Kaotic Creations: March 2015

It has certainly been a while :)

The last few weeks I have been teaching myself a little PHP to help improve my skills and knowledge. In the process I decided to try and make a Web GUI for SQLMAP. When I originally started I was unaware of the JSON API that they already have available through sqlmapapi.py (available from latest versions in github repo). The API itself is not documented anywhere really so I took it as a small challenge to see what I might be able to slap together. You can find most of the API functionality documented to best of my ability in the SQLMAPClientAPI.class.php file I wrote, hopefully it will be helpful to others in the future that look to expand or write cooler GUI's and apps for the API.

Quick View of the core SQLMAPClientAPI.class.php:

Data hosted with ♥ by Pastebin.com - Download Raw - See Original

<?php
include("config.php");
/*
Ghetto Check if file is binary or ascii
This way we can determine if we can print the contents in textarea or not
Returns True if file is ascii, False otherwise
*/
function is_ascii($sourcefile) {
if (is_file($sourcefile)) {
$content = str_replace(array("\n", "\r", "\t", "\v", "\b"), '', file_get_contents($sourcefile));
return ctype_print($content);
} else {
return false;
}
}
/*
Check if array is a associated (hash) array vs a simple list array
Returns True when array is an associative array (key:value pairings)
Returns False otherwise
Borrowed from stackoverflow discussion:
http://stackoverflow.com/questions/5996749/determine-whether-an-array-is-associative-hash-or-not
*/
function is_assoc(array $array) {
$keys = array_keys($array); // Keys of the array
return array_keys($keys) !== $keys;
}
// SQLMAP Rest API Client Communicator Class
class SQLMAPClientAPI {
private $api = API_URL; // REST API Server Address
public $task_id; // Task ID to track against
/*
Initialize our Class Object
Set the task id for new instance
*/
public function __construct() {
// Commented out to avoid spinning up unneccary tasks for admin
// Manually call the generateNewTaskID() function to set...
// $this->task_id = $this->generateNewTaskID();
}
/*
Start up a new Task
Returns the new task id on success, false otherwise
*/
public function generateNewTaskID() {
$json = json_decode(file_get_contents($this->api . "task/new"), true);
if(($json['success'] == "true") && (trim($json['taskid']) != "")) {
return trim($json['taskid']);
}
return NULL;
}
/*
Delete an Active Task by ID
Returns true on success, false otherwise
*/
public function deleteTaskID($id) {
$json = json_decode(file_get_contents($this->api . "task/" . $id . "/delete"), true);
if($json['success'] == "true") {
return true;
}
return false;
}
/*
Lists current tasks with ADMIN ID, NOT task id
Returns associative array on success, false otherwise
array(
'tasks_num' => int,
'tasks' => array('1eb32c498dd90fb3','e398810ea2603520',...)
)'
*/
public function adminListTasks($adminid) {
$json = json_decode(file_get_contents($this->api . "admin/" . $adminid . "/list"), true);
if($json['success'] == "true") {
return array('tasks_num' => $json['tasks_num'], 'tasks' => $json['tasks']);
}
return false;
}
/*
Flush all tasks with ADMIN ID, NOT task id
Returns true on success, false otherwise
*/
public function adminFlushTasks($adminid) {
$json = json_decode(file_get_contents($this->api . "admin/" . $adminid . "/flush"), true);
if($json['success'] == "true") {
return true;
}
return false;
}
/*
List the currently set options under particular task ID
