Exemplo n.º 1
def scan_data(taskid):
    Retrieve the data of a scan
    json_data_message = list()
    json_errors_message = list()

    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to scan_data()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    # Read all data from the IPC database for the taskid
    for status, content_type, value in DataStore.current_db.execute(
            "SELECT status, content_type, value FROM data WHERE taskid = ? ORDER BY id ASC",
            {"status": status, "type": content_type, "value": dejsonize(value)})

    # Read all error messages from the IPC database
    for error in DataStore.current_db.execute(
            "SELECT error FROM errors WHERE taskid = ? ORDER BY id ASC",

    logger.debug("[%s] Retrieved scan data and error messages" % taskid)
    return jsonize({"success": True, "data": json_data_message, "error": json_errors_message})
Exemplo n.º 2
    def write(self, value, status=CONTENT_STATUS.IN_PROGRESS, content_type=None):
        if self.messagetype == "stdout":
            if content_type is None:
                content_type = 99

            output = conf.database_cursor.execute("SELECT id, value FROM data WHERE taskid = ? AND status = ? AND content_type = ? LIMIT 0,1",
                                                  (self.taskid, status, content_type))

            if status == CONTENT_STATUS.IN_PROGRESS:
                # Ignore all non-relevant messages
                if kb.partRun is None:

                if len(output) == 0:
                    conf.database_cursor.execute("INSERT INTO data VALUES(NULL, ?, ?, ?, ?)",
                                                 (self.taskid, status, content_type, jsonize(value)))
                    new_value = "%s%s" % (dejsonize(output[0][1]), value)
                    conf.database_cursor.execute("UPDATE data SET value = ? WHERE id = ?",
                                                 (jsonize(new_value), output[0][0]))
                if len(output) > 0:
                    conf.database_cursor.execute("DELETE FROM data WHERE taskid = ? AND status = %s AND content_type = ?" % CONTENT_STATUS.IN_PROGRESS,
                                                 (self.taskid, content_type))

                conf.database_cursor.execute("INSERT INTO data VALUES(NULL, ?, ?, ?, ?)",
                                             (self.taskid, status, content_type, jsonize(value)))
            conf.database_cursor.execute("INSERT INTO errors VALUES(NULL, ?, ?)",
                                         (self.taskid, str(value) if value else ""))
Exemplo n.º 3
    def write(self, value, status=CONTENT_STATUS.IN_PROGRESS, content_type=None):
        if self.messagetype == "stdout":
            if content_type is None:
                if kb.partRun is not None:
                    content_type = PART_RUN_CONTENT_TYPES.get(kb.partRun)
                    # Ignore all non-relevant messages

            output = conf.database_cursor.execute("SELECT id, status, value FROM data WHERE taskid = ? AND content_type = ?",
                                                  (self.taskid, content_type))

            #print >>sys.__stdout__, "output: %s\nvalue: %s\nstatus: %d\ncontent_type: %d\nkb.partRun: %s\n--------------" % (output, value, status, content_type, kb.partRun)

            # Delete partial output from IPC database if we have got a complete output
            if status == CONTENT_STATUS.COMPLETE:
                if len(output) > 0:
                    for index in xrange(0, len(output)):
                        conf.database_cursor.execute("DELETE FROM data WHERE id = ?", (output[index][0],))

                conf.database_cursor.execute("INSERT INTO data VALUES(NULL, ?, ?, ?, ?)", (self.taskid, status, content_type, jsonize(value)))
                if kb.partRun:
                    kb.partRun = None

            elif status == CONTENT_STATUS.IN_PROGRESS:
                if len(output) == 0:
                    conf.database_cursor.execute("INSERT INTO data VALUES(NULL, ?, ?, ?, ?)",
                                                 (self.taskid, status, content_type, jsonize(value)))
                    new_value = "%s%s" % (dejsonize(output[0][2]), value)
                    conf.database_cursor.execute("UPDATE data SET value = ? WHERE id = ?",
                                                 (jsonize(new_value), output[0][0]))
            conf.database_cursor.execute("INSERT INTO errors VALUES(NULL, ?, ?)",
                                         (self.taskid, str(value) if value else ""))
Exemplo n.º 4
def scan_log_limited(taskid, start, end):
    Retrieve a subset of log messages
    json_log_messages = list()

