Beispiel #1
0
def scan_start(taskid):
    """
    Launch a scan
    """
    global tasks

    if taskid not in tasks:
        abort(500, "Invalid task ID")

    # Initialize sqlmap engine's options with user's provided options
    # within the JSON request
    for key, value in request.json.items():
        tasks[taskid][key] = value

    # Overwrite output directory (oDir) value to a temporary directory
    tasks[taskid].oDir = tempfile.mkdtemp(prefix="sqlmap-")

    init(tasks[taskid], True)

    # Launch sqlmap engine in a separate thread
    thread = threading.Thread(target=start)
    thread.daemon = True
    thread.start()

    return jsonize({"success": True})
Beispiel #2
0
def scan_start(taskid):
    """
    Launch a scan
    """
    global tasks

    if taskid not in tasks:
        abort(500, "Invalid task ID")

    # Initialize sqlmap engine's options with user's provided options
    # within the JSON request
    for key, value in request.json.items():
        tasks[taskid][key] = value

    # Overwrite output directory (oDir) value to a temporary directory
    tasks[taskid].oDir = tempfile.mkdtemp(prefix="sqlmap-")

    init(tasks[taskid], True)

    # Launch sqlmap engine in a separate thread
    thread = threading.Thread(target=start)
    thread.daemon = True
    thread.start()

    return jsonize({"success": True})
Beispiel #3
0
def scan_start(taskid):
    """
    Launch a scan
    """
    global tasks

    if taskid not in tasks:
        abort(500, "Invalid task ID")

    # Initialize sqlmap engine's options with user's provided options
    # within the JSON request
    for key, value in request.json.items():
        tasks[taskid][key] = value

    # Overwrite output directory (oDir) value to a temporary directory
    tasks[taskid].oDir = tempfile.mkdtemp(prefix="sqlmap-")

    # Launch sqlmap engine in a separate thread
    logger.debug("starting a scan for task ID %s" % taskid)

    if _multiprocessing:
        #_multiprocessing.log_to_stderr(logging.DEBUG)
        p = _multiprocessing.Process(name=taskid, target=start_scan)
        p.daemon = True
        p.start()
        p.join()

    return jsonize({"success": True})
Beispiel #4
0
def option_list(taskid):
    """
    List options for a certain task ID
    """
    if taskid not in tasks:
        abort(500, "Invalid task ID")

    return jsonize(tasks[taskid])
Beispiel #5
0
def option_list(taskid):
    """
    List options for a certain task ID
    """
    if taskid not in tasks:
        abort(500, "Invalid task ID")

    return jsonize(tasks[taskid])
Beispiel #6
0
def task_list(taskid):
    """
    List all active tasks
    """
    if is_admin(taskid):
        return jsonize({"tasks": tasks})
    else:
        abort(401)
Beispiel #7
0
def task_list(taskid):
    """
    List all active tasks
    """
    if is_admin(taskid):
        return jsonize({"tasks": tasks})
    else:
        abort(401)
Beispiel #8
0
def task_destroy(taskid):
    """
    Destroy own task ID
    """
    if taskid in tasks and not is_admin(taskid):
        tasks.pop(taskid)
        return jsonize({"success": True})
    else:
        abort(500, "Invalid task ID")
Beispiel #9
0
def task_destroy(taskid):
    """
    Destroy own task ID
    """
    if taskid in tasks and not is_admin(taskid):
        tasks.pop(taskid)
        return jsonize({"success": True})
    else:
        abort(500, "Invalid task ID")
Beispiel #10
0
def status(taskid):
    """
    Verify the status of the API as well as the core
    """

    if is_admin(taskid):
        busy = kb.get("busyFlag")
        tasks_num = len(tasks)
        return jsonize({"busy": busy, "tasks": tasks_num})
    else:
        abort(401)
Beispiel #11
0
def status(taskid):
    """
    Verify the status of the API as well as the core
    """

    if is_admin(taskid):
        busy = kb.get("busyFlag")
        tasks_num = len(tasks)
        return jsonize({"busy": busy, "tasks": tasks_num})
    else:
        abort(401)
Beispiel #12
0
def scan_log(taskid):
    """
    Retrieve the log messages
    """
    if taskid not in tasks:
        abort(500, "Invalid task ID")

    LOGGER_OUTPUT.seek(0)
    output = LOGGER_OUTPUT.read()
    LOGGER_OUTPUT.flush()
    LOGGER_OUTPUT.truncate(0)

    return jsonize({"log": output})
Beispiel #13
0
def scan_delete(taskid):
    """
    Delete a scan and corresponding temporary output directory
    """
    global tasks

    if taskid not in tasks:
        abort(500, "Invalid task ID")

    if "oDir" in tasks[taskid] and tasks[taskid].oDir is not None:
        shutil.rmtree(tasks[taskid].oDir)

    return jsonize({"success": True})
Beispiel #14
0
def option_set(taskid):
    """
    Set an option (command line switch) for a certain task ID
    """
    global tasks

    if taskid not in tasks:
        abort(500, "Invalid task ID")