Returns an associative array on success, false otherwise
{
"options": {
"taskid": "e398810ea2603520",
"agent": null,
"alert": null,
"answers": null,
"api": true,
"authCred": null,
"authPrivate": null,
"authType": null,
"batch": true,
"beep": false,
"binaryFields": null,
"bulkFile": null,
"charset": null,
"checkTor": false,
"cleanup": false,
"code": null,
"col": null,
"commonColumns": false,
"commonTables": false,
"configFile": null,
"cookie": null,
"cookieDel": null,
"cpuThrottle": 5,
"crawlDepth": null,
"csrfToken": null,
"csrfUrl": null,
"csvDel": ",",
"data": null,
"database": "/tmp/sqlmapipc-rA0QdN",
"db": null,
"dbms": null,
"dbmsCred": null,
"delay": 0,
"dependencies": false,
"dFile": null,
"direct": null,
"disableColoring": true,
"dnsName": null,
"dropSetCookie": false,
"dummy": false,
"dumpAll": false,
"dumpFormat": "CSV",
"dumpTable": false,
"dumpWhere": null,
"eta": false,
"excludeCol": null,
"excludeSysDbs": false,
"extensiveFp": false,
"evalCode": null,
"firstChar": null,
"flushSession": false,
"forceDns": false,
"forceSSL": false,
"forms": false,
"freshQueries": false,
"getAll": false,
"getBanner": false,
"getColumns": false,
"getComments": false,
"getCount": false,
"getCurrentDb": false,
"getCurrentUser": false,
"getDbs": false,
"getHostname": false,
"getPasswordHashes": false,
"getPrivileges": false,
"getRoles": false,
"getSchema": false,
"getTables": false,
"getUsers": false,
"googleDork": null,
"googlePage": 1,
"headers": null,
"hexConvert": false,
"host": null,
"hpp": false,
"identifyWaf": false,
"ignore401": false,
"ignoreProxy": false,
"invalidBignum": false,
"invalidLogical": false,
"invalidString": false,
"isDba": false,
"keepAlive": false,
"lastChar": null,
"level": 1,
"limitStart": null,
"limitStop": null,
"liveTest": false,
"loadCookies": null,
"logFile": null,
"method": null,
"mnemonics": null,
"mobile": false,
"msfPath": null,
"noCast": false,
"noEscape": false,
"notString": null,
"nullConnection": false,
"optimize": false,
"outputDir": null,
"os": null,
"osBof": false,
"osCmd": null,
"osPwn": false,
"osShell": false,
"osSmb": false,
"pageRank": false,
"paramDel": null,
"parseErrors": false,
"pivotColumn": null,
"predictOutput": false,
"prefix": null,
"privEsc": false,
"profile": false,
"proxy": null,
"proxyCred": null,
"proxyFile": null,
"purgeOutput": false,
"query": null,
"randomAgent": false,
"referer": null,
"regexp": null,
"regAdd": false,
"regData": null,
"regDel": false,
"regKey": null,
"regRead": false,
"regType": null,
"regVal": null,
"requestFile": null,
"retries": 3,
"risk": 1,
"rFile": null,
"rParam": null,
"runCase": null,
"safUrl": null,
"saFreq": 0,
"saveCmdline": false,
"scope": null,
"search": false,
"secondOrder": null,
"sessionFile": null,
"shLib": null,
"sitemapUrl": null,
"skip": null,
"skipUrlEncode": false,
"smart": false,
"smokeTest": false,
"sqlFile": null,
"sqlShell": false,
"stopFail": false,
"string": null,
"suffix": null,
"tamper": null,
"tbl": null,
"tech": "BEUSTQ",
"testFilter": null,
"testParameter": null,
"textOnly": false,
"threads": 1,
"timeout": 30,
"timeSec": 5,
"titles": false,
"tmpPath": null,
"tor": false,
"torPort": null,
"torType": "HTTP",
"trafficFile": null,
"uChar": null,
"uCols": null,
"udfInject": false,
"uFrom": null,
"updateAll": false,
"url": null,
"user": null,
"verbose": 1,
"wizard": false,
"wFile": null
},
"success": true
}
*/
public function listOptions($taskid) {
$json = json_decode(file_get_contents($this->api . "option/" . $taskid . "/list"), true);
if($json['success'] == "true") {
return $json;
}
return false;