    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to scan_log_limited()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    if not start.isdigit() or not end.isdigit() or end < start:
        logger.warning("[%s] Invalid start or end value provided to scan_log_limited()" % taskid)
        return jsonize({"success": False, "message": "Invalid start or end value, must be digits"})

    start = max(1, int(start))
    end = max(1, int(end))

    # Read a subset of log messages from the IPC database
    for time_, level, message in DataStore.current_db.execute(
            ("SELECT time, level, message FROM logs WHERE "
             "taskid = ? AND id >= ? AND id <= ? ORDER BY id ASC"),
            (taskid, start, end)):
        json_log_messages.append({"time": time_, "level": level, "message": message})

    logger.debug("[%s] Retrieved scan log messages subset" % taskid)
    return jsonize({"success": True, "log": json_log_messages})
Exemplo n.º 5
def option_list(taskid):
    List options for a certain task ID
    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to option_list()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    logger.debug("[%s] Listed task options" % taskid)
    return jsonize({"success": True, "options": DataStore.tasks[taskid].get_options()})
Exemplo n.º 6
def task_list(taskid):
    List task pull
    if is_admin(taskid):
        logger.debug("[%s] Listed task pool" % taskid)
        tasks = list(DataStore.tasks)
        return jsonize({"success": True, "tasks": tasks, "tasks_num": len(tasks)})
        logger.warning("[%s] Unauthorized call to task_list()" % taskid)
        return jsonize({"success": False, "message": "Unauthorized"})
Exemplo n.º 7
def task_flush(taskid):
    Flush task spool (delete all tasks)
    if is_admin(taskid):
        DataStore.tasks = dict()
        logger.debug("[%s] Flushed task pool" % taskid)
        return jsonize({"success": True})
        logger.warning("[%s] Unauthorized call to task_flush()" % taskid)
        return jsonize({"success": False, "message": "Unauthorized"})
Exemplo n.º 8
def task_delete(taskid):
    Delete own task ID
    if taskid in DataStore.tasks:

        logger.debug("[%s] Deleted task" % taskid)
        return jsonize({"success": True})
        logger.warning("[%s] Invalid task ID provided to task_delete()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})
Exemplo n.º 9
def scan_kill(taskid):
    Kill a scan
    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to scan_kill()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})


    logger.debug("[%s] Killed scan" % taskid)
    return jsonize({"success": True})
Exemplo n.º 10
def option_set(taskid):
    Set an option (command line switch) for a certain task ID
    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to option_set()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    for option, value in request.json.items():
        DataStore.tasks[taskid].set_option(option, value)

    logger.debug("[%s] Requested to set options" % taskid)
    return jsonize({"success": True})
Exemplo n.º 11
def option_get(taskid):
    Get the value of an option (command line switch) for a certain task ID
    if taskid not in tasks:
        abort(500, "Invalid task ID")

    option = request.json.get("option", "")

    if option in tasks[taskid]:
        return jsonize({option: tasks[taskid].get_option(option)})
        return jsonize({option: None})
Exemplo n.º 12
def task_delete(taskid):
    Delete an existing task
    if taskid in DataStore.tasks:

        logger.debug("(%s) Deleted task" % taskid)
        return jsonize({"success": True})
        response.status = 404
        logger.warning("[%s] Non-existing task ID provided to task_delete()" % taskid)
        return jsonize({"success": False, "message": "Non-existing task ID"})
Exemplo n.º 13
def scan_kill(taskid):
    Kill a scan

