Hi,

Quick update on this.. the REST-JSON API is nearly complete. It will
soon be possible to launch, query and monitor sqlmap scans via HTTP
requests.
Although the API will be widely documented on the wiki, I thought
about sharing a sneak peek of how it currently works:

1) Start it on a terminal
$ python sqlmapapi.py -s
[17:21:15] [INFO] Running REST-JSON API server at '127.0.0.1:8775'..
[17:21:15] [INFO] Admin ID: af1d8cd4c607db5271202156c7175867
[17:21:15] [DEBUG] IPC database: /tmp/sqlmapipc-yxIjvv
[17:21:15] [DEBUG] REST-JSON API server connected to IPC database

2) Call the method to create a new task:
$ curl http://127.0.0.1:8775/task/new
{
    "taskid": "f5033fd4da442534"
}

3) Set the options (as you normally do when you call sqlmap from the
command line, e.g. --technique B -v 2 --banner) and start a scan for
the new task:
$ curl -H "Content-Type: application/json" -X POST \
    -d '{"url": "http://debindev/sqlmap/mysql/get_int.php?id=1", "tech": "B", "verbose": 2, "getBanner": "True"}' \
    http://127.0.0.1:8775/scan/f5033fd4da442534/start
{
    "engineid": 18300,
    "success": true
}

4) Retrieve the data and error messages:
$ curl http://127.0.0.1:8775/scan/f5033fd4da442534/data
{
    "data": [
        {
            "status": 1,
            "type": 1,
            "value": [
                {
                    "dbms": null,
                    "suffix": "",
                    "clause": [
                        1
                    ],
                    "ptype": 1,
                    "dbms_version": null,
                    "prefix": "",
                    "place": "GET",
                    "os": null,
                    "conf": {
                        "string": null,
                        "notString": null,
                        "titles": false,
                        "regexp": null,
                        "textOnly": false,
                        "optimize": false
                    },
                    "parameter": "id",
                    "data": {
                        "1": {
                            "comment": "",
                            "matchRatio": 0.463,
                            "title": "AND boolean-based blind - WHERE or HAVING clause",
                            "templatePayload": null,
                            "vector": "AND [INFERENCE]",
                            "where": 1,
                            "payload": "id=1 AND 3873=3873"
                        }
                    }
                }
            ]
        },
        {
            "status": 0,
            "type": 2,
            "value": "5.1.66-0+squee"
        }
    ],
    "error": []
}

As you can see, the banner has been retrieved partially - when the
dump finishes, the whole banner will be available.

Bernardo

On 13 December 2012 20:05, Bernardo Damele A. G.
<bernardo.dam...@gmail.com> wrote:
> Hi,
>
> Sooner or later all projects go web and with the over hyped web 2.0
> era and the high availability of eye-candy web development frameworks
> we have plans to follow the infosec tools herd starting by developing
> a RESTful API to interact with the sqlmap engine independently from
> the command line.
>
> As of a couple of days ago we do have an XML-RPC service[1] thanks to
> Miroslav, although we have decided internally after much bitching to
> replace it with a REST-JSON API[7] to let anyone script and interact
> with the sqlmap engine via HTTP.
> The idea is to put the API behind some kind of authentication and
> allow concurrent sessions by different "users" whereby sqlmap API can
> be run (e.g. python sqlmap --daemon or similar) on a predefined
> interface and TCP port and clients can query the API on such TCP port
> to mount attacks against a single target or multiple targets[5].
>
> Needless to say that we are at an early design phase hence this email.
> It is that time of the year again when the most prepare for holidays
> and celebrating Christmas with family (enjoy!) and the few Internauts
> addicted contribute towards the sqlmap project with ideas and code[2]
> so if you feel like:
>
> * You have experience with web development in Python or..
> * ..you have motivation and time enough to learn how to develop a
> RESTful API in Python and..
> * ..you are familiar or keen on learning Python web frameworks like
> Flask[3] and Bottle[4] and..
> * ..you have the guts to commit your time to discuss the design of
> this (or others) feature and contribute code[2] to one of the most
> acclaimed[6] and discussed (blamed sometimes) IT security tools out
> there..
>
> ..then do not hesitate to reply to this email either privately to us
> only (d...@sqlmap.org) or publicly hitting the "Reply" button in your
> favorite mail client.
>
> We look forward to reading from you. Yes, I am looking at you Python
> software developer with web skills!
>
> [1] https://github.com/sqlmapproject/sqlmap/issues/287
> [2] https://github.com/sqlmapproject/sqlmap/blob/master/CONTRIBUTING.md#submitting-code-changes
> [3] http://flask.pocoo.org
> [4] http://bottlepy.org
> [5] how cool is this
> [6] http://sectools.org/tool/sqlmap/
> [7] https://github.com/sqlmapproject/sqlmap/issues/297
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)



-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
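
An added example, not part of the original message or of the sqlmap code base: a small Python parser that turns the /scan/<taskid>/data response from step 4 into a findings summary for a test report. The type and status meanings (type 1 = injection points, type 2 = banner, status 0 = partial, status 1 = complete) are assumptions read off the sample output above, and `summarize` is a hypothetical helper name.

```python
import json

# Constructed sample: a trimmed copy of the /scan/<taskid>/data response in the message.
SAMPLE = r'''
{
  "data": [
    {"status": 1, "type": 1, "value": [
      {"place": "GET", "parameter": "id", "dbms": null,
       "data": {"1": {"title": "AND boolean-based blind - WHERE or HAVING clause",
                      "payload": "id=1 AND 3873=3873"}}}]},
    {"status": 0, "type": 2, "value": "5.1.66-0+squee"}
  ],
  "error": []
}
'''

# Assumptions inferred from the sample output, not taken from sqlmap documentation.
TYPE_INJECTION, TYPE_BANNER = 1, 2
STATUS_PARTIAL, STATUS_COMPLETE = 0, 1


def summarize(raw):
    """Return (findings, banner, banner_complete, errors) for one data response."""
    doc = json.loads(raw)
    if not isinstance(doc, dict) or not isinstance(doc.get("data"), list):
        raise ValueError("response has no 'data' list")
    findings, banner, banner_complete = [], None, False
    for item in doc["data"]:
        kind, status, value = item.get("type"), item.get("status"), item.get("value")
        if kind == TYPE_INJECTION and isinstance(value, list):
            for point in value:
                # Each injection point carries one entry per confirmed technique.
                for tech in (point.get("data") or {}).values():
                    findings.append({
                        "place": point.get("place"),
                        "parameter": point.get("parameter"),
                        "title": tech.get("title"),
                        "payload": tech.get("payload"),
                        "complete": status == STATUS_COMPLETE,
                    })
        elif kind == TYPE_BANNER and isinstance(value, str) and not banner_complete:
            # Once a complete banner is seen, later partial values do not replace it.
            banner, banner_complete = value, status == STATUS_COMPLETE
    return findings, banner, banner_complete, list(doc.get("error") or [])


if __name__ == "__main__":
    found, ban, done, errs = summarize(SAMPLE)
    for f in found:
        print(f"{f['place']} parameter {f['parameter']!r}: {f['title']}")
    print(f"banner: {ban!r} ({'complete' if done else 'partial, poll again'})")
```
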