}
/*
Get SQLMAP Configuration Option Value under specific task ID
Returns the option value as string on success, false otherwise
$taskid = your user level task id to look under
$optstr = the SQLMAP configuration option string
NOTE: It's case sensitive, so reference list example above if stuck
*/
public function getOptionValue($taskid, $optstr) {
// Sorry, not going to pass through code to be eval'd in setter so not going to bother trying to return value...
if((strtolower(trim($optstr)) != "evalcode") && (strtolower(trim($optstr)) != "eval")) {
$opts = array(
'http'=> array(
'method'=>"POST",
'header'=>"Content-Type: application/json\r\n",
'content' => '{"option":"' . trim($optstr) . '"}',
'timeout' => 60
)
);
$context = stream_context_create($opts);
$json = json_decode(file_get_contents($this->api . "option/" . $taskid . "/get", false, $context), true);
if($json['success'] == "true") {
return $json[$optstr];
}
}
return false;
}
/*
Set SQLMAP Configuration Option Value under specific task ID
Returns true on success, false otherwise
$taskid = your user level task id to look under
$optstr = the SQLMAP configuration option we want to set value for (case sensitive)
$optvalue = the value to set for configuration option above ($optstr)
*/
public function setOptionValue($taskid, $optstr, $optvalue, $integer=false) {
// Sorry, not going to pass through code to be eval'd here...
if((strtolower(trim($optstr)) != "evalcode") && (strtolower(trim($optstr)) != "eval")) {
if(!$integer) {
$opts = array(
'http'=> array(
'method'=>"POST",
'header'=>"Content-Type: application/json\r\n",
'content' => '{"' . trim($optstr) . '":"' . trim($optvalue) . '"}',
'timeout' => 60
)
);
} else {
$opts = array(
'http'=> array(
'method'=>"POST",
'header'=>"Content-Type: application/json\r\n",
'content' => '{"' . trim($optstr) . '":' . trim($optvalue) . '}',
'timeout' => 60
)
);
}
$context = stream_context_create($opts);
$json = json_decode(file_get_contents($this->api . "option/" . $taskid . "/set", false, $context), true);
if($json['success'] == "true") {
return true;
}
}
return false;
}
/*
Start SQLMAP Scan using all configured options under user level task ID
Returns the scan engine id for tracking status and results on success, false otherwise
$taskid = your user level task id to track scan under
*/
public function startScan($taskid) {
$opts = array(
'http'=> array(
'method'=>"POST",
'header'=>"Content-Type: application/json\r\n",
'content' => '{ "url":"' . trim($this->getOptionValue($taskid, "url")) . '"}',
'timeout' => 60
)
);
$context = stream_context_create($opts);
$json = json_decode(file_get_contents($this->api . "scan/" . $taskid . "/start", false, $context), true);
if($json['success'] == 1) {
return $json['engineid'];
}
return false;
}
/*
Gracefully Stop a SQLMAP Scan, identified by user level task ID
Returns true on success, false otherwise
$taskid = your user level task id to stop scan for
*/
public function stopScan($taskid) {
$json = json_decode(file_get_contents($this->api . "scan/" . $taskid . "/stop"), true);
if($json['success'] == 1) {
return true;
}
return false;
}
/*
Forcefully KILL a SQLMAP Scan, identified by user level task ID
Returns true on success, false otherwise
$taskid = your user level task id to kill scan for
*/
public function killScan($taskid) {
$json = json_decode(file_get_contents($this->api . "scan/" . $taskid . "/kill"), true);
if($json['success'] == 1) {
return true;
}
return false;
}
/*
Check Status for a SQLMAP Scan, identified by user level task ID