    if (taskid not in DataStore.tasks or DataStore.tasks[taskid].engine_process() is None or DataStore.tasks[taskid].engine_has_terminated()):
        logger.warning("[%s] Invalid task ID provided to scan_kill()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})


    logger.debug("(%s) Killed scan" % taskid)
    return jsonize({"success": True})
Exemplo n.º 14
def scan_status(taskid):
    Returns status of a scan
    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to scan_status()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    if DataStore.tasks[taskid].engine_process() is None:
        status = "not running"
        status = "terminated" if DataStore.tasks[taskid].engine_has_terminated() is True else "running"

    logger.debug("[%s] Retrieved scan status" % taskid)
    return jsonize({"success": True, "status": status, "returncode": DataStore.tasks[taskid].engine_get_returncode()})
Exemplo n.º 15
def option_get(taskid):
    Get the value of an option (command line switch) for a certain task ID
    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to option_get()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    option = request.json.get("option", "")

    if option in DataStore.tasks[taskid].options:
        logger.debug("[%s] Retrieved value for option %s" % (taskid, option))
        return jsonize({"success": True, option: DataStore.tasks[taskid].get_option(option)})
        logger.debug("[%s] Requested value for unknown option %s" % (taskid, option))
        return jsonize({"success": False, "message": "Unknown option", option: "not set"})
Exemplo n.º 16
def scan_log(taskid):
    Retrieve the log messages
    json_log_messages = list()

    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to scan_log()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    # Read all log messages from the IPC database
    for time_, level, message in DataStore.current_db.execute("SELECT time, level, message FROM logs WHERE taskid = ? ORDER BY id ASC", (taskid,)):
        json_log_messages.append({"time": time_, "level": level, "message": message})

    logger.debug("[%s] Retrieved scan log messages" % taskid)
    return jsonize({"success": True, "log": json_log_messages})
Exemplo n.º 17
def scan_log_limited(taskid, start, end):
    Retrieve a subset of log messages
    global procs

    json_log_messages = {}

    if taskid not in tasks:
        abort(500, "Invalid task ID")

    # Temporary "protection" against SQL injection FTW ;)
    if not start.isdigit() or not end.isdigit() or end <= start:
        abort(500, "Invalid start or end value, must be digits")

    start = max(1, int(start))
    end = max(1, int(end))

    # Read a subset of log messages from the temporary I/O database
    procs[taskid].ipc_database_cursor.execute("SELECT id, time, level, message FROM logs WHERE id >= %d AND id <= %d" % (start, end))
    db_log_messages = procs[taskid].ipc_database_cursor.fetchall()

    for (id_, time_, level, message) in db_log_messages:
        json_log_messages[id_] = {"time": time_, "level": level, "message": message}

    return jsonize({"log": json_log_messages})
Exemplo n.º 18
def scan_output(taskid):
    Read the standard output of sqlmap core execution
    global procs
    global tasks

    json_stdout_message = []
    json_stderr_message = []

    if taskid not in tasks:
        abort(500, "Invalid task ID")

    # Read all stdout messages from the temporary I/O database
    procs[taskid].ipc_database_cursor.execute("SELECT message FROM stdout")
    db_stdout_messages = procs[taskid].ipc_database_cursor.fetchall()

    for message in db_stdout_messages:

    # Read all stderr messages from the temporary I/O database
    procs[taskid].ipc_database_cursor.execute("SELECT message FROM stderr")
    db_stderr_messages = procs[taskid].ipc_database_cursor.fetchall()

    for message in db_stderr_messages:

    return jsonize({"stdout": json_stdout_message, "stderr": json_stderr_message})
Exemplo n.º 19
def task_new():
    Create new task ID
    global procs
    global tasks

    taskid = hexencode(os.urandom(16))
    tasks[taskid] = init_options()
    procs[taskid] = AttribDict()

