordinary sqlmap arguments)
    use TASKID       switch to an existing task
    data             get the data returned by the current task
    log              get the scan log of the current task
    status           get the scan status of the current task
    option OPTION    get one option of the current task
    options          get all configured options of the current task
    stop             stop the current task
    kill             kill the current task
    list             display all tasks
    flush            delete all tasks
    exit             exit the client
3.3 Detection and injection
3.3.1 The new command
new -u "url"
Example: new -u "http://www.baidu.com"
Only the -u parameter is given here, yet the returned information shows that after the new command the client first requests /task/new to obtain a task ID and then sends a second request to start the scan with the supplied arguments. The command-line mode is therefore just a wrapper over the HTTP protocol mode described in section 4.
3.3.2 The status command
Returns the scan status of the current task. A status field of terminated means the scan has finished; running means it is still in progress; not running means no engine has been started for the task yet. The reply also carries the return code of the sqlmap engine process. The original article shows a screenshot of a completed scan at this point.
3.3.3 The data command
After the scan completes, returns the injection findings. If the data field in the reply is non-empty, an injection was found; for an injectable target the reply includes the database type, the payloads used and the injected parameter, among other details. Check the error field as well: an empty data list together with error entries indicates a problem with the scan itself rather than a clean target.
4. Interface mode based on the HTTP protocol
This section briefly introduces the main functions of sqlmapapi.py in its HTTP interface mode. In the server() function of lib/utils/api.py you can see the Bottle route handlers that a client interacts with by submitting data to the server. They fall into three groups:

    user methods               create and delete tasks
    admin functions            list and flush tasks (admin token required to see other clients' tasks)
    sqlmap core interaction    set or read options; start, stop and kill a scan; read status, data and log

The routes and their handlers, taken from lib/utils/api.py with the <taskid> and <token> path parameters restored, are as follows.
4.1 User methods

    @get("/task/new")
    def task_new():
        """
        Create a new task
        """
        taskid = encodeHex(os.urandom(8), binary=False)
        remote_addr = request.remote_addr

        DataStore.tasks[taskid] = Task(taskid, remote_addr)

        logger.debug("Created new task: '%s'" % taskid)
        return jsonize({"success": True, "taskid": taskid})

    @get("/task/<taskid>/delete")
    def task_delete(taskid):
        """
        Delete an existing task
        """
        if taskid in DataStore.tasks:
            DataStore.tasks.pop(taskid)

            logger.debug("(%s) Deleted task" % taskid)
            return jsonize({"success": True})
        else:
            response.status = 404
            logger.warning("[%s] Non-existing task ID provided to task_delete()" % taskid)
            return jsonize({"success": False, "message": "Non-existing task ID"})

4.2 Core interaction functions
Option routes: @get("/option/<taskid>/list"), @post("/option/<taskid>/get") and @post("/option/<taskid>/set"). The set handler shows the pattern shared by all task-bound routes: validate the task ID, validate the JSON body, then act on the task.

    @post("/option/<taskid>/set")
    def option_set(taskid):
        """
        Set value of option(s) for a certain task ID
        """
        if taskid not in DataStore.tasks:
            logger.warning("[%s] Invalid task ID provided to option_set()" % taskid)
            return jsonize({"success": False, "message": "Invalid task ID"})

        if request.json is None:
            logger.warning("[%s] Invalid JSON options provided to option_set()" % taskid)
            return jsonize({"success": False, "message": "Invalid JSON options"})

        for option, value in request.json.items():
            DataStore.tasks[taskid].set_option(option, value)

        logger.debug("(%s) Requested to set options" % taskid)
        return jsonize({"success": True})

    @post("/scan/<taskid>/start")
    def scan_start(taskid):
        """
        Launch a scan
        """
        if taskid not in DataStore.tasks:
            logger.warning("[%s] Invalid task ID provided to scan_start()" % taskid)
            return jsonize({"success": False, "message": "Invalid task ID"})

        if request.json is None:
            logger.warning("[%s] Invalid JSON options provided to scan_start()" % taskid)
            return jsonize({"success": False, "message": "Invalid JSON options"})

        # Initialize sqlmap engine's options with user's provided options, if any
        for option, value in request.json.items():
            DataStore.tasks[taskid].set_option(option, value)

        # Launch sqlmap engine in a separate process
        DataStore.tasks[taskid].engine_start()

        logger.debug("(%s) Started scan" % taskid)
        return jsonize({"success": True, "engineid": DataStore.tasks[taskid].engine_get_id()})

    @get("/scan/<taskid>/stop")
    def scan_stop(taskid):
        """
        Stop a scan
        """
        if (taskid not in DataStore.tasks or
                DataStore.tasks[taskid].engine_process() is None or
                DataStore.tasks[taskid].engine_has_terminated()):
            logger.warning("[%s] Invalid task ID provided to scan_stop()" % taskid)
            return jsonize({"success": False, "message": "Invalid task ID"})

        DataStore.tasks[taskid].engine_stop()

        logger.debug("(%s) Stopped scan" % taskid)
        return jsonize({"success": True})

    @get("/scan/<taskid>/kill")
    def scan_kill(taskid):
        """
        Kill a scan
        """
        if (taskid not in DataStore.tasks or
                DataStore.tasks[taskid].engine_process() is None or
                DataStore.tasks[taskid].engine_has_terminated()):
            logger.warning("[%s] Invalid task ID provided to scan_kill()" % taskid)
            return jsonize({"success": False, "message": "Invalid task ID"})

        DataStore.tasks[taskid].engine_kill()

        logger.debug("(%s) Killed scan" % taskid)
        return jsonize({"success": True})

    @get("/scan/<taskid>/status")
    def scan_status(taskid):
        """
        Returns status of a scan
        """
        if taskid not in DataStore.tasks:
            logger.warning("[%s] Invalid task ID provided to scan_status()" % taskid)
            return jsonize({"success": False, "message": "Invalid task ID"})

        if DataStore.tasks[taskid].engine_process() is None:
            status = "not running"
        else:
            status = "terminated" if DataStore.tasks[taskid].engine_has_terminated() is True else "running"

        logger.debug("(%s) Retrieved scan status" % taskid)
        return jsonize({"success": True, "status": status, "returncode": DataStore.tasks[taskid].engine_get_returncode()})

    @get("/scan/<taskid>/data")
    def scan_data(taskid):
        """
        Retrieve the data of a scan
        """
        json_data_message = list()
        json_errors_message = list()

        if taskid not in DataStore.tasks:
            logger.warning("[%s] Invalid task ID provided to scan_data()" % taskid)
            return jsonize({"success": False, "message": "Invalid task ID"})

        # Read all data from the IPC database for the taskid
        for status, content_type, value in DataStore.current_db.execute("SELECT status, content_type, value FROM data WHERE taskid = ? ORDER BY id ASC", (taskid,)):
            json_data_message.append({"status": status, "type": content_type, "value": dejsonize(value)})

        # Read all error messages from the IPC database
        for error in DataStore.current_db.execute("SELECT error FROM errors WHERE taskid = ? ORDER BY id ASC", (taskid,)):
            json_errors_message.append(error)

        logger.debug("(%s) Retrieved scan data and error messages" % taskid)
        return jsonize({"success": True, "data": json_data_message, "error": json_errors_message})

Also in this group: @get("/scan/<taskid>/log") returns the scan log, and @get("/download/<taskid>/<target>/<filename:path>") serves a file produced by the scan.
4.3 Admin functions

    @get("/admin/list")
    @get("/admin/<token>/list")
    def task_list(token=None):
        """
        Pull task list
        """
        tasks = {}

        for key in DataStore.tasks:
            if is_admin(token) or DataStore.tasks[key].remote_addr == request.remote_addr:
                tasks[key] = dejsonize(scan_status(key))["status"]

        logger.debug("(%s) Listed task pool (%s)" % (token, "admin" if is_admin(token) else request.remote_addr))
        return jsonize({"success": True, "tasks": tasks, "tasks_num": len(tasks)})

    @get("/admin/flush")
    @get("/admin/<token>/flush")
    def task_flush(token=None):
        """
        Flush task spool (delete all tasks)
        """
        for key in list(DataStore.tasks):
            if is_admin(token) or DataStore.tasks[key].remote_addr == request.remote_addr:
                DataStore.tasks[key].engine_kill()
                del DataStore.tasks[key]

        logger.debug("(%s) Flushed task pool (%s)" % (token, "admin" if is_admin(token) else request.remote_addr))
        return jsonize({"success": True})

Without a valid admin token, list and flush operate only on tasks created from the caller's own remote address; with the token printed at server start they operate on every task.
Extracting the call relationships from sqlmapapi.py shows that these routes cover everything a test run needs (create a task, set options, start, poll status, collect data, delete), so they can be driven in batches against many targets.
5. Using sqlmapapi to initiate scans
sqlmapapi.py conveniently provides an HTTP entry point, but it only reports whether a target is injectable. It does not tell you what requests a scan sent for each injection check, or how many. The flow chart that accompanied this section in the original article, drawn up after reading through the sqlmap source, locates the point in the code where requests are issued at the payload level; adding custom code there is enough to record what kind of requests were made and how many.
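As an added example (not sqlmap's own code and not from the original article), the following Python client drives the HTTP-mode routes from section 4 in the same order the interactive client used them in section 3.3: create a task, start it with options, poll status until terminated, read data, then delete the task. The server address 127.0.0.1:8775, the option names in the start body and the target URL are assumptions; FakeSqlmapServer is a constructed stand-in that answers those routes with sample data so the whole flow can be exercised without a live server.

```python
"""sqlmapapi REST client plus a one-target scan driver (added example; not sqlmap's or the
article's code). Routes and reply fields follow the lib/utils/api.py handlers quoted above.
Assumed: server at 127.0.0.1:8775 (sqlmapapi.py -s default); start-body keys are sqlmap
long option names without dashes ("url", "batch", ...); target URLs are placeholders."""
import json
import secrets
import time
import urllib.request


class SqlmapApiClient:
    def __init__(self, base_url="http://127.0.0.1:8775", transport=None):
        self.base_url = base_url.rstrip("/")
        # transport(method, path, body) -> decoded JSON; injectable so the workflow
        # can be exercised offline against FakeSqlmapServer below.
        self.transport = transport or self._http

    def _http(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.loads(resp.read().decode())

    def _call(self, method, path, body=None):
        reply = self.transport(method, path, body)
        if not reply.get("success"):  # handlers answer {"success": false, "message": ...}
            raise RuntimeError("%s %s: %s" % (method, path, reply.get("message")))
        return reply

    def new_task(self):
        return self._call("GET", "/task/new")["taskid"]

    def start(self, taskid, options):
        return self._call("POST", "/scan/%s/start" % taskid, options)["engineid"]

    def status(self, taskid):
        return self._call("GET", "/scan/%s/status" % taskid)["status"]

    def data(self, taskid):
        reply = self._call("GET", "/scan/%s/data" % taskid)
        return reply["data"], reply["error"]

    def kill(self, taskid):
        self._call("GET", "/scan/%s/kill" % taskid)

    def delete(self, taskid):
        self._call("GET", "/task/%s/delete" % taskid)


def scan_one(client, url, poll=2.0, timeout=3600, **sqlmap_options):
    """new task -> start -> poll until 'terminated' -> data -> delete the task."""
    taskid = client.new_task()
    try:
        options = dict({"url": url, "batch": True}, **sqlmap_options)  # batch: no prompts
        client.start(taskid, options)
        deadline, finished = time.monotonic() + timeout, False
        while time.monotonic() < deadline:
            if client.status(taskid) == "terminated":
                finished = True
                break
            time.sleep(poll)
        if not finished:
            client.kill(taskid)  # do not leave a runaway engine on the API host
        data, errors = client.data(taskid)  # non-empty data == injection found (article's rule)
    finally:
        client.delete(taskid)  # free the task slot; results were already collected
    return {"taskid": taskid, "finished": finished, "injectable": bool(data),
            "data": data, "errors": errors}


class FakeSqlmapServer:
    """Constructed stand-in for 'sqlmapapi.py -s' (sample data, not real scan output). Mirrors the
    quoted handlers: unknown task -> "Invalid task ID"; 'running' on the first poll, then 'terminated'."""

    def __init__(self, findings):
        self.findings, self.tasks, self.deleted = findings, {}, []

    def __call__(self, method, path, body=None):
        parts = path.strip("/").split("/")
        if parts == ["task", "new"]:
            taskid = secrets.token_hex(8)  # same shape as encodeHex(os.urandom(8))
            self.tasks[taskid] = {"options": None, "polls": 0}
            return {"success": True, "taskid": taskid}
        taskid, action = parts[1], parts[2]
        if taskid not in self.tasks:
            return {"success": False, "message": "Invalid task ID"}
        task = self.tasks[taskid]
        if action == "start" and method == "POST":
            task["options"] = body
            return {"success": True, "engineid": 4242}
        if action == "status":
            task["polls"] += 1
            return {"success": True, "status": "terminated" if task["polls"] >= 2 else "running"}
        if action == "data":
            return {"success": True, "data": list(self.findings), "error": []}
        if action == "delete":
            self.deleted.append(self.tasks.pop(taskid))
        return {"success": True}  # delete, stop, kill: nothing more to emulate
```

Against a real server, construct SqlmapApiClient() without a transport and call scan_one for each URL in your target list; if the server was started with --username/--password, add the corresponding basic-auth Authorization header in _http. Unlike the interactive client, scan_one kills the engine on timeout and always deletes the task, so abandoned tasks do not accumulate on the API host.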
6. Implementation process of SQL injection automation
The above is how to use sqlmapapi to initiate scanning: start the server, drive it either through the interactive client or directly over HTTP, and chain the task, scan and data routes to test targets in batches.