Returns associative array on success, false otherwise
array(
"status" => "running|terminated|not running",
"code" => (int) "Process Polling Return Code, Status Percent?"
);
$taskid = your user level task id to check scan status for
*/
public function checkScanStatus($taskid) {
$json = json_decode(file_get_contents($this->api . "scan/" . $taskid . "/status"), true);
if($json['success'] == 1) {
return array("status" => $json['status'], "code" => $json['returncode']);
}
return false;
}
/*
Fetch the Scan Data from finished SQLMAP scan, identified by user level task ID
Returns associative array on success, false otherwise
array(
"data" => array(
"status" => "stats",
"type" => "content_type",
"value" => "some value"
),
"error" => array("error msg", "error msg2", ...)
);
$taskid = your user level task id to get scan data for
*/
public function getScanData($taskid) {
$json = json_decode(file_get_contents($this->api . "scan/" . $taskid . "/data"), true);
if($json['success'] == 1) {
return array("data" => $json['data'], "error" => $json['error']);
}
return false;
}
/*
Review a subset of the SQLMAP scan log messages
Message subset is based on start and end points provided by user
Returns associative array on success, false otherwise
array(
"log" => array(
array(
"message" => "testing connection to the target URL",
"level" => "INFO",
"time" => "19:44:23"
),
array(
"message" => "testing if the target URL is stable. This can take a couple of seconds",
"level" => "INFO",
"time" => "19:44:24"
),
array(...)
);
$taskid = your user level task id to get scan log for
$start = the log entry index to start on
$end = the log entry index to end on
*/
public function reviewScanLogPartial($taskid, $start, $end) {
$json = json_decode(file_get_contents($this->api . "scan/" . $taskid . "/log/" . $start . "/" . $end), true);
if($json['success'] == 1) {
return $json['log'];
}
return false;
}
/*
Review the FULL set of SQLMAP scan log messages
Returns associative array on success, false otherwise
array(
"log" => array(
array(
"message" => "testing connection to the target URL",
"level" => "INFO",
"time" => "19:44:23"
),
array(
"message" => "testing if the target URL is stable. This can take a couple of seconds",
"level" => "INFO",
"time" => "19:44:24"
),
array(...)
);
$taskid = your user level task id to get scan log for
*/
public function reviewScanLogFull($taskid) {
$json = json_decode(file_get_contents($this->api . "scan/" . $taskid . "/log"), true);
if($json['success'] == 1) {
return $json['log'];
}
return false;
}
/*
Download a Scan Result File for a Particular Target under Task ID
Returns $filename's content as base64 encoded string on success, false otherwise
$taskid = your user level task id to find results under
$target = ip or domain from scan
NOTE: This is what SQLMAP will create folder under in output directory on scan initialization
i.e. 10.10.10.10, domain.com, sub.domain.com or www.domain.com
$filename = the file you wish to download
NOTE: filename should include path (relative to sqlmap/output/target/ folder)
i.e. dump/dbname/tblname.csv
i.e. dump/ipbf_db/ipbf_members.csv
i.e. files/filename
i.e. files/_etc_passwd
*/
public function downloadTargetFile($taskid, $target, $filename) {
if((!preg_match("#..|%2e%2e|\x2e\x2e|0x2e0x2e#", $target)) && (!preg_match("#..|%2e%2e|\x2e\x2e|0x2e0x2e#", $filename))) {
$json = json_decode(file_get_contents($this->api . "download/" . $taskid . "/" . $target . "/" . $filename), true);
if($json['success'] == "true") {
return $json['file'];
}
}
return false;
}
}
?>