    _, ipc_database_filepath = tempfile.mkstemp(prefix="sqlmapipc-", text=False)

    # Initiate the temporary database for asynchronous I/O with the
    # sqlmap engine
    procs[taskid].ipc_database_connection = sqlite3.connect(ipc_database_filepath, timeout=1, isolation_level=None)
    procs[taskid].ipc_database_cursor = procs[taskid].ipc_database_connection.cursor()
    procs[taskid].ipc_database_cursor.execute("CREATE TABLE logs(id INTEGER PRIMARY KEY AUTOINCREMENT, time TEXT, level TEXT, message TEXT)")
    procs[taskid].ipc_database_cursor.execute("CREATE TABLE stdout(id INTEGER PRIMARY KEY AUTOINCREMENT, time TEXT, message TEXT)")
    procs[taskid].ipc_database_cursor.execute("CREATE TABLE stderr(id INTEGER PRIMARY KEY AUTOINCREMENT, time TEXT, message TEXT)")

    # Set the temporary database to use for asynchronous I/O communication
    tasks[taskid].ipc_database = ipc_database_filepath

    return jsonize({"taskid": taskid})
Exemplo n.º 20
Arquivo: api.py Projeto: charl1/sqlmap
def scan_start(taskid):
    Launch a scan
    global tasks
    global procs
    global pipes

    if taskid not in tasks:
        abort(500, "Invalid task ID")

    # Initialize sqlmap engine's options with user's provided options
    # within the JSON request
    for key, value in request.json.items():
        tasks[taskid][key] = value

    # Overwrite output directory (oDir) value to a temporary directory
    tasks[taskid].oDir = tempfile.mkdtemp(prefix="sqlmap-")

    # Launch sqlmap engine in a separate thread
    logger.debug("starting a scan for task ID %s" % taskid)

    pipes[taskid] = os.pipe()

    # Provide sqlmap engine with the writable pipe for logging
    tasks[taskid]["fdLog"] = pipes[taskid][1]

    # Launch sqlmap engine
    procs[taskid] = execute("python sqlmap.py --pickled-options %s" % base64pickle(tasks[taskid]), shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE, close_fds=False)

    return jsonize({"success": True})
Exemplo n.º 21
def option_list(taskid):
    List options for a certain task ID
    if taskid not in tasks:
        abort(500, "Invalid task ID")

    return jsonize({"options": tasks[taskid].get_options()})
Exemplo n.º 22
def scan_log(taskid):
    Retrieve the log messages

    json_log_messages = list()

    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to scan_log()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    # Read all log messages from the IPC database
    for time_, level, message in DataStore.current_db.execute("SELECT time, level, message FROM logs WHERE taskid = ? ORDER BY id ASC", (taskid,)):
        json_log_messages.append({"time": time_, "level": level, "message": message})

    logger.debug("(%s) Retrieved scan log messages" % taskid)
    return jsonize({"success": True, "log": json_log_messages})
Exemplo n.º 23
def scan_start(taskid):
    Launch a scan
    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to scan_start()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    # Initialize sqlmap engine's options with user's provided options, if any
    for option, value in request.json.items():
        DataStore.tasks[taskid].set_option(option, value)

    # Launch sqlmap engine in a separate process

    logger.debug("[%s] Started scan" % taskid)
    return jsonize({"success": True, "engineid": DataStore.tasks[taskid].engine_get_id()})
Exemplo n.º 24
    def write(self,
        if self.messagetype == "stdout":
            if content_type is None:
                if kb.partRun is not None:
                    content_type = PART_RUN_CONTENT_TYPES.get(kb.partRun)
                    # Ignore all non-relevant messages

            output = conf.database_cursor.execute(
                "SELECT id, status, value FROM data WHERE taskid = ? AND content_type = ?",
                (self.taskid, content_type))

