The last few weeks I have been teaching myself a little PHP to help improve my skills and knowledge. In the process I decided to try and make a Web GUI for SQLMAP. When I originally started I was unaware of the JSON API that they already have available through sqlmapapi.py (available in the latest versions in the github repo). The API itself is not really documented anywhere, so I took it as a small challenge to see what I might be able to slap together. You can find most of the API functionality documented to the best of my ability in the SQLMAPClientAPI.class.php file I wrote; hopefully it will be helpful to others in the future who look to expand on it or write cooler GUIs and apps for the API.
Quick View of the core SQLMAPClientAPI.class.php:
Now once I had that working, I decided to dive on into trying to make a front end. To date, I have only ever really tried breaking web applications, never really building them (I think I learned things backwards and wouldn't advise this path to others). I decided to use Bootstrap since it was easy to pick up and run with and is well documented. The look is clean and simple for now; it meets my minimum acceptability test, I suppose, but leaves lots of room for improvements if you do this on a regular basis. I documented things in the source as best I could, where I could, but there is nothing too magical in the front end work and, as I said, plenty of room for further improvements...
A few snapshots to show off the basic view:
I broke the form up into tabbed areas to make it all a little easier to swallow, since SQLMAP has a whole lot of options to configure scans with. The actual scan opens in a new tab so you don't lose all the form data, which lets you continue enumerating the target as you build up info (I like it this way :p).
Injection & Technique modifications:
Enumeration & Data Dumping modifications:
System Access & Advanced Exploitations:
You can find the code on Github for your forking, pulling, and pushing delights: https://github.com/Hood3dRob1n/SQLMAP-Web-GUI
How to get things setup:
- Install SQLMAP and all necessary dependencies per the standard sqlmap instructions...
- Get a basic LAMP setup going per your favorite distro's guide
- NOTE: MySQL is not being used for this project at this point in time
- Download the Web GUI files from my new github repo I created (https://github.com/Hood3dRob1n/SQLMAP-Web-GUI)
- Edit the sqlmap/inc/config.php from the GUI files so the correct paths are in place for your box
- Then copy all the web_gui/sqlmap/ files to the web root directory for your server /var/www/sqlmap/
- Start up the API server when you want to use it, otherwise the GUI will fail
- Surf to your new SQLMAP Web GUI in browser to enjoy
Here are a few quick videos I made to show that almost all of your usual SQLMAP command line functionality is still possible via the Web GUI.
Demo against: Windows 2003 Server, IIS/6.0 + ASP + MS-SQL 2005
Demo against: Linux (CentOS), Apache, MySQL, PHP
It is entirely possible for the API server to run on one host while the Web GUI front end runs on a different one; simply make the proper edits to the config file so they can communicate. There still remain a few obstacles in some advanced functions I want to add, due to how the API server works. I plan to try and work on them as time goes on. I had several friends tell me to put this out there, and I feel happy enough with where things are for now that I decided to share it with everyone who might be interested.
Open to suggestions and feedback, hope you guys like it!
My Current ToDo List:
- Ask SQLMAP team to modify the logger or work with me on how to extract the info log while a scan is running
  - Would love to present scan log info while the spinner wheel is running during an active scan so you know what is going on
  - Currently the scan log info seems to be set in a blocking manner, so the active scan needs to finish before logs can be parsed/extracted from the API
  - The admin panel seems to suffer from this blocking behavior as well
  - I would like to improve this function/feature in the future, but the current blocking behavior makes it too annoying to work on for now
- Ask SQLMAP team to modify the --answer delimiter value or allow a custom one to be set
  - Affects the ability to pass in more than one path when using the file write options (which take a CSV list of paths, but --answer mistakes them for multiple answers instead)
- Ask if the MSF advanced exploit options (--os-pwn, --os-smb, --os-bof, --priv-esc) could be prompted differently
  - Currently the assumption is that the sqlmap attack box is also the box that should accept MSF payload call backs
  - Should allow a new option to be added so the user can specify a remote IP and PORT instead of the local IP/PORT
  - Current setup causes the API to hang in an infinite loop if a remote IP/PORT is specified
  - The GUI version of these is disabled until I can fix this
  - The --os-cmd option doesn't seem to return output to the API properly with MySQL (works fine for MS-SQL); more testing needed before reporting a bug, if it is indeed a bug...
- Ask if the SQLMAP team would consider moving away from using Python's pickle module for serializing options passed from the API to the CLI
  - Also use a different web server that doesn't use the same pickle method
  - pickle.loads() and pickle.dumps() are known to be susceptible to Python object injection (untrusted deserialization) attacks that can lead to code execution
  - Current use of the API server doesn't call the vulnerable cookie decoder the bottle server has built in, so safe for now...
  - Currently my attempts to find a working exploit seem to break the JSON, which stops it from passing through to be executed by sqlmap
  - I'm concerned someone smarter than me can figure it out and find a way to sneak some pickled py code through to achieve RCE
  - If you know how, please show or send me a quick POC, as I would love to see how it is accomplished in this particular situation
  - Until this is addressed or confirmed safe by more people, I can't widely suggest or really recommend running this Web GUI on an open web facing server for untrusted users of the interwebs
  - Did my best to secure the few areas I found problems with when trying to make it safe to be web facing
  - Nothing can be done without the API server running, so it is secure enough for me to use locally or spin up as needed; you will need to decide on your own security...
- Add options to config.php to allow settings or levels to activate and expose some of the other options not currently available as of right now
  - evalCode, proxy options, tor use, etc.
- Do more testing:
  - May have some issues with PHP < 5.3; not tested, and I'm still a PHP n00b so all bets are off...
  - Setups confirmed working:
    - Debian 7, PHP 5.4.4-14+deb7u14
    - Debian 7, PHP 5.4.36-0+deb7u3
    - Ubuntu 12, PHP 5.3.10-1ubuntu3.17
    - Kali w/PHP 5.4
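One way to replace the pickle handoff mentioned in the ToDo list above, as an added example that is not code from the SQLMAP-Web-GUI project or from sqlmapapi.py: serialize the option set with json and validate it against an allow-list, so a decoded payload can only ever be plain data and never a reconstructed Python object. The option names and expected types below are an illustrative subset I chose here, not the real sqlmap option table.

```python
"""Added example: JSON + allow-list as a safer option transport than pickle.

Assumption: ALLOWED_OPTIONS is a hypothetical subset of sqlmap option names
with the Python type each one should carry.
"""
import json

# Hypothetical allow-list: option name -> expected Python type.
ALLOWED_OPTIONS = {
    "url": str,
    "level": int,
    "risk": int,
    "technique": str,
    "answers": str,
    "osCmd": str,
    "evalCode": str,
    "proxy": str,
    "tor": bool,
}


class OptionError(ValueError):
    """Raised when a serialized option set fails validation."""


def validate_options(options):
    """Reject anything that is not a flat dict of allow-listed, well-typed keys."""
    if not isinstance(options, dict):
        raise OptionError("options must be a JSON object")
    for name, value in options.items():
        expected = ALLOWED_OPTIONS.get(name)
        if expected is None:
            raise OptionError("unknown option: %r" % name)
        # bool is a subclass of int in Python, so check it explicitly
        if expected is int and isinstance(value, bool):
            raise OptionError("option %r must be int, got bool" % name)
        if not isinstance(value, expected):
            raise OptionError("option %r must be %s" % (name, expected.__name__))


def dumps_options(options):
    """Validate, then serialize to a JSON string (what the API would send)."""
    validate_options(options)
    return json.dumps(options, sort_keys=True)


def loads_options(payload):
    """Parse JSON (which can only yield plain data) and validate (CLI side)."""
    try:
        options = json.loads(payload)
    except ValueError as exc:
        raise OptionError("payload is not valid JSON: %s" % exc)
    validate_options(options)
    return options


def rejects(payload):
    """True if loads_options() refuses the payload; used to exercise the checks."""
    try:
        loads_options(payload)
    except OptionError:
        return True
    return False
```

Unlike pickle.loads(), json.loads() has no way to instantiate arbitrary classes, so the worst a malformed payload can do here is fail validation.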