Now once I had that working, I decided to dive on into trying to make a front end. To date, I have only ever really tried breaking web applications, never really building them (I think I learned things backwards and wouldn't advice this path to others). I decided to use Bootstrap since it was easy to pickup and run with and well documented. The look is clean and simple for now, meets my minimum for acceptability test I suppose but leaves lots of room for improvements if you do this on a regular basis. I documented things in the source as best I could, where I could, but nothing too magical with the front end work and as I said plenty of room for further improvements...

A few snapshots to show off the basic view:

I broke the form up into tabbed areas to make it all a little easier to swallow since SQLMAP has a whole lot of options to configure scans with. The actual scan opens in a new tab so you dont loose all the form data and allows you to continue enumerating target as you build up info (I like it this way :p).

Request modifications:

Detection modifications:

Injection & Technique modifications:

Enumeration & Data Dumping modifications:

System Access & Advanced Exploitations:

You can find the code on Github for your forking, pulling, and pushing delights: https://github.com/Hood3dRob1n/SQLMAP-Web-GUI

How to get things setup:

Install SQLMAP and all necessary dependencies per the standard sqlmap instructions...
Get a basic LAMP setup going per your favorite distro's guide

NOTE: MySQL is not being used for this project at this point in time

Download the Web GUI files from my new github repo I created (https://github.com/Hood3dRob1n/SQLMAP-Web-GUI)

Edit the sqlmap/inc/config.php from the GUI files so the correct paths are in place for your box
Then copy all the web_gui/sqlmap/ files to the web root directory for your server /var/www/sqlmap/

Start up the API server when you want to use it, otherwise GUI will fail
Surf to your new SQLMAP Web GUI in browser to enjoy

Here is a few quick videos I made to show that almost all of your usual SQLMAP command line functionality is still possible via the Web GUI.

Demo against: Windows 2003 Server, IIS/6.0 + ASP + MS-SQL 2005

Demo against: Linux (CentOS), Apache, MySQL, PHP

It is entirely possible that the API Server runs on one server while the Web GUI Frontend runs on a different server, simply make the proper edits to the config file so they can communicate. There still remain a few obstacles in some advanced functions I want to add due to how the API Server works. I plan to try and work on them as time goes on. I had several friends tell me to put this out there and I feel pretty happy with where things are for now that I decided to share with everyone that might be interested.

Open to suggestions and feedback, hope you guys like it!

My Current ToDo List:

Ask SQLMAP team to modify the logger or work with me on how to extract info log while it is running scan

Would love to present scan log info while the spinner wheel is running during an active scan so you know what is going on
Currently the scan log info seems to be set in a blocking manner so that the active scan needs to finish before logs can be parsed/extracted from API
The admin panel seems to suffer from this blocking behavior as well.

I would like to improve this function/feature in future but current blocking behavior makes it too annoying to work on for now

Ask SQLMAP team to modify the --answer delimiter value or allow custom one to be set

Affects ability to pass in more than one path when using file write options (which takes a csv list of paths, but --answer mistakes them as multiple answers instead)

Ask if MSF Advanced Exploit options (--os-pwn, --os-smb, --os-bof, --priv-esc) could be prompted differently

Currently assumption is that sqlmap attack box is the box that should also accept MSF payload call backs
Should allow new option to be added so user can specify a remote IP and PORT instead of local IP/PORT
Current setup causes API to hang in an infinite loop if a remote IP/PORT specified
The GUI version of these is disabled until can fix

The --os-cmd option doesn't seem to return output to API properly with MySQL (works fine for MS-SQL), more testing needed to report bug if indeed a bug...
Ask if SQLMAP team would consider moving away from using Python's pickle method for serializing options passed from API to CLI

Also use a different web server that doesn't use the same pickle method
pickle.loads() and pickle.dumps() are known to be susceptible to Python Object Injection attacks that can lead to code execution
Current use of API Server doesn't call the vulnerable cookie decoder the bottle server has built in, so safe for now...

Currently my attempts to find a working exploit seem to break the json which stops it from passing through to execute by sqlmap
I'm concerned someone smarter than me can figure it out and find a way to sneak some pickled py code through to achieve rce
If you know how, please show or send me a quick POC as I would love to see how it is accomplished in this particular situation

Until this is address or confirmed safe by more people, I can't widely suggest or really recommend running this Web GUI on a open web facing server to untrusted users of the interwebs
Did my best to secure the few areas I found problems with for trying to get it to be safe web facing

Nothing can be done without API server running so secure enough for me to use locally or spin up as needed, you will need to decide your own security...

Add options to config.php to allow settings or levels to activate and expose some of the other options not currently available as of right now

evalCode, proxy options, tor use, etc

Do more testing:

May have some issues with PHP < 5.3, not tested and still a PHP n00b so all bets are off...
Setups Confirmed Working:

Debian 7, PHP 5.4.4-14+deb7u14
Debian 7, PHP 5.4.36-0+deb7u3
Ubuntu 12, PHP 5.3.10-1ubuntu3.17
Kali w/PHP 5.4

Kaotic Creations

Pages

Thursday, March 19, 2015

SQLMAP Web GUI