            #print >>sys.__stdout__, "output: %s\nvalue: %s\nstatus: %d\ncontent_type: %d\nkb.partRun: %s\n--------------" % (output, value, status, content_type, kb.partRun)

            # Delete partial output from IPC database if we have got a complete output
            if status == CONTENT_STATUS.COMPLETE:
                if len(output) > 0:
                    for index in xrange(0, len(output)):
                            "DELETE FROM data WHERE id = ?",
                            (output[index][0], ))

                    "INSERT INTO data VALUES(NULL, ?, ?, ?, ?)",
                    (self.taskid, status, content_type, jsonize(value)))
                if kb.partRun:
                    kb.partRun = None

            elif status == CONTENT_STATUS.IN_PROGRESS:
                if len(output) == 0:
                        "INSERT INTO data VALUES(NULL, ?, ?, ?, ?)",
                        (self.taskid, status, content_type, jsonize(value)))
                    new_value = "%s%s" % (dejsonize(output[0][2]), value)
                        "UPDATE data SET value = ? WHERE id = ?",
                        (jsonize(new_value), output[0][0]))
                "INSERT INTO errors VALUES(NULL, ?, ?)",
                (self.taskid, str(value) if value else ""))
def task_list(taskid):
    List all active tasks
    if is_admin(taskid):
        return jsonize({"tasks": tasks})
Exemplo n.º 26
def option_list(taskid):
    List options for a certain task ID
    if taskid not in tasks:
        abort(500, "Invalid task ID")

    return jsonize(tasks[taskid].get_options())
Exemplo n.º 27
def version(token=None):
    Fetch server version

    logger.debug("Fetched version (%s)" %
                 ("admin" if is_admin(token) else request.remote_addr))
    return jsonize({"success": True, "version": VERSION_STRING.split('/')[-1]})
Exemplo n.º 28
def scan_start(taskid):
    Launch a scan
    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to scan_start()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    # Initialize sqlmap engine's options with user's provided options, if any
    for option, value in request.json.items():
        DataStore.tasks[taskid].set_option(option, value)

    # Launch sqlmap engine in a separate process

    logger.debug("[%s] Started scan" % taskid)
    return jsonize({"success": True, "engineid": DataStore.tasks[taskid].engine_get_id()})
Exemplo n.º 29
def task_list(taskid):
    List all active tasks
    if is_admin(taskid):
        return jsonize({"tasks": tasks})
Exemplo n.º 30
def task_list(taskid):
    List task pull
    if is_admin(taskid):
        logger.debug("Listed task pull")
        return jsonize({"tasks": tasks, "tasks_num": len(tasks)})
def task_destroy(taskid):
    Destroy own task ID
    if taskid in tasks and not is_admin(taskid):
        return jsonize({"success": True})
        abort(500, "Invalid task ID")
Exemplo n.º 32
def option_set(taskid):
    Set value of option(s) for a certain task ID

    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to option_set()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    if request.json is None:
        logger.warning("[%s] Invalid JSON options provided to option_set()" % taskid)
        return jsonize({"success": False, "message": "Invalid JSON options"})

    for option, value in request.json.items():
        DataStore.tasks[taskid].set_option(option, value)

    logger.debug("(%s) Requested to set options" % taskid)
    return jsonize({"success": True})
Exemplo n.º 33
def task_new():
    Create new task ID
    taskid = hexencode(os.urandom(8))
    DataStore.tasks[taskid] = Task(taskid)

    logger.debug("Created new task: '%s'" % taskid)
    return jsonize({"success": True, "taskid": taskid})
Exemplo n.º 34
def option_set(taskid):
    Set value of option(s) for a certain task ID

