Read Sqlmap source code, write Burpsuite plugin--sqlmapapi (ii)

Source: Internet
Author: User
Tags: configuration settings, sca, sql injection

Burpsuite plug-in writing --- SQL injection

0x00 Overview

In the security testing process, most people use Burpsuite's scanner module for testing, and it finds the obvious vulnerabilities: XSS, SQL injection, CSRF, XXE, arbitrary file disclosure, information leakage, plaintext transmission, and so on.
When it comes to SQL injection, testers ask whether there is an automated tool that can crawl every link of a site and find as many SQL injection points as possible. One solution is to write a Burpsuite plugin.
The previous article described writing the plugin by implementing the IHttpListener interface, which hurt testing efficiency. This article introduces another approach and then compares sqlmapapi with the Burpsuite scanner module.

0x01 Implementing the IScannerCheck interface (Method 2)

First, the plug-in code:

    from burp import IBurpExtender
    from burp import IScannerCheck
    from java.io import PrintWriter
    import urllib2
    import time
    import json
    from threading import Thread


    class BurpExtender(IBurpExtender, IScannerCheck):

        #
        # implement IBurpExtender
        #
        def registerExtenderCallbacks(self, callbacks):
            # keep a reference to our callbacks object
            self._callbacks = callbacks

            # set our extension name
            callbacks.setExtensionName("Fanyingjie")

            # obtain our output stream
            self._stdout = PrintWriter(callbacks.getStdout(), True)

            self._helpers = callbacks.getHelpers()

            # register ourselves as a scanner check
            callbacks.registerScannerCheck(self)

        def doActiveScan(self, baseRequestResponse, insertionPoint):
            pass

        def doPassiveScan(self, baseRequestResponse):
            # hand every GET request that carries a query string to sqlmapapi
            a = self._helpers.analyzeRequest(baseRequestResponse)
            method = a.getMethod()
            url = str(a.getUrl())
            if ("?" in url) and (method == "GET"):
                self._stdout.println("Start")
                t = AutoSqli(target=url, stdout=self._stdout, method=method)
                t.run()  # run() executes in the calling thread; start() would run it in the background

        def consolidateDuplicateIssues(self, existingIssue, newIssue):
            pass


    class AutoSqli(Thread):
        def __init__(self, target, stdout, method):
            Thread.__init__(self)
            self.server = "http://192.168.159.134:8775"  # sqlmapapi server
            self.taskid = ''
            self.target = target
            self.method = method
            self._stdout = stdout
            self.start_time = time.time()

        def task_new(self):
            # GET /task/new returns {"success": true, "taskid": "..."}
            self.taskid = json.loads(urllib2.urlopen(self.server + '/task/new').read())['taskid']
            self._stdout.println('Created new task: ' + self.taskid)
            if len(self.taskid) > 0:
                return True
            return False

        def task_delete(self):
            if json.loads(urllib2.urlopen(self.server + '/task/' + self.taskid + '/delete').read())['success']:
                self._stdout.println('[%s] Deleted task' % (self.taskid))
                return True
            return False

        def scan_start(self):
            # POST /scan/<taskid>/start with the target URL as JSON
            headers = {'Content-Type': 'application/json'}
            payload = {'url': self.target}
            url = self.server + '/scan/' + self.taskid + '/start'
            # t = json.loads(requests.post(url, data=json.dumps(payload), headers=headers).text)
            req = urllib2.Request(url, data=json.dumps(payload), headers=headers)
            t = json.loads(urllib2.urlopen(req).read())
            self._stdout.println("Start " + self.taskid)
            if len(str(t['engineid'])) > 0 and t['success']:
                return True
            return False

        def scan_status(self):
            status = json.loads(urllib2.urlopen(self.server + '/scan/' + self.taskid + '/status').read())['status']
            if status == 'running':
                return 'running'
            if status == 'terminated':
                return 'terminated'
            return 'error'

        def scan_data(self):
            # an empty "data" list means sqlmap found no injection for this target
            data = json.loads(urllib2.urlopen(self.server + '/scan/' + self.taskid + '/data').read())['data']
            if len(data) == 0:
                self._stdout.println('not injection:\t' + self.target)
                return False
            else:
                self._stdout.println('injection:\t' + self.target)
                return True

        def scan_kill(self):
            json.loads(urllib2.urlopen(self.server + '/scan/' + self.taskid + '/kill').read())['success']
            self._stdout.println("%s kill" % (self.taskid))

        def scan_stop(self):
            json.loads(urllib2.urlopen(self.server + '/scan/' + self.taskid + '/stop').read())['success']
            self._stdout.println("%s stop" % (self.taskid))

        def run(self):
            try:
                if not self.task_new():
                    return False
                if not self.scan_start():
                    return False
                while True:
                    if self.scan_status() == 'running':
                        time.sleep(10)
                    elif self.scan_status() == 'terminated':
                        break
                    else:
                        break
                    # print self.target + ":\t" + str(time.time() - self.start_time)
                    if time.time() - self.start_time > 500:
                        # give up on scans that run longer than 500 seconds
                        self.scan_stop()
                        self.scan_kill()
                        break
                self.scan_data()
                # self.task_delete()
            except Exception as e:
                pass

Testing http://172.16.173.136/sqli-labs/Less-8/?id=234 for SQL injection with both the Burp scanner module and the plugin written above, the Burp scanner module detects the injection, but the plugin does not.
So the plugin was rewritten to change sqlmapapi's default configuration. The following code was added to the plugin; I only modified the level and risk:

    def optionSet(self):
        # POST /option/<taskid>/set raises sqlmap's level and risk for this task before the scan starts
        headers = {'Content-Type': 'application/json'}
        payload = {"level": "5", "risk": "3"}
        url = self.server + '/option/' + self.taskid + '/set'
        req = urllib2.Request(url, data=json.dumps(payload), headers=headers)
        t = json.loads(urllib2.urlopen(req).read())
        self._stdout.println("set option " + self.taskid)

Then, after the new task is created, the option-setting function is called before the scan starts. The modified code:

    from burp import IBurpExtender
    from burp import IScannerCheck
    from java.io import PrintWriter
    import urllib2
    import time
    import json
    from threading import Thread


    class BurpExtender(IBurpExtender, IScannerCheck):

        #
        # implement IBurpExtender
        #
        def registerExtenderCallbacks(self, callbacks):
            # keep a reference to our callbacks object
            self._callbacks = callbacks

            # set our extension name
            callbacks.setExtensionName("Fanyingjie")

            # obtain our output stream
            self._stdout = PrintWriter(callbacks.getStdout(), True)

            self._helpers = callbacks.getHelpers()

            # register ourselves as a scanner check
            callbacks.registerScannerCheck(self)

        def doActiveScan(self, baseRequestResponse, insertionPoint):
            pass

        def doPassiveScan(self, baseRequestResponse):
            # hand every GET request that carries a query string to sqlmapapi
            a = self._helpers.analyzeRequest(baseRequestResponse)
            method = a.getMethod()
            url = str(a.getUrl())
            if ("?" in url) and (method == "GET"):
                self._stdout.println("Start")
                t = AutoSqli(target=url, stdout=self._stdout, method=method)
                t.run()  # run() executes in the calling thread; start() would run it in the background

        def consolidateDuplicateIssues(self, existingIssue, newIssue):
            pass


    class AutoSqli(Thread):
        def __init__(self, target, stdout, method):
            Thread.__init__(self)
            self.server = "http://172.16.173.136:8775"  # sqlmapapi server
            self.taskid = ''
            self.target = target
            self.method = method
            self._stdout = stdout
            self.start_time = time.time()

        def task_new(self):
            # GET /task/new returns {"success": true, "taskid": "..."}
            self.taskid = json.loads(urllib2.urlopen(self.server + '/task/new').read())['taskid']
            self._stdout.println('Created new task: ' + self.taskid)
            if len(self.taskid) > 0:
                return True
            return False

        def task_delete(self):
            if json.loads(urllib2.urlopen(self.server + '/task/' + self.taskid + '/delete').read())['success']:
                self._stdout.println('[%s] Deleted task' % (self.taskid))
                return True
            return False

        def optionSet(self):
            # POST /option/<taskid>/set raises sqlmap's level and risk for this task before the scan starts
            headers = {'Content-Type': 'application/json'}
            payload = {'level': '5', 'risk': '3'}
            url = self.server + '/option/' + self.taskid + '/set'
            req = urllib2.Request(url, data=json.dumps(payload), headers=headers)
            t = json.loads(urllib2.urlopen(req).read())
            self._stdout.println("set option " + self.taskid)

        def scan_start(self):
            # POST /scan/<taskid>/start with the target URL as JSON
            headers = {'Content-Type': 'application/json'}
            payload = {'url': self.target}
            url = self.server + '/scan/' + self.taskid + '/start'
            # t = json.loads(requests.post(url, data=json.dumps(payload), headers=headers).text)
            req = urllib2.Request(url, data=json.dumps(payload), headers=headers)
            t = json.loads(urllib2.urlopen(req).read())
            self._stdout.println("Start " + self.taskid)
            if len(str(t['engineid'])) > 0 and t['success']:
                return True
            return False

        def scan_status(self):
            status = json.loads(urllib2.urlopen(self.server + '/scan/' + self.taskid + '/status').read())['status']
            if status == 'running':
                return 'running'
            if status == 'terminated':
                return 'terminated'
            return 'error'

        def scan_data(self):
            # an empty "data" list means sqlmap found no injection for this target
            data = json.loads(urllib2.urlopen(self.server + '/scan/' + self.taskid + '/data').read())['data']
            if len(data) == 0:
                self._stdout.println('not injection:\t' + self.target)
                return False
            else:
                self._stdout.println('injection:\t' + self.target)
                return True

        def scan_kill(self):
            json.loads(urllib2.urlopen(self.server + '/scan/' + self.taskid + '/kill').read())['success']
            self._stdout.println("%s kill" % (self.taskid))

        def scan_stop(self):
            json.loads(urllib2.urlopen(self.server + '/scan/' + self.taskid + '/stop').read())['success']
            self._stdout.println("%s stop" % (self.taskid))

        def run(self):
            try:
                if not self.task_new():
                    return False
                self.optionSet()
                if not self.scan_start():
                    return False
                while True:
                    if self.scan_status() == 'running':
                        time.sleep(10)
                    elif self.scan_status() == 'terminated':
                        break
                    else:
                        break
                    # print self.target + ":\t" + str(time.time() - self.start_time)
                    if time.time() - self.start_time > 500:
                        # give up on scans that run longer than 500 seconds
                        self.scan_stop()
                        self.scan_kill()
                        break
                self.scan_data()
                # self.task_delete()
            except Exception as e:
                pass

Testing again with the code above, the injection is detected.
Plug-in output:

    Start
    Created New task:42f685742c94a985
    Set option 42f685742c94a985
    Start 42f685742c94a985
    injection:http://172.16.173.136:80/sqli-labs/less-8/?id=234

Comparing sqlmapapi with the Burpsuite scanner module:
Modifying sqlmapapi's default settings (here level and risk) improves the accuracy of injection detection, but with those settings sqlmapapi is noticeably slower than the Burpsuite scanner module. In addition, the plugin only hands GET requests to sqlmapapi, and it cannot detect injection in GET requests that require a login, because only the URL is passed on and not the session cookie. So in a security test, if the purpose is simply to find out whether a site has SQL injection, the Burpsuite scanner module is the better choice; once an injection is known to exist, sqlmap can be used for the follow-up work.
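The sqlmapapi task lifecycle the plugin drives (task/new, option/set, scan/start, status polling, scan/data, stop and kill on timeout, task/delete), as an added standalone Python 3 example that is not part of the original post or of sqlmap: `sqlmapapi_scan` talks to the server through an injectable transport, and `FakeSqlmapApi` is a constructed stand-in that replays the reply shapes so the flow runs offline; the server address, task id and findings are made up.

```python
import json
import urllib.request

def http_json(url, body=None, timeout=30):
    data = json.dumps(body).encode() if body is not None else None  # POST JSON if body, else GET
    req = urllib.request.Request(url, data=data, headers={'Content-Type': 'application/json'})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())

def sqlmapapi_scan(server, target, options=None, transport=http_json, max_polls=50, wait=lambda: None):
    """task/new -> option/set -> scan/start -> poll status -> scan/data -> task/delete; returns (injectable, data)."""
    taskid = transport(server + '/task/new')['taskid']
    try:
        if options and not transport('%s/option/%s/set' % (server, taskid), options)['success']:
            raise RuntimeError('option/set rejected')
        if not transport('%s/scan/%s/start' % (server, taskid), {'url': target})['success']:
            raise RuntimeError('scan/start rejected')
        for _ in range(max_polls):
            status = transport('%s/scan/%s/status' % (server, taskid))['status']
            if status == 'terminated':
                break
            if status != 'running':  # sqlmapapi also reports 'not running'
                raise RuntimeError('unexpected status %r' % status)
            wait()  # a real caller sleeps here; the plugin above waits 10 s per poll
        else:
            transport('%s/scan/%s/stop' % (server, taskid))
            transport('%s/scan/%s/kill' % (server, taskid))
            raise RuntimeError('scan did not finish within %d polls' % max_polls)
        data = transport('%s/scan/%s/data' % (server, taskid))['data']
        return len(data) > 0, data
    finally:
        transport('%s/task/%s/delete' % (server, taskid))  # the plugin leaves this commented out

class FakeSqlmapApi:
    """Constructed stand-in for the server: replays the real reply shapes, 'running' for `polls` checks."""
    def __init__(self, findings, polls=2):
        self.findings, self.polls, self.options, self.log = findings, polls, {}, []
    def __call__(self, url, body=None):
        path = url.split('/', 3)[3].split('/')  # e.g. ['scan', '<taskid>', 'status']
        self.log.append(path[0] + '/' + path[-1])
        if path == ['task', 'new']:
            return {'success': True, 'taskid': 'deadbeef01234567'}
        if path[-1] == 'set':
            self.options.update(body)
        if path[-1] == 'status':
            self.polls -= 1
            return {'success': True, 'status': 'running' if self.polls >= 0 else 'terminated'}
        if path[-1] == 'data':
            return {'success': True, 'data': self.findings, 'error': []}
        return {'success': True, 'engineid': 4242}
```

Against a real server, call `sqlmapapi_scan('http://127.0.0.1:8775', target, options={'level': 5, 'risk': 3}, wait=lambda: time.sleep(10))` with the default transport.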

