Thursday, March 19, 2015

SQLMAP Web GUI

It has certainly been a while :)

The last few weeks I have been teaching myself a little PHP to help improve my skills and knowledge. In the process I decided to try and make a Web GUI for SQLMAP. When I originally started I was unaware of the JSON API that they already have available through sqlmapapi.py (available from latest versions in github repo). The API itself is not documented anywhere really so I took it as a small challenge to see what I might be able to slap together. You can find most of the API functionality documented to best of my ability in the SQLMAPClientAPI.class.php file I wrote, hopefully it will be helpful to others in the future that look to expand or write cooler GUI's and apps for the API.

Quick View of the core SQLMAPClientAPI.class.php:


Now once I had that working, I decided to dive on into trying to make a front end. To date, I have only ever really tried breaking web applications, never really building them (I think I learned things backwards and wouldn't advice this path to others). I decided to use Bootstrap since it was easy to pickup and run with and well documented. The look is clean and simple for now, meets my minimum for acceptability test I suppose but leaves lots of room for improvements if you do this on a regular basis. I documented things in the source as best I could, where I could, but nothing too magical with the front end work and as I said plenty of room for further improvements...

A few snapshots to show off the basic view:


I broke the  form up into tabbed areas to make it all a little easier to swallow since SQLMAP has a whole lot of options to configure scans with. The actual scan opens in a new tab so you dont loose all the form data and allows you to continue enumerating target as you build up info (I like it this way :p).

Request modifications:

Detection modifications:


Injection & Technique modifications:


Enumeration & Data Dumping modifications:


System Access & Advanced Exploitations:

You can find the code on Github for your forking, pulling, and pushing delights: https://github.com/Hood3dRob1n/SQLMAP-Web-GUI

How to get things setup:
  •  Install SQLMAP and all necessary dependencies per the standard sqlmap instructions...
  •  Get a basic LAMP setup going per your favorite distro's guide
    •  NOTE: MySQL is not being used for this project at this point in time
  •  Download the Web GUI files from my new github repo I created (https://github.com/Hood3dRob1n/SQLMAP-Web-GUI)
    • Edit the sqlmap/inc/config.php from the GUI files so the correct paths are in place for your box
    • Then copy all the web_gui/sqlmap/ files to the web root directory for your server /var/www/sqlmap/
  •  Start up the API server when you want to use it, otherwise GUI will fail
  •  Surf to your new SQLMAP Web GUI in browser to enjoy

Here is a few quick videos I made to show that almost all of your usual SQLMAP command line functionality is still possible via the Web GUI.

Demo against: Windows 2003 Server, IIS/6.0 + ASP + MS-SQL 2005


Demo against: Linux (CentOS), Apache, MySQL, PHP




It is entirely possible that the API Server runs on one server while the Web GUI Frontend runs on a different server, simply make the proper edits to the config file so they can communicate. There still remain a few obstacles in some advanced functions I want to add due to how the API Server works. I plan to try and work on them as time goes on. I had several friends tell me to put this out there and I feel pretty happy with where things are for now that I decided to share with everyone that might be interested.

Open to suggestions and feedback, hope you guys like it!


My Current ToDo List:
  • Ask SQLMAP team to modify the logger or work with me on how to extract info log while it is running scan
    • Would love to present scan log info while the spinner wheel is running during an active scan so you know what is going on
    • Currently the scan log info seems to be set in a blocking manner so that the active scan needs to finish before logs can be parsed/extracted from API
    •  The admin panel seems to suffer from this blocking behavior as well.
      • I would like to improve this function/feature in future but current blocking behavior makes it too annoying to work on for now
  • Ask SQLMAP team to modify the --answer delimiter value or allow custom one to be set
    • Affects ability to pass in more than one path when using file write options (which takes a csv list of paths, but --answer mistakes them as multiple answers instead)
  • Ask if MSF Advanced Exploit options (--os-pwn, --os-smb, --os-bof, --priv-esc) could be prompted differently
    • Currently assumption is that sqlmap attack box is the box that should also accept MSF payload call backs
    • Should allow new option to be added so user can specify a remote IP and PORT instead of local IP/PORT
    • Current setup causes API to hang in an infinite loop if a remote IP/PORT specified
    • The GUI version of these is disabled until can fix
  • The --os-cmd option doesn't seem to return output to API properly with MySQL (works fine for MS-SQL), more testing needed to report bug if indeed a bug...
  • Ask if SQLMAP team would consider moving away from using Python's pickle method for serializing options passed from API to CLI
    • Also use a different web server that doesn't use the same pickle method
    • pickle.loads() and pickle.dumps() are known to be susceptible to Python Object Injection attacks that can lead to code execution
    • Current use of API Server doesn't call the vulnerable cookie decoder the bottle server has built in, so safe for now...
      • Currently my attempts to find a working exploit seem to break the json which stops it from passing through to execute by sqlmap
      • I'm concerned someone smarter than me can figure it out and find a way to sneak some pickled py code through to achieve rce
      • If you know how, please show or send me a quick POC as I would love to see how it is accomplished in this particular situation
    • Until this is address or confirmed safe by more people, I can't widely suggest or really recommend running this Web GUI on a open web facing server to untrusted users of the interwebs
    • Did my best to secure the few areas I found problems with for trying to get it to be safe web facing
      • Nothing can be done without API server running so secure enough for me to use locally or spin up as needed, you will need to decide your own security...
  • Add options to config.php to allow settings or levels to activate and expose some of the other options not currently available as of right now
    • evalCode, proxy options, tor use, etc
  • Do more testing:
    • May have some issues with PHP < 5.3, not tested and still a PHP n00b so all bets are off...
    • Setups Confirmed Working:
      • Debian 7, PHP 5.4.4-14+deb7u14
      • Debian 7, PHP 5.4.36-0+deb7u3
      • Ubuntu 12, PHP 5.3.10-1ubuntu3.17
      • Kali w/PHP 5.4