    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to option_set()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    if request.json is None:
        logger.warning("[%s] Invalid JSON options provided to option_set()" % taskid)
        return jsonize({"success": False, "message": "Invalid JSON options"})

    for option, value in request.json.items():
        DataStore.tasks[taskid].set_option(option, value)

    logger.debug("(%s) Requested to set options" % taskid)
    return jsonize({"success": True})
Exemplo n.º 35
def task_destroy(taskid):
    Destroy own task ID
    if taskid in tasks and not is_admin(taskid):
        return jsonize({"success": True})
        abort(500, "Invalid task ID")
Exemplo n.º 36
 def write(self, value, status=None, content_type=None):
     if self.messagetype == "stdout":
         #conf.database_cursor.execute("INSERT INTO data VALUES(NULL, ?, ?, ?, ?)",
         #                             (self.taskid, status, content_type, base64pickle(value)))
         conf.database_cursor.execute("INSERT INTO data VALUES(NULL, ?, ?, ?, ?)",
                                      (self.taskid, status, content_type, jsonize(value)))
         conf.database_cursor.execute("INSERT INTO errors VALUES(NULL, ?, ?)",
                                      (self.taskid, str(value) if value else ""))
Exemplo n.º 37
def task_list(taskid):
    List task pull
    if is_admin(taskid):
        logger.debug("Listed task pull")
        return jsonize({"tasks": tasks, "tasks_num": len(tasks)})
Exemplo n.º 38
    def write(self,
        if self.messagetype == "stdout":
            if content_type is None:
                if kb.partRun is not None:
                    content_type = PART_RUN_CONTENT_TYPES.get(kb.partRun)
                    # 忽略所有不相关的消息

            output = conf.databaseCursor.execute(
                "SELECT id, status, value FROM data WHERE taskid = ? AND content_type = ?",
                (self.taskid, content_type))

            # 如果得到完整的输出,则从IPC数据库中删除部分输出
            if status == CONTENT_STATUS.COMPLETE:
                if len(output) > 0:
                    for index in xrange(len(output)):
                            "DELETE FROM data WHERE id = ?",
                            (output[index][0], ))

                    "INSERT INTO data VALUES(NULL, ?, ?, ?, ?)",
                    (self.taskid, status, content_type, jsonize(value)))
                if kb.partRun:
                    kb.partRun = None

            elif status == CONTENT_STATUS.IN_PROGRESS:
                if len(output) == 0:
                        "INSERT INTO data VALUES(NULL, ?, ?, ?, ?)",
                        (self.taskid, status, content_type, jsonize(value)))
                    new_value = "%s%s" % (dejsonize(output[0][2]), value)
                        "UPDATE data SET value = ? WHERE id = ?",
                        (jsonize(new_value), output[0][0]))
                "INSERT INTO errors VALUES(NULL, ?, ?)",
                (self.taskid, str(value) if value else ""))
def status(taskid):
    Verify the status of the API as well as the core

    if is_admin(taskid):
        tasks_num = len(tasks)
        return jsonize({"tasks": tasks_num})
Exemplo n.º 40
def scan_kill(taskid):
    Kill a scan
    global tasks

    if taskid not in tasks:
        abort(500, "Invalid task ID")

    return jsonize({"success": tasks[taskid].engine_kill()})
Exemplo n.º 41
def status(taskid):
    Verify the status of the API as well as the core

    if is_admin(taskid):
        tasks_num = len(tasks)
        return jsonize({"tasks": tasks_num})
def task_new():
    Create new task ID
    global tasks

    taskid = hexencode(os.urandom(16))
    tasks[taskid] = init_options()

    return jsonize({"taskid": taskid})
Exemplo n.º 43
def scan_status(taskid):
    Returns status of a scan
    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to scan_status()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    if DataStore.tasks[taskid].engine_process() is None:
        status = "not running"
        status = "terminated" if DataStore.tasks[taskid].engine_has_terminated() is True else "running"

    logger.debug("[%s] Retrieved scan status" % taskid)
    return jsonize({
        "success": True,
        "status": status,
        "returncode": DataStore.tasks[taskid].engine_get_returncode()
Exemplo n.º 44
def task_new():
    Create a new task
    taskid = hexencode(os.urandom(8))
    remote_addr = request.remote_addr

