  • 79: Python development - sqlmapapi & Tamper & Pocsuite

    Topics covered in this lesson:
    • Requests-based crawling, a deeper look at sqlmap, a look at Pocsuite, secondary modification of framework code, and so on
    Goals of this lesson:
    • Learn to develop against and make use of the API interfaces of security tools; learn to extend good frameworks by writing plugins for them
    Case 1: writing a sqlmap Tamper module script to bypass filtering
     
    Case 2: calling the sqlmap API to automate SQL injection testing
    Application scenario: reconnaissance yields a large number of URLs; these are then fed to the sqlmapapi interface for batch SQL injection testing (SRC bug hunting)
    Development process for this project (batch URL injection testing through the sqlmapapi interface; the routes are the Bottle decorators in sqlmap's lib/utils/api.py, and `set` and `start` take a JSON body via POST, which is what the code below does):
    • 1. Create a new task and record its task ID: @get("/task/new")
    • 2. Set the scan options for that task ID: @post("/option/<taskid>/set")
    • 3. Start the scan for that task ID: @post("/scan/<taskid>/start")
    • 4. Read the scan status to decide whether it has finished: @get("/scan/<taskid>/status")
    • 5. Once it has finished, delete the task ID: @get("/task/<taskid>/delete")
    • 6. View the scan results: @get("/scan/<taskid>/data")
    # Author: Serena
    import requests, json


    # First, cd into the sqlmap directory and start the API server: python sqlmapapi.py -s
    # Output like the following means it started successfully:
    # F:\安全测试\0安全测试工具\sqlmap\sqlmap-package\sqlmapproject-sqlmap-1.2.2-18-g93859fd>python sqlmapapi.py -s
    # [14:40:28] [INFO] Running REST-JSON API server at '127.0.0.1:8775'..
    # [14:40:28] [INFO] Admin ID: b551026d61168d80124301f545c24096
    # [14:40:28] [DEBUG] IPC database: 'c:\users\admini~1\appdata\local\temp\sqlmapipc-kdq7ha'
    # [14:40:28] [DEBUG] REST-JSON API server connected to IPC database
    # [14:40:28] [DEBUG] Using adapter 'wsgiref' to run bottle

    # Create a new task and record its task ID
    task_new_url = 'http://127.0.0.1:8775/task/new'
    resp = requests.get(task_new_url)
    task_id = resp.json()['taskid']
    # print(task_id)

    # Set the task's options (what to scan)
    data = {
        "url": "http://127.0.0.1:8081/sqlilabs/Less-2/?id=1"
    }
    headers = {
        "Content-Type": "application/json"
    }
    task_set_url = "http://127.0.0.1:8775/option/" + task_id + "/set"
    task_set_resp = requests.post(task_set_url, data=json.dumps(data), headers=headers)
    # print(task_set_resp.json())

    # Start the scan for this task ID
    task_start_url = "http://127.0.0.1:8775/scan/" + task_id + "/start"
    task_start_resp = requests.post(task_start_url, data=json.dumps(data), headers=headers)
    # print(task_start_resp.json())


    # Get the scan status for this task ID
    task_status_url = "http://127.0.0.1:8775/scan/" + task_id + "/status"
    task_status_resp = requests.get(task_status_url)
    print(task_status_resp.json())
    sqlmapapi application (script)
    # Author: Serena
    import time
    import requests, json


    # First, cd into the sqlmap directory and start the API server: python sqlmapapi.py -s


    def sqlmapapi(url):

        data = {
            "url": url
        }
        headers = {
            "Content-Type": "application/json"
        }

        # Create a new task and record its task ID
        task_new_url = 'http://127.0.0.1:8775/task/new'
        resp = requests.get(task_new_url)
        # print(resp.json())

        # Check the JSON "success" flag rather than searching the body for the word:
        # a failure response {"success": false, ...} contains the word "success" too
        if resp.json().get('success'):
            task_id = resp.json()['taskid']
            print('sqlmapapi task create success!')
            # Set the task's options (what to scan)
            task_set_url = "http://127.0.0.1:8775/option/" + task_id + "/set"
            task_set_resp = requests.post(task_set_url, data=json.dumps(data), headers=headers)
            # print(task_set_resp.json())

            if task_set_resp.json().get('success'):
                print('sqlmapapi task set success!')
                # Start the scan for this task ID
                task_start_url = "http://127.0.0.1:8775/scan/" + task_id + "/start"
                task_start_resp = requests.post(task_start_url, data=json.dumps(data), headers=headers)
                # print(task_start_resp.json())
                if task_start_resp.json().get('success'):
                    print('sqlmapapi task start success!')
                    while True:
                        # Get the scan status for this task ID; the status field is
                        # "not running", "running" or "terminated", so compare it exactly
                        # (a substring test for "running" also matches "not running")
                        task_status_url = "http://127.0.0.1:8775/scan/" + task_id + "/status"
                        task_status_resp = requests.get(task_status_url)
                        # print(task_status_resp.json())
                        if task_status_resp.json().get('status') != 'terminated':
                            print('sqlmapapi task scan running!-->' + url)
                        else:
                            # print('sqlmapapi task scan end!')
                            # View the scan results
                            task_data_url = "http://127.0.0.1:8775/scan/" + task_id + "/data"
                            task_data_resp = requests.get(task_data_url).content.decode('utf-8')
                            print(task_data_resp)
                            with open(r'scan_result.txt', 'a+') as f:
                                f.write(url + '\n')
                                f.write(task_data_resp + '\n')
                                f.write('==========python sqlmapapi by Serena==========' + '\n')
                            # The scan has finished: delete the task ID
                            task_delete_url = "http://127.0.0.1:8775/task/" + task_id + "/delete"
                            task_delete_resp = requests.get(task_delete_url)
                            if task_delete_resp.json().get('success'):
                                print('delete taskid success!')
                            break
                        time.sleep(3)


    if __name__ == '__main__':
        for url in open('url.txt'):
            url = url.strip()
            # print(url)
            if url:
                sqlmapapi(url)
    sqlmapapi application, plus version (script)
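    The scripts above dump the raw JSON from `/scan/<taskid>/data` into a text file and leave you to read it. The following is an added example (not code from the lesson, nor from sqlmap itself) that drives the same six-step flow with the error handling a batch run needs: it checks the JSON `success` flag instead of grepping for the word, compares the status field exactly, gives each scan a timeout and calls `/scan/<taskid>/stop` when it is exceeded, always deletes the task, and reduces the `data` response to one record per injectable parameter. Assumptions: sqlmapapi is listening on 127.0.0.1:8775 (the default for `python sqlmapapi.py -s`); the response layout is sqlmap's REST-JSON one, where a `data` entry of type 1 (`CONTENT_TYPE.TECHNIQUES`) carries the list of confirmed injection points; `SAMPLE_DATA_RESPONSE` and `FakeSqlmapApi` are constructed stand-ins so the flow can be run offline; `url.txt` and `scan_result.jsonl` are file names chosen here.

```python
# Added example: sqlmapapi client with success checks, exact status comparison, timeout and
# result parsing. Assumes the default bind 127.0.0.1:8775; SAMPLE_DATA_RESPONSE and
# FakeSqlmapApi are constructed stand-ins for the real server and its output.
import json
import time
import urllib.request

API = "http://127.0.0.1:8775"
CT_TECHNIQUES = 1  # sqlmap CONTENT_TYPE.TECHNIQUES: the list of confirmed injection points


def summarize_scan_data(payload):
    """Reduce a /scan/<taskid>/data response to one record per injectable parameter."""
    findings = []
    for entry in payload.get("data", []):
        if entry.get("type") != CT_TECHNIQUES:
            continue
        for inj in entry.get("value", []):
            techniques = sorted(t.get("title", "?") for t in inj.get("data", {}).values())
            findings.append({"place": inj.get("place"), "parameter": inj.get("parameter"),
                             "dbms": inj.get("dbms"), "techniques": techniques})
    return findings


def run_task(url, get, post, poll_interval=3.0, timeout=600.0):
    """task/new -> option set -> scan start -> status poll -> scan data -> task delete.

    `get(path)` and `post(path, body)` return parsed JSON; passing them in lets the
    flow run against a fake server offline. Returns the findings from summarize_scan_data.
    """
    created = get("/task/new")
    if not created.get("success"):
        raise RuntimeError("task/new failed: %s" % created)
    task_id = created["taskid"]
    try:
        options = {"url": url}
        if not post("/option/%s/set" % task_id, options).get("success"):
            raise RuntimeError("option set failed for %s" % url)
        if not post("/scan/%s/start" % task_id, options).get("success"):
            raise RuntimeError("scan start failed for %s" % url)
        deadline = time.monotonic() + timeout
        while True:
            status = get("/scan/%s/status" % task_id).get("status")
            if status == "terminated":  # "not running" contains "running", so compare exactly
                break
            if time.monotonic() > deadline:
                get("/scan/%s/stop" % task_id)
                raise TimeoutError("scan of %s exceeded %ss" % (url, timeout))
            time.sleep(poll_interval)
        return summarize_scan_data(get("/scan/%s/data" % task_id))
    finally:
        get("/task/%s/delete" % task_id)  # always free the task, even after an error


def http_get(path):
    with urllib.request.urlopen(API + path) as resp:
        return json.load(resp)


def http_post(path, body):
    req = urllib.request.Request(API + path, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of a /scan/<taskid>/data response with two confirmed techniques on GET id.
SAMPLE_DATA_RESPONSE = {
    "success": True, "error": [],
    "data": [
        {"status": 1, "type": CT_TECHNIQUES, "value": [
            {"place": "GET", "parameter": "id", "dbms": "MySQL",
             "data": {"1": {"title": "AND boolean-based blind - WHERE or HAVING clause",
                            "payload": "id=1 AND 5134=5134"},
                      "6": {"title": "Generic UNION query (NULL) - 3 columns",
                            "payload": "id=-1 UNION ALL SELECT NULL,NULL,CONCAT(0x71,0x71)-- -"}}}]},
    ],
}


class FakeSqlmapApi:
    """In-memory stand-in for the REST server so run_task can be exercised offline."""
    def __init__(self):
        self.polls, self.deleted = 0, False

    def get(self, path):
        if path == "/task/new":
            return {"success": True, "taskid": "0123456789abcdef"}
        if path.endswith("/status"):  # report "running" twice, then "terminated"
            self.polls += 1
            return {"success": True, "status": "running" if self.polls < 3 else "terminated"}
        if path.endswith("/data"):
            return SAMPLE_DATA_RESPONSE
        if path.endswith("/delete"):
            self.deleted = True
            return {"success": True}
        return {"success": False, "message": "unknown path " + path}

    def post(self, path, body):
        return {"success": True}


def demo():
    """Run the flow against the fake server; returns (findings, whether the task was deleted)."""
    fake = FakeSqlmapApi()
    findings = run_task("http://127.0.0.1:8081/sqlilabs/Less-2/?id=1", fake.get, fake.post, poll_interval=0)
    return findings, fake.deleted


if __name__ == "__main__":
    # Real run: one target URL per line in url.txt, one JSON line per target in scan_result.jsonl.
    with open("url.txt") as src, open("scan_result.jsonl", "a") as out:
        for line in src:
            url = line.strip()
            if url:
                out.write(json.dumps({"url": url, "findings": run_task(url, http_get, http_post)}) + "\n")
```

    The transport is injected as two callables so the same `run_task` runs against `FakeSqlmapApi` in `demo()` and against the real server through `http_get`/`http_post`; the `finally` block is what keeps a long batch from leaving hundreds of finished tasks in the API server's task table.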

    Case 3: extending the Pocsuite3 vulnerability-scanning framework by adding your own POC/EXP

    Development process for this project (using an existing framework and adding the newest, or internal, EXPs to it for security testing):
    • 1. Get familiar with the Pocsuite3 project and how it is used
    • 2. Get familiar with its commands and which code files they correspond to
    • 3. Pick a Glassfish vulnerability to write a POC for and test it
    • 4. Use the vulnerability templates bundled with the framework as a model for the code, then test it:
      • python cli.py -u x.x.x.x -r Glassfish.py --verify
    Resources involved:
     
  • Original article: https://www.cnblogs.com/zhengna/p/15075012.html