Sqlmap sqlmapapi.py Simple to use

Look

StamparmCommented on 2014

@riramar

There is currently none:). I ' ll just give you a quick intro.

At server side:

$ python sqlmapapi.py -s -H 0.0.0.0[19:42:00] [INFO] Running REST-JSON API server at ‘0.0.0.0:8775‘..[19:42:00] [INFO] Admin ID: cfdd0c84a8ebbccf40a97fe6eaaeac9d[19:42:00] [DEBUG] IPC database: /tmp/sqlmapipc-QUdQ7m[19:42:00] [DEBUG] REST-JSON API server connected to IPC database

At client side:

$ Curl http://127.0.0.1:8775/task/new{"TaskID": "4be40bb5e98a03c2", "Success": true}$ curl-h "Content-type:appli Cation/json "-X post-d ' {" url ":" Http://testphp.vulnweb.com/artists.php?artist=1 "} ' http://127.0.0.1:8775/scan/    4be40bb5e98a03c2/start{"Engineid": 3068, "success": true}$ Curl http://127.0.0.1:8775/scan/4be40bb5e98a03c2/data{        "Data": [], "Success": True, "error": []}$ Curl http://127.0.0.1:8775/scan/4be40bb5e98a03c2/log{"Log": [ {"Message": "Testing connection to the target URL", "Level": "INFO", "Time": "19: 44:23 "}, {" message ":" Testing if the target URL is stable.            This can take a couple of seconds "," Level ":" INFO "," Time ":" 19:44:24 "}, {            "Message": "Target URL is stable", "level": "INFO", "Time": "19:44:25"}, {  "Message": "Testing if GET parameter ' artist ' is dynamic",           "Level": "INFO", "Time": "19:44:25"}, {"Message": "Confirming that GET            Parameter ' Artist ' is dynamic ', ' Level ': ' INFO ', ' time ': ' 19:44:25 '}, {         "Message": "GET parameter ' artist ' is dynamic", "Level": "INFO", "Time": "19:44:26"},  {"Message": "Heuristic (basic) test shows that GET parameter ' artist ' might is injectable (possible DBMS:  ' MySQL '), "level": "INFO", "Time": "19:44:26"}, {"message": "Testing         For SQL injection on GET parameter ' artist ' "," Level ":" INFO "," Time ":" 19:44:26 "},             {"Message": "Testing ' and boolean-based blind-where or have clause '", "Level": "INFO", "Time": "19:44:26"}, {"Message": "GET parameter ' artist ' seems to be ' and boolean-base D Blind-where or HavinG clause ' injectable "," Level ":" INFO "," Time ":" 19:44:27 "}, {" Messag  E ":" Testing ' MySQL >= 5.0 and error-based-where or have clause ' "," Level ":" INFO "," Time ": "19:44:27"}, {"message": "Testing ' MySQL >= 5.1 and error-based-where or HAVING clause ( Extractvalue) ' "," Level ":" INFO "," Time ":" 19:44:27 "}, {" Message ":" Te Sting ' MySQL >= 5.1 and error-based-where or have clause (updatexml) ' "," Level ":" INFO "," t IME ":" 19:44:28 "}, {" message ":" Testing ' MySQL >= 4.1 and error-based-where or having CLA Use ' "," Level ":" INFO "," Time ":" 19:44:28 "}, {" message ":" Testing ' MyS        QL >= 5.0 or Error-based-where or having a clause ' "," Level ":" INFO "," Time ":" 19:44:28 "           },         { "Message": "Testing ' MySQL >= 5.1 or error-based-where or have clause (extractvalue) '", "Level": "INFO "," Time ":" 19:44:29 "}, {" message ":" Testing ' MySQL >= 5.1 OR error-based-whe            RE or has clause (updatexml) ' "," Level ":" INFO "," Time ":" 19:44:29 "}, {             "Message": "Testing ' MySQL >= 4.1 or error-based-where or have clause '", "Level": "INFO",              "Time": "19:44:29"}, {"message": "Testing ' MySQL or error-based-where or HAVING clause '", "Level": "INFO", "Time": "19:44:29"}, {"message": "Testing" MySQL            = 5.0 Error-based-parameter Replace ' "," Level ":" INFO "," Time ":" 19:44:30 "}, { "Message": "Testing ' MySQL >= 5.1 error-based-parameter replace (extractvalue) '", "Level": "In FO "," Time ": "19:44:30"}, {"message": "Testing ' MySQL >= 5.1 error-based-parameter replace (updatexml  ) ' "," Level ":" INFO "," Time ":" 19:44:30 "}, {" message ":" Testing "MySQL Inline queries ' "," Level ":" INFO "," Time ":" 19:44:30 "}, {" Message ":"         Testing ' MySQL > 5.0.11 stacked Queries ' "," Level ":" INFO "," Time ":" 19:44:31 "},             {"Message": "Testing ' MySQL < 5.0.12 stacked queries (heavy query) '", "Level": "INFO",             "Time": "19:44:31"}, {"message": "Testing ' MySQL > 5.0.11 and time-based blind '",  "Level": "INFO", "Time": "19:44:31"}, {"Message": "GET parameter ' artist ' Seems to is ' MySQL > 5.0.11 and time-based blind ' injectable ', ' Level ': ' INFO ', ' time ': ' 19:4         4:42 "},{"Message": "Testing" MySQL UNION query (NULL)-1 to $ Columns ' "," Level ":" INFO "," Time ":" 19:44:42 "}, {" Message ":" Automatically extending ranges for UNION query injection tech Nique tests as there is at least one other (potential) technique found "," Level ":" INFO "," Time ": "19:44:42"}, {"Message": "ORDER by technique seems to be usable. This should reduce the time needed to find the right number of the query columns.             Automatically extending the range for current UNION query injection technique test ', ' Level ': ' INFO ',             "Time": "19:44:42"}, {"message": "Target URL appears to has 3 columns in query", "Level": "INFO", "Time": "19:44:43"}, {"Message": "GET parameter ' artist ' is '            MySQL UNION Query (NULL)-1 to Columns ' injectable "," Level ":" INFO ", "Time": "19:44:44"}, {"Message": "The Back-end DBMS is MySQL", "Level": "INFO", "Time": "19:44:45"}], "Success": true}

Might be a better way to call Sqlmap, first of all.

Sqlmap sqlmapapi.py Simple to use