    DataStore.tasks[taskid] = Task(taskid, remote_addr)

    logger.debug("Created new task: '%s'" % taskid)
    return jsonize({"success": True, "taskid": taskid})
Exemplo n.º 45
def scan_start(taskid):
    if taskid not in DataStore.tasks:
        logger.warning(u"[%s] 提供给scan_start()的任务ID无效" % taskid)
        return jsonize({"success": False, "message": u"任务ID无效"})

    # 使用用户提供的选项(如果有)初始化sqlmap引擎选项
    for option, value in request.json.items():
        DataStore.tasks[taskid].set_option(option, value)

    # 在单独的进程中启动sqlmap引擎

    logger.debug(u"[%s] 开始扫描" % taskid)
    return jsonize({
        "success": True,
        "engineid": DataStore.tasks[taskid].engine_get_id()
Exemplo n.º 46
def task_new():
    Create new task ID
    global tasks

    taskid = hexencode(os.urandom(8))
    tasks[taskid] = Task(taskid)

    logger.debug("Created new task ID: %s" % taskid)
    return jsonize({"taskid": taskid})
Exemplo n.º 47
def task_delete(taskid):
    Delete own task ID
    if taskid in tasks:

        logger.debug("Deleted task ID: %s" % taskid)
        return jsonize({"success": True})
        abort(500, "Invalid task ID")
Exemplo n.º 48
def option_get(taskid):
    Get value of option(s) for a certain task ID
    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to option_get()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    options = request.json or []
    results = {}

    for option in options:
        if option in DataStore.tasks[taskid].options:
            results[option] = DataStore.tasks[taskid].options[option]
            logger.debug("(%s) Requested value for unknown option '%s'" % (taskid, option))
            return jsonize({"success": False, "message": "Unknown option '%s'" % option})

    logger.debug("(%s) Retrieved values for option(s) '%s'" % (taskid, ",".join(options)))

    return jsonize({"success": True, "options": results})
Exemplo n.º 49
def task_list(token=None):
    Pull task list
    tasks = {}

    for key in DataStore.tasks:
        if is_admin(token) or DataStore.tasks[key].remote_addr == request.remote_addr:
            tasks[key] = dejsonize(scan_status(key))["status"]

    logger.debug("(%s) Listed task pool (%s)" % (token, "admin" if is_admin(token) else request.remote_addr))
    return jsonize({"success": True, "tasks": tasks, "tasks_num": len(tasks)})
Exemplo n.º 50
def task_flush(token=None):
    Flush task spool (delete all tasks)

    for key in list(DataStore.tasks):
        if is_admin(token) or DataStore.tasks[key].remote_addr == request.remote_addr:
            del DataStore.tasks[key]

    logger.debug("(%s) Flushed task pool (%s)" % (token, "admin" if is_admin(token) else request.remote_addr))
    return jsonize({"success": True})
Exemplo n.º 51
def scan_data(taskid):
    Retrieve the data of a scan

    json_data_message = list()
    json_errors_message = list()

    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to scan_data()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    # Read all data from the IPC database for the taskid
    for status, content_type, value in DataStore.current_db.execute("SELECT status, content_type, value FROM data WHERE taskid = ? ORDER BY id ASC", (taskid,)):
        json_data_message.append({"status": status, "type": content_type, "value": dejsonize(value)})

    # Read all error messages from the IPC database
    for error in DataStore.current_db.execute("SELECT error FROM errors WHERE taskid = ? ORDER BY id ASC", (taskid,)):

    logger.debug("(%s) Retrieved scan data and error messages" % taskid)
    return jsonize({"success": True, "data": json_data_message, "error": json_errors_message})
def scan_delete(taskid):
    Delete a scan and corresponding temporary output directory
    global tasks

    if taskid not in tasks:
        abort(500, "Invalid task ID")

    if "oDir" in tasks[taskid] and tasks[taskid].oDir is not None:

    return jsonize({"success": True})
Exemplo n.º 53
def scan_log(taskid):
    json_log_messages = list()

    if taskid not in DataStore.tasks:
        logger.warning(u"提供给scan_log()的任务ID[%s]无效" % taskid)
        return jsonize({"success": False, "message": "任务ID无效"})