    for key, value in request.json.items():
        tasks[taskid][key] = value

    return jsonize({"success": True})
Beispiel #15
0
def option_get(taskid):
    """
    Get the value of an option (command line switch) for a certain task ID
    """
    if taskid not in tasks:
        abort(500, "Invalid task ID")

    option = request.json.get("option", "")

    if option in tasks[taskid]:
        return jsonize({option: tasks[taskid][option]})
    else:
        return jsonize({option: None})
Beispiel #16
0
def scan_delete(taskid):
    """
    Delete a scan and corresponding temporary output directory
    """
    global tasks

    if taskid not in tasks:
        abort(500, "Invalid task ID")

    if "oDir" in tasks[taskid] and tasks[taskid].oDir is not None:
        shutil.rmtree(tasks[taskid].oDir)

    return jsonize({"success": True})
Beispiel #17
0
def option_set(taskid):
    """
    Set an option (command line switch) for a certain task ID
    """
    global tasks

    if taskid not in tasks:
        abort(500, "Invalid task ID")

    for key, value in request.json.items():
        tasks[taskid][key] = value

    return jsonize({"success": True})
Beispiel #18
0
def scan_log(taskid):
    """
    Read the informational log messages
    """
    if taskid not in tasks:
        abort(500, "Invalid task ID")

    LOGGER_OUTPUT.seek(0)
    output = LOGGER_OUTPUT.read()
    LOGGER_OUTPUT.flush()
    LOGGER_OUTPUT.truncate(0)

    return jsonize({"log": output})
Beispiel #19
0
def option_get(taskid):
    """
    Get the value of an option (command line switch) for a certain task ID
    """
    if taskid not in tasks:
        abort(500, "Invalid task ID")

    option = request.json.get("option", "")

    if option in tasks[taskid]:
        return jsonize({option: tasks[taskid][option]})
    else:
        return jsonize({option: None})
Beispiel #20
0
def scan_output(taskid):
    """
    Read the standard output of sqlmap core execution
    """
    global tasks

    if taskid not in tasks:
        abort(500, "Invalid task ID")

    sys.stdout.seek(0)
    output = sys.stdout.read()
    sys.stdout.flush()
    sys.stdout.truncate(0)

    return jsonize({"output": output})
Beispiel #21
0
def task_flush(taskid):
    """
    Flush task spool (destroy all tasks except admin)
    """
    global adminid
    global tasks

    if is_admin(taskid):
        admin_task = tasks[adminid]
        tasks = AttribDict()
        tasks[adminid] = admin_task

        return jsonize({"success": True})
    else:
        abort(401)
Beispiel #22
0
def scan_output(taskid):
    """
    Read the standard output of sqlmap core execution
    """
    global tasks

    if taskid not in tasks:
        abort(500, "Invalid task ID")

    sys.stdout.seek(0)
    output = sys.stdout.read()
    sys.stdout.flush()
    sys.stdout.truncate(0)

    return jsonize({"output": output})
Beispiel #23
0
def task_flush(taskid):
    """
    Flush task spool (destroy all tasks except admin)
    """
    global adminid
    global tasks

    if is_admin(taskid):
        admin_task = tasks[adminid]
        tasks = AttribDict()
        tasks[adminid] = admin_task

        return jsonize({"success": True})
    else:
        abort(401)
Beispiel #24
0
def cleanup(taskid):
    """
    Destroy all sessions except admin ID and all output directories
    """
    global tasks

    if is_admin(taskid):
        for task, options in tasks.items():
            if "oDir" in options and options.oDir is not None:
                shutil.rmtree(options.oDir)

        admin_task = tasks[adminid]
        tasks = AttribDict()
        tasks[adminid] = admin_task

        return jsonize({"success": True})
    else:
        abort(401)
Beispiel #25
0
def cleanup(taskid):
    """
    Destroy all sessions except admin ID and all output directories
    """
    global tasks

    if is_admin(taskid):
        for task, options in tasks.items():
            if "oDir" in options and options.oDir is not None:
                shutil.rmtree(options.oDir)

        admin_task = tasks[adminid]
        tasks = AttribDict()
        tasks[adminid] = admin_task

        return jsonize({"success": True})
    else:
        abort(401)
Beispiel #26
0
def download(taskid, target, filename):
    """
    Download a certain file from the file system
    """
    if taskid not in tasks:
        abort(500, "Invalid task ID")

    # Prevent file path traversal - the lame way
    if target.startswith("."):
        abort(500)

    path = os.path.join(paths.SQLMAP_OUTPUT_PATH, target)
    if os.path.exists(path):
        return static_file(filename, root=path)
    else:
        abort(500)
Beispiel #27
0
def download(taskid, target, filename):
    """
    Download a certain file from the file system
    """
    if taskid not in tasks:
        abort(500, "Invalid task ID")

    # Prevent file path traversal - the lame way
    if target.startswith("."):
        abort(500)

    path = os.path.join(paths.SQLMAP_OUTPUT_PATH, target)
    if os.path.exists(path):
        return static_file(filename, root=path)
    else:
        abort(500)