-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathsqlmap-client
126 lines (96 loc) · 3.24 KB
/
sqlmap-client
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
#!/usr/bin/python
##
## This script is a convenience wrapper to invoke the sqlmap REST API
##
## Application Security Threat Attack Modeling (ASTAM)
##
## Copyright (C) 2017 Applied Visions - http://securedecisions.com
##
## Written by Aspect Security - http://aspectsecurity.com
##
## Licensed under the Apache License, Version 2.0 (the "License");
## you may not use this file except in compliance with the License.
## You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
##
from __future__ import print_function
import getopt, requests, json, sys, time
# global variables
apiURL = ''
verbose = False
# pretty colors
red='\033[0;31m'
green='\033[0;32m'
nocolor='\033[0m'
# send a request to the API; returns the JSON response
def sendRequest(url, data=None):
headers = {'Accept': 'application/json', 'Content-Type': 'application/json'}
if data:
return requests.post(apiURL + url, headers = headers, data = data).json()
else:
return requests.get(apiURL + url, headers = headers).json()
# print error and exit
def fatalError(msg):
print(red + 'ERROR: ' + msg + nocolor, file=sys.stderr)
quit()
# print verbose message
def say(msg):
if verbose:
print(green + msg + nocolor)
# print progress message
def progress(msg):
if verbose:
print(green + msg + nocolor, end='')
sys.stdout.flush()
def main():
global apiURL
global verbose
# process the command line
opts, args = getopt.getopt(sys.argv[1:], 'v')
if ('-v','') in opts:
verbose = True
if len(args) < 2:
print('Usage: sqlmap-client [-v] <apiURL> <attackOpt> <dumpFile>')
fatalError('invalid command line')
apiURL = args[0]
attackOpt = args[1]
if len(args) == 3:
dumpFile = args[2]
else:
dumpFile = None
say('initializing task via sqlmap api')
task = sendRequest('/task/new')
if task['success']:
taskid = task['taskid']
say('... got task id ' + taskid)
else:
fatalError('could not create a new task')
say('starting task via sqlmap api using ' + attackOpt)
attack = sendRequest('/scan/{0}/start'.format(taskid), attackOpt)
if not attack['success']:
fatalError('sqlmap api command never started')
progress('waiting for completion')
while True:
progress('.')
time.sleep(1)
if sendRequest('/scan/{0}/status'.format(taskid))['status'] == 'terminated':
break
say(' attack complete')
data = sendRequest('/scan/{0}/data'.format(taskid))
log = sendRequest('/scan/{0}/log'.format(taskid))
output = {'task_id': taskid, 'data_response': data, 'log_response': log}
# if a file name was provided, use it for the output
if dumpFile:
fdump = open(dumpFile, 'w')
else:
fdump = sys.stdout
print(json.dumps(output, indent=4, sort_keys=True), file=fdump)
if __name__ == '__main__':
main()