    # Read all log messages from the IPC database
    for time_, level, message in DataStore.current_db.execute(
            "SELECT time, level, message FROM logs WHERE taskid = ? ORDER BY id ASC",
        (taskid, )):
            "time": time_,
            "level": level,
            "message": message

    logger.debug(u" 检索扫描[%s]的日志消息" % taskid)
    return jsonize({"success": True, "log": json_log_messages})
Exemplo n.º 54
Arquivo: api.py Projeto: zensec/sqlmap
def download(taskid, target, filename):
    Download a certain file from the file system
    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to download()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    path = os.path.abspath(os.path.join(paths.SQLMAP_OUTPUT_PATH, target, filename))
    # Prevent file path traversal
    if not path.startswith(paths.SQLMAP_OUTPUT_PATH):
        logger.warning("[%s] Forbidden path (%s)" % (taskid, target))
        return jsonize({"success": False, "message": "Forbidden path"})

    if os.path.isfile(path):
        logger.debug("[%s] Retrieved content of file %s" % (taskid, target))
        with open(path, 'rb') as inf:
            file_content = inf.read()
        return jsonize({"success": True, "file": file_content.encode("base64")})
        logger.warning("[%s] File does not exist %s" % (taskid, target))
        return jsonize({"success": False, "message": "File does not exist"})
Exemplo n.º 55
def option_set(taskid):
    Set an option (command line switch) for a certain task ID
    global tasks

    if taskid not in tasks:
        abort(500, "Invalid task ID")

    for option, value in request.json.items():
        tasks[taskid].set_option(option, value)

    return jsonize({"success": True})
Exemplo n.º 56
def scan_kill(taskid):
    Kill a scan
    global tasks

    if taskid not in tasks:
        abort(500, "Invalid task ID")


    logger.debug("Killed scan for task ID %s" % taskid)
    return jsonize({"success": True})
Exemplo n.º 57
def _client(url, options=None):
    logger.debug("Calling %s" % url)
        data = None
        if options is not None:
            data = jsonize(options)
        req = urllib2.Request(url, data, {"Content-Type": "application/json"})
        response = urllib2.urlopen(req)
        text = response.read()
        if options:
            logger.error("Failed to load and parse %s" % url)
    return text
Exemplo n.º 58
def option_get(taskid):
    if taskid not in DataStore.tasks:
        logger.warning(u"[%s] 提供给option_get()的任务ID无效" % taskid)
        return jsonize({"success": False, "message": u"任务ID无效"})

    option = request.json.get("option", "")

    if option in DataStore.tasks[taskid].options:
        logger.debug(u"[%s] 检索选项%s的值" % (taskid, option))
        return jsonize({
            "success": True,
            option: DataStore.tasks[taskid].get_option(option)
        logger.debug(u"[%s] 未知选项%s的请求值" % (taskid, option))
        return jsonize({
            "success": False,
            "message": "Unknown option",
            option: "not set"
Exemplo n.º 59
def scan_status(taskid):
    if taskid not in DataStore.tasks:
        logger.warning(u"[%s] 提供给scan_status()的任务ID无效" % taskid)
        return jsonize({"success": False, "message": u"任务ID无效"})

    if DataStore.tasks[taskid].engine_process() is None:
        status = "not running"
        status = "terminated" if DataStore.tasks[taskid].engine_has_terminated(
        ) is True else "running"

    logger.debug(u"[%s] 检索扫描状态" % taskid)
    return jsonize({