Below is a screenshot of the OWASP ZAP area where the request is shown, after it has been configured to show a combined view of the header and the content.
This is an example of an HTTP POST request made during the login stage of getting into DVWA. Inside this box, right-click, hover over Save Raw, then Request, and click All. This brings up a save dialog box. In the directory where you saved the script below, create a folder called "requests", then save the HTTP request in that folder. If you are running Kali, you do not need to be root to execute this script.
Here is the script that converts the saved POST request into a sqlmap command and then executes it upon a key press:
#!/usr/bin/env python3
import os
import shlex
import sys

# Extra sqlmap options appended to every generated command
additionalParameters = '--dbms=mysql --level=5 --risk=3'


def checkDir():
    # Create the 'requests' directory the first time the script runs
    if not os.path.exists("requests"):
        print("This must be the first time you have used this script.")
        print()
        print("Creating a directory called 'requests'. This is where")
        print("you can save the web requests you would like formatted")
        print("for sqlmap.")
        print()
        os.makedirs("requests")


def getFileName():
    files = os.listdir('requests')
    if len(files) == 0:
        print("Inside this directory is another directory called requests.")
        print("Currently this directory is empty, please add to this directory")
        print("the saved web requests that you would like formatted for sqlmap.")
        print()
        print("Example: In OWASP ZAP 2.4 where the web request is located,")
        print("change the display to be combined with the header and the")
        print("body. Then right-click and Save Raw --> Request --> All.")
        print("Then navigate to the requests directory and save it. You")
        print("can save more than one file and then select which one to")
        print("format.")
        print()
        # Nothing to format yet, so stop here instead of returning None
        sys.exit(1)
    print("Select which file to format:")
    for count, f in enumerate(files, 1):
        print(str(count) + ". " + f)
    print()
    try:
        fileNum = int(input("$ ")) - 1
    except ValueError:
        fileNum = -1
    if not 0 <= fileNum < len(files):
        sys.exit("Please enter one of the numbers listed above.")
    return files[fileNum]


def parseFilename(fileName):
    fileName = os.path.join('requests', fileName)
    # Text mode translates the CRLF line endings of the saved request to LF
    with open(fileName, 'r', errors='replace') as file:
        raw = file.read()

    # The first blank line separates the header from the body
    head, _, body = raw.partition('\n\n')
    lines = head.split('\n')

    # Request line: METHOD URL VERSION
    lineList = lines[0].split(' ')
    if len(lineList) < 2:
        sys.exit("The first line of " + fileName + " is not an HTTP request line.")
    requestType = lineList[0]
    url = lineList[1]

    userAgent = ''
    cookieInfo = ''
    for line in lines[1:]:
        if line.startswith("User-Agent: "):
            userAgent = line[12:]
        elif line.startswith("Cookie: "):
            cookieInfo = line[8:]

    # Strip only line endings. A fixed [:-2] slice cuts the last two
    # characters of the body when the file does not end in CRLF.
    dataInfo = body.rstrip('\n')

    # shlex.quote keeps quotes and shell metacharacters in the request
    # from changing the command that os.system() runs
    sqlMapString = "sqlmap -u " + shlex.quote(url) + " "
    if requestType == 'POST':
        sqlMapString += "--data=" + shlex.quote(dataInfo) + " "
    if cookieInfo != '':
        sqlMapString += "--cookie=" + shlex.quote(cookieInfo) + " "
    if userAgent != '':
        # --user-agent takes the bare value; --headers expects "Name: value"
        sqlMapString += "--user-agent=" + shlex.quote(userAgent) + " "
    sqlMapString += additionalParameters

    print()
    print("# Additional Parameters of " + additionalParameters)
    print("# These can be modified in the first few lines of the script")
    print()
    print(sqlMapString)
    print()
    return sqlMapString


def executeCommand(c):
    # input() returns once Enter is pressed
    input("Hit any key to execute the above sqlmap command.")
    os.system(c)


def main():
    print()
    print("## SQLMap Format Script")
    checkDir()
    openFilename = getFileName()
    sqlmapCommand = parseFilename(openFilename)
    executeCommand(sqlmapCommand)


if __name__ == "__main__":
    main()
After you execute the above script, you get output like the following:
$ ./sqlmap-tool.py
## SQLMap Format Script
Select which file to format:
1. requests-1678.raw
2. requests-1665.raw
3. requests-1664.raw
$ 1
# Additional Parameters of --dbms=mysql --level=5 --risk=3
# These can be modified in the first few lines of the script
sqlmap -u 'http://127.0.0.1/dvwa/login.php' --data='username=admin&password=password&Login=Log' --cookie='security=high; PHPSESSID=ec135ql5k3j6irk2j0ammp5l94' --headers='Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0' --dbms=mysql --level=5 --risk=3
Hit any key to execute the above sqlmap command.
If you place more than one file in the 'requests' directory, as shown above, you can choose which file to format and then execute the command upon a key press. One item to note is the additional parameters: these can be adjusted by modifying the additionalParameters line near the top of the Python script.