Sqlmap API Summary

However beautiful the spring breeze, it cannot compare to your smile; those who have never seen you would not understand.

I recently needed to write a batch tool that uses the sqlmap API, so here is a summary of the parts I use.

--help

> python sqlmapapi.py --help

Usage: sqlmapapi.py [options]

Options:
-h, --help show this help message and exit
-s, --server Run as a REST-JSON API server
-c, --client Run as a REST-JSON API client
-H HOST, --host=HOST Host of the REST-JSON API server (default "127.0.0.1")
-p PORT, --port=PORT Port of the the REST-JSON API server (default 8775)
--adapter=ADAPTER Server (bottle) adapter to use (default "wsgiref")
--username=USERNAME Basic authentication username (optional)
--password=PASSWORD Basic authentication password (optional)

Starting the sqlmapapi server

Pass the -s option to run sqlmapapi in server mode.

Optionally add -H and -p to choose the host and port (the defaults are 127.0.0.1 and 8775). The loopback default matters: anyone who can reach the port can create tasks and launch scans, and the admin (secret) token printed at startup unlocks the admin endpoints as well. If you have to bind to another interface, set --username and --password so clients must present HTTP Basic credentials, and keep the startup output (with the token) out of anything you share.

> python sqlmapapi.py -s

[13:48:59] [INFO] Running REST-JSON API server at '127.0.0.1:8775'..
[13:48:59] [INFO] Admin (secret) token: 772a261d52b21c2810713104ddfaf3f0
[13:48:59] [DEBUG] IPC database: '\Temp\sqlmapipc-33dj9q6p'
[13:48:59] [DEBUG] REST-JSON API server connected to IPC database
[13:48:59] [DEBUG] Using adapter 'wsgiref' to run bottle

REST API

# User methods
@get("/task/new") Create new task ID.
@get("/task/<taskid>/delete") Delete own task ID.

# Admin functions (here <taskid> is the admin secret token printed when the server starts, not a task ID)
@get("/admin/<taskid>/list") List task pool.
@get("/admin/<taskid>/flush") Flush task spool (delete all tasks).

# Core interaction functions
@get("/option/<taskid>/list") List options for a certain task ID
@post("/option/<taskid>/get") Get the value of an option (command line switch) for a certain task ID
@post("/option/<taskid>/set") Set an option (command line switch) for a certain task ID
@post("/scan/<taskid>/start") Launch a scan
@get("/scan/<taskid>/stop") Kill a scan
@get("/scan/<taskid>/status") Return status of a scan
@get("/scan/<taskid>/data") Retrieve the data of a scan
@get("/scan/<taskid>/log/<start>/<end>") Retrieve a subset of log messages
@get("/scan/<taskid>/log") Retrieve the log messages
@get("/download/<taskid>/<target>/<filename:path>") Download a certain file from the file system

Creating a new scan task

http://127.0.0.1:8775/task/new

>>> import json, requests
>>> requests.get(
url='http://127.0.0.1:8775/task/new').json()
{'success': True, 'taskid': 'c5d715b62bdc7089'}

taskid: the ID of the newly created task; every later call for this scan is made against it.

Configuring scan options

http://127.0.0.1:8775/option/{taskid}/set

This endpoint takes a POST with a JSON body. The keys are sqlmap option names (the internal names behind the command-line switches), not the switches themselves.

>>> requests.post(
url='http://127.0.0.1:8775/option/c5d715b62bdc7089/set',
data=json.dumps({'url': 'target_url', 'getDbs': True}),
headers={'Content-Type':'application/json'}).json()
{'success': True}

Commonly used option keys (the matching command-line switch in parentheses):

# Booleans
# "getDbs": True, # enumerate databases (--dbs)
# "getTables": True, # enumerate tables (--tables)
# "getColumns": True, # enumerate columns (--columns)
# "dumpTable": False, # dump table entries (--dump)
# "dumpAll": False, # dump every database (--dump-all)
# "smart": True, # run thorough tests only on positive heuristics (--smart)

# Strings
# "db": "Database", # database to enumerate (-D)
# "tbl": "Table name", # table to enumerate (-T)
# "col": "Column name", # column to enumerate (-C)

Listing every option of a task, with its current value:

http://127.0.0.1:8775/option/{taskid}/list

Starting the scan

http://127.0.0.1:8775/scan/{taskid}/start

Also a POST; once the options are set, an empty JSON object is enough.

>>> requests.post(
url='http://127.0.0.1:8775/scan/c5d715b62bdc7089/start',
data=json.dumps({}),
headers={'Content-Type':'application/json'}).json()
{'success': True, 'engineid': 226204}

engineid: the process ID of the sqlmap engine the server spawned for this task.

Checking scan status

http://127.0.0.1:8775/scan/{taskid}/status

# while running
>>> requests.get(
url='http://127.0.0.1:8775/scan/c5d715b62bdc7089/status').json()
{'success': True, 'status': 'running', 'returncode': None}


# after completion
>>> requests.get(
url='http://127.0.0.1:8775/scan/c5d715b62bdc7089/status').json()
{'success': True, 'status': 'terminated', 'returncode': 0}

status: not running, the task exists but no scan has been started yet

status: running, the scan is still in progress (poll again later)

status: terminated, the engine has exited; returncode 0 means sqlmap finished normally, anything else means it did not exit cleanly and the error list of /scan/{taskid}/data should be checked

Retrieving scan results

http://127.0.0.1:8775/scan/{taskid}/data

>>> requests.get(
url='http://127.0.0.1:8775/scan/c5d715b62bdc7089/data').json()
{'success': True, 'data': [], 'error': []}

If an injection was found, the details are in data: each entry is a dict with status, type and value, where type says what kind of result the entry carries (the target, the injection techniques found, enumerated databases, and so on). error holds sqlmap's error messages. An empty data list together with returncode 0, as above, means the scan ran to completion and found nothing. When you are done with a task, call /task/{taskid}/delete so the server can free it.
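The whole loop described above, from task/new through task/delete, as an added example in Python (it is not code from the original post or from sqlmap): a small client on the standard library, a polling function that stops and deletes the task on timeout or failure, and a constructed in-memory stand-in for the server so the flow runs offline. FakeSqlmapServer, SAMPLE_DATA, demo, the target URL, the numeric value of TECHNIQUES and the inner layout of the injection entry (place, parameter, data with a title per technique) are assumptions of this example; verify the last two against the sqlmap version you run.

```python
import base64
import json
import time
import urllib.request

# Added example, not code from the original post or from sqlmap itself. FakeSqlmapServer and
# SAMPLE_DATA are constructed; TECHNIQUES is the assumed "type" of injection-technique entries.
TECHNIQUES = 1


class SqlmapApiClient:
    def __init__(self, base_url="http://127.0.0.1:8775", username=None,
                 password=None, transport=None):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Content-Type": "application/json"}
        if username is not None:  # pairs with the server's --username/--password
            cred = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
            self.headers["Authorization"] = "Basic " + cred
        # transport(method, url, body_or_None, headers) -> decoded JSON reply
        self.transport = transport or self._http

    @staticmethod
    def _http(method, url, body, headers):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())

    def call(self, method, path, body=None):
        reply = self.transport(method, self.base_url + path, body, self.headers)
        if not reply.get("success"):  # every endpoint reports a success flag
            raise RuntimeError(f"{method} {path} failed: {reply}")
        return reply


def run_scan(client, options, poll_interval=1.0, timeout=3600):
    """task/new -> option/set -> scan/start -> poll scan/status -> scan/data -> task/delete."""
    taskid = client.call("GET", "/task/new")["taskid"]
    try:
        client.call("POST", f"/option/{taskid}/set", options)
        client.call("POST", f"/scan/{taskid}/start", {})
        deadline = time.monotonic() + timeout
        while (st := client.call("GET", f"/scan/{taskid}/status"))["status"] != "terminated":
            if time.monotonic() > deadline:
                client.call("GET", f"/scan/{taskid}/stop")
                raise TimeoutError(f"task {taskid} still {st['status']!r} after {timeout}s")
            time.sleep(poll_interval)
        reply = client.call("GET", f"/scan/{taskid}/data")
        if st["returncode"] != 0:  # engine did not exit cleanly: surface its error log
            raise RuntimeError(f"task {taskid} exited {st['returncode']}: {reply['error']}")
        return reply["data"], reply["error"]
    finally:
        client.call("GET", f"/task/{taskid}/delete")  # free the task even on failure


def injection_points(data):
    """Flatten injection-technique entries into (place, parameter, technique title)."""
    return [(inj["place"], inj["parameter"], tech["title"])
            for entry in data if entry.get("type") == TECHNIQUES
            for inj in entry["value"] for tech in inj["data"].values()]


class FakeSqlmapServer:
    """Constructed stand-in that answers like the replies shown above; it scans nothing."""
    def __init__(self, scan_data):
        self.scan_data, self.tasks = scan_data, {}

    def __call__(self, method, url, body, headers):
        parts = url.split("/", 3)[3].split("/")  # path after the host, e.g. scan/<id>/status
        if parts == ["task", "new"]:
            taskid = f"{len(self.tasks) + 1:016x}"
            self.tasks[taskid] = {"options": {}, "polls": 0}
            return {"success": True, "taskid": taskid}
        kind, taskid, action = parts[:3]
        if taskid not in self.tasks:
            return {"success": False, "message": "Invalid task ID"}
        task = self.tasks[taskid]
        if (kind, action) == ("option", "set"):
            task["options"].update(body)
        elif (kind, action) == ("scan", "start"):
            return {"success": True, "engineid": 226204}
        elif (kind, action) == ("scan", "status"):  # report "running" once, then "terminated"
            task["polls"] += 1
            done = task["polls"] > 1
            return {"success": True, "status": "terminated" if done else "running",
                    "returncode": 0 if done else None}
        elif (kind, action) == ("scan", "data"):
            return {"success": True, "data": self.scan_data, "error": []}
        elif (kind, action) == ("task", "delete"):
            del self.tasks[taskid]
        return {"success": True}


SAMPLE_DATA = [{"status": 1, "type": TECHNIQUES, "value": [{
    "place": "GET", "parameter": "id",
    "data": {"1": {"title": "AND boolean-based blind - WHERE or HAVING clause",
                   "payload": "id=1 AND 4321=4321"}}}]}]


def demo():
    client = SqlmapApiClient(transport=FakeSqlmapServer(SAMPLE_DATA))
    data, errors = run_scan(client, {"url": "http://target.example/item.php?id=1",
                                     "getDbs": True}, poll_interval=0)
    return injection_points(data), errors
```

Call demo() to walk the fake server; against a real sqlmapapi, build SqlmapApiClient() without the transport argument (and with username/password if the server was started with --username/--password) and pass run_scan the same option dict you would send to /option/{taskid}/set. The poll loop is the part worth copying: it treats any reply without success as an error, kills the engine if the deadline passes, and deletes the task in a finally block so a crashed batch job does not leave tasks piling up on the server.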