Thursday, March 19, 2015

SQLMAP Web GUI

It has certainly been a while :)

The last few weeks I have been teaching myself a little PHP to help improve my skills and knowledge. In the process I decided to try and make a Web GUI for SQLMAP. When I originally started I was unaware of the JSON API that they already have available through sqlmapapi.py (available from latest versions in github repo). The API itself is not documented anywhere really so I took it as a small challenge to see what I might be able to slap together. You can find most of the API functionality documented to best of my ability in the SQLMAPClientAPI.class.php file I wrote, hopefully it will be helpful to others in the future that look to expand or write cooler GUI's and apps for the API.

Quick View of the core SQLMAPClientAPI.class.php:


Now once I had that working, I decided to dive on into trying to make a front end. To date, I have only ever really tried breaking web applications, never really building them (I think I learned things backwards and wouldn't advice this path to others). I decided to use Bootstrap since it was easy to pickup and run with and well documented. The look is clean and simple for now, meets my minimum for acceptability test I suppose but leaves lots of room for improvements if you do this on a regular basis. I documented things in the source as best I could, where I could, but nothing too magical with the front end work and as I said plenty of room for further improvements...

A few snapshots to show off the basic view:


I broke the  form up into tabbed areas to make it all a little easier to swallow since SQLMAP has a whole lot of options to configure scans with. The actual scan opens in a new tab so you dont loose all the form data and allows you to continue enumerating target as you build up info (I like it this way :p).

Request modifications:

Detection modifications:


Injection & Technique modifications:


Enumeration & Data Dumping modifications:


System Access & Advanced Exploitations:

You can find the code on Github for your forking, pulling, and pushing delights: https://github.com/Hood3dRob1n/SQLMAP-Web-GUI

How to get things setup:
  •  Install SQLMAP and all necessary dependencies per the standard sqlmap instructions...
  •  Get a basic LAMP setup going per your favorite distro's guide
    •  NOTE: MySQL is not being used for this project at this point in time
  •  Download the Web GUI files from my new github repo I created (https://github.com/Hood3dRob1n/SQLMAP-Web-GUI)
    • Edit the sqlmap/inc/config.php from the GUI files so the correct paths are in place for your box
    • Then copy all the web_gui/sqlmap/ files to the web root directory for your server /var/www/sqlmap/
  •  Start up the API server when you want to use it, otherwise GUI will fail
  •  Surf to your new SQLMAP Web GUI in browser to enjoy

Here is a few quick videos I made to show that almost all of your usual SQLMAP command line functionality is still possible via the Web GUI.

Demo against: Windows 2003 Server, IIS/6.0 + ASP + MS-SQL 2005


Demo against: Linux (CentOS), Apache, MySQL, PHP




It is entirely possible that the API Server runs on one server while the Web GUI Frontend runs on a different server, simply make the proper edits to the config file so they can communicate. There still remain a few obstacles in some advanced functions I want to add due to how the API Server works. I plan to try and work on them as time goes on. I had several friends tell me to put this out there and I feel pretty happy with where things are for now that I decided to share with everyone that might be interested.

Open to suggestions and feedback, hope you guys like it!


My Current ToDo List:
  • Ask SQLMAP team to modify the logger or work with me on how to extract info log while it is running scan
    • Would love to present scan log info while the spinner wheel is running during an active scan so you know what is going on
    • Currently the scan log info seems to be set in a blocking manner so that the active scan needs to finish before logs can be parsed/extracted from API
    •  The admin panel seems to suffer from this blocking behavior as well.
      • I would like to improve this function/feature in future but current blocking behavior makes it too annoying to work on for now
  • Ask SQLMAP team to modify the --answer delimiter value or allow custom one to be set
    • Affects ability to pass in more than one path when using file write options (which takes a csv list of paths, but --answer mistakes them as multiple answers instead)
  • Ask if MSF Advanced Exploit options (--os-pwn, --os-smb, --os-bof, --priv-esc) could be prompted differently
    • Currently assumption is that sqlmap attack box is the box that should also accept MSF payload call backs
    • Should allow new option to be added so user can specify a remote IP and PORT instead of local IP/PORT
    • Current setup causes API to hang in an infinite loop if a remote IP/PORT specified
    • The GUI version of these is disabled until can fix
  • The --os-cmd option doesn't seem to return output to API properly with MySQL (works fine for MS-SQL), more testing needed to report bug if indeed a bug...
  • Ask if SQLMAP team would consider moving away from using Python's pickle method for serializing options passed from API to CLI
    • Also use a different web server that doesn't use the same pickle method
    • pickle.loads() and pickle.dumps() are known to be susceptible to Python Object Injection attacks that can lead to code execution
    • Current use of API Server doesn't call the vulnerable cookie decoder the bottle server has built in, so safe for now...
      • Currently my attempts to find a working exploit seem to break the json which stops it from passing through to execute by sqlmap
      • I'm concerned someone smarter than me can figure it out and find a way to sneak some pickled py code through to achieve rce
      • If you know how, please show or send me a quick POC as I would love to see how it is accomplished in this particular situation
    • Until this is address or confirmed safe by more people, I can't widely suggest or really recommend running this Web GUI on a open web facing server to untrusted users of the interwebs
    • Did my best to secure the few areas I found problems with for trying to get it to be safe web facing
      • Nothing can be done without API server running so secure enough for me to use locally or spin up as needed, you will need to decide your own security...
  • Add options to config.php to allow settings or levels to activate and expose some of the other options not currently available as of right now
    • evalCode, proxy options, tor use, etc
  • Do more testing:
    • May have some issues with PHP < 5.3, not tested and still a PHP n00b so all bets are off...
    • Setups Confirmed Working:
      • Debian 7, PHP 5.4.4-14+deb7u14
      • Debian 7, PHP 5.4.36-0+deb7u3
      • Ubuntu 12, PHP 5.3.10-1ubuntu3.17
      • Kali w/PHP 5.4

6 comments:

  1. Replies
    1. Kaotic Creations: Sqlmap Web Gui >>>>> Download Now

      >>>>> Download Full

      Kaotic Creations: Sqlmap Web Gui >>>>> Download LINK

      >>>>> Download Now

      Kaotic Creations: Sqlmap Web Gui >>>>> Download Full

      >>>>> Download LINK Sy

      Delete
  2. looks like nice article.....m gonna implement it....

    ReplyDelete
  3. This post is very useful for SSC Aspirants. Thanks for sharing.

    ReplyDelete
  4. Various ventures and organizations are straightforwardly impacted by the viable and useful utilization of man-made brainpower in light of AI. As per the Forrester research report, the organizations and undertakings releasing the force of client knowledge CI into their understanding driven organizations will catch as much as $1.2 trillion income by 2020. The report further uncovers that interest in man-made brainpower (artificial intelligence) expanded by 300% in 2017 when contrasted with the venture made in 2016>> ai engineer vs machine learning engineer

    ReplyDelete
  5. Hi.
    The effective and practical utilization of artificial intelligence, or AI, has a direct impact on various industries and organizations. Here is sharing some AngularJS Training information may be its helpful to you.
    AngularJS Training

    ReplyDelete