Manning 2015/06/19 10:31

0x00 Preface


sqlmap is the go-to tool for SQL injection probing; its detection capability lets even a user with no background mine SQL injection flaws. There are already 6 articles about sqlmap on Wooyun, but none of them popularizes sqlmapapi.py, so I want to share a little practical experience with it. Testing SQL injection with plain sqlmap is inefficient: every URL has to be tested by hand, which is far from ideal. The sqlmap authors clearly realized this and quietly developed sqlmapapi.py. Only once you use sqlmapapi.py do you appreciate the real power of sqlmap: it lets you build an automated, distributed scanning empire. This article approaches the topic from two angles: the sqlmapapi.py code itself, and the design and implementation of the AutoSqli class.

0x01 sqlmapapi.py overview


sqlmapapi.py gives users a powerful feature: a server mode. You use sqlmapapi.py to open a service port; after that, sending a request to the API is enough to launch SQL injection testing, and a follow-up query request tells you whether the URL is an injection point, together with the detailed findings. Excited yet? Looking at the help output of sqlmapapi.py, we need the -s parameter, and may also use the -p parameter.

As can be seen from the sqlmapapi.py file, the file we actually use is called

If you look at the server class in lib/utils/api.py, you can see that you interact with the service by submitting data to the server. There are three groups of handlers.

  • User methods
  • Admin functions
  • Core interaction functions

The types of data that can be submitted are as follows.

User methods

  • @get("/task/new")
  • @get("/task/<taskid>/delete")

Admin functions

  • @get("/admin/<taskid>/list")
  • @get("/admin/<taskid>/flush")

Core interaction functions

  • @get("/option/<taskid>/list")
  • @post("/option/<taskid>/get")
  • @post("/option/<taskid>/set")
  • @post("/scan/<taskid>/start")
  • @get("/scan/<taskid>/stop")
  • @get("/scan/<taskid>/kill")
  • @get("/scan/<taskid>/status")
  • @get("/scan/<taskid>/data")
  • @get("/scan/<taskid>/log/<start>/<end>")
  • @get("/scan/<taskid>/log")
  • @get("/download/<taskid>/<target>/<filename>")

It is not hard to see how these operations match our testing needs, so we can use them for batch testing. Of course, each request has its own return value, and these are returned as JSON, which is easy to parse. I have actually already done this for you, and you only need to call the AutoSqli class, but I will pick out a few of them here.

/task/new (task creation)

    GET /task/new
    Response: { "taskid": "1D47D7F046DF1504"}

/scan/<task_id>/status (scan task status)

    GET /scan/<task_id>/status
    Response: {"status": "terminated", "returncode": 0 }

Please refer to the code for details.

0x02 AutoSqli class


The AutoSqli class I wrapped is meant to make interacting with the server started by sqlmapapi.py easy.

The execution logic diagram of AutoSqli’s run method

These steps follow the logic of a normal sqlmap scan, so calling AutoSqli simply works.
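As an added illustration (not the MSpider autosqli.py code), the following Python client walks the same sequence the run method follows: create a task, set options, start the scan, poll the status until it is terminated, fetch the data, and delete the task, using the endpoints and JSON replies listed in 0x01. It assumes the default sqlmapapi.py listener at 127.0.0.1:8775, and the transport is injectable so the flow can be checked against canned replies without a server.

```python
import json
import time
import urllib.request


class SqlmapApiClient:
    """Drive one sqlmapapi.py task: new -> option set -> scan start -> status poll -> data -> delete.

    transport(method, path, body) must return the parsed JSON reply. It is injectable so the
    flow can be exercised offline; http_transport talks to a real sqlmapapi.py server.
    """

    def __init__(self, base_url="http://127.0.0.1:8775", transport=None):
        # 8775 is sqlmapapi.py's default port (assumed here; pass -p to change it).
        self.base_url = base_url.rstrip("/")
        self.transport = transport or self.http_transport

    def http_transport(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())

    def run(self, target, options=None, interval=5, sleep=time.sleep):
        """Return the scan's data list; an empty list means sqlmap found no injection."""
        taskid = self.transport("GET", "/task/new", None)["taskid"]
        try:
            if options:  # same keys as sqlmap's options, e.g. {"level": 3, "cookie": "..."}
                self.transport("POST", f"/option/{taskid}/set", options)
            self.transport("POST", f"/scan/{taskid}/start", {"url": target})
            while True:
                status = self.transport("GET", f"/scan/{taskid}/status", None)
                if status["status"] == "terminated":
                    if status["returncode"] != 0:
                        raise RuntimeError(f"task {taskid} failed, returncode {status['returncode']}")
                    return self.transport("GET", f"/scan/{taskid}/data", None)["data"]
                sleep(interval)  # still "running" (or "not running" before start): keep polling
        finally:
            # Always release the server-side task, otherwise the daemon keeps it in memory.
            self.transport("GET", f"/task/{taskid}/delete", None)
```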


See the Mspider project’s autosqli.py file for the code.

https://github.com/manning23/MSpider

0x03 Usage experience


When initializing AutoSqli you can supply the url, data, cookie and referer, so pages that require a login can be probed without any trouble.

When using the AutoSqli class, the main thing to pay attention to is the option_set() method. Its data structure is a dictionary, and because the list of settings it accepts is very long, refer to the set_option.txt file in the MSpider project for the options used in automated testing.

As for real-world use: I have actually been playing with this for a long time, and to be honest the results have not met my expectations. Here is my analysis of why.

Sites genuinely have fewer SQL injection flaws now, and the main "pancake type" injection points are even rarer.

sqlmap's initial probing is not great; accurate detection takes some research. In my own experiments, for MySQL databases the time-based probe works best, but of course you need to write your own probe; see Mayikissyou's article for the details. By the way, Mayikissyou's article only skims the surface of rewriting the probe (a dragonfly touching the water); it took me a long time to add in the methods from lijiejie :)

Some readers with ideas would like me to combine MSpider and AutoSqli, but I think I have already shared the method; the rest you can practise yourselves. Practice leads to new ideas.

sqlmapapi.py is what sqlmap provides for distributed SQL injection scanning, but there is really very little material about it, and even less written from actual practice. I hope this article serves as a starting point for others; if you have questions, feel free to contact me at any time. I also really recommend reading Mayikissyou's article: together with this one, you can play with SQL injection however you like.

0x04 References


http://volatile-minds.blogspot.jp/2013/04/unofficial-sqlmap-restful-api.html

http://drops.wooyun.org/tips/5254