Asynchronous RESTful API to interact with sqlmap engine #297
Comments
Some references:
|
First related commit, 6e31e87 |
… client/server skeleton (issue #297)
…all HTTP responses properly and make consistent responses across methods (#297)
…can method implementation (issue #297)
…to launch a scan from the API, hurray! (issue #297)
…to have its own temporary folder for output - issue #297
As of 4c4cb85 all features present in the XML-RPC interface have been ported to the RESTful API. |
I totally support the idea of a sqlmap API (talked with stamparm about that when we met). It's a shame you guys decided against xmlrpc since it seemed the best option from my side; but I can imagine the reasons to move towards RESTful. Question: Isn't the whole idea of an API to get the results in a programmatic-friendly (if that even exists) way? I mean, what's the benefit that a user gets from calling the RESTful API (other than sqlmap being remote) if the output to a call is: {"output": "[15:57:29] [INFO] GET parameter 'artist' is 'MySQL > 5.0.11 AND... On the other side, I liked these answers from the API: {"taskid": "d35abc1537ca591729d1aa5f639811ee"} |
This is a work in progress feature. Currently, it no longer returns the whole console output. Now the |
…sqlmap is executed by the REST API - issue #297
As of 9766f60, the method /scan/:taskid/log returns a json-friendly output:
|
Hi guys, did this achieve a stable state? Would you recommend me to use it in w3af? |
@andresriancho, not yet, working on it lately.. |
…s can introduce bugs but it is necessary at this stage of development (issue #297)
… wait for the lock to go away max 3 seconds, no longer 1 only. Relevant code refactoring and minor improvements all over the API library (issue #297)
As of edd6699, the RESTful API is usable. However, there's work to be done to allow the API to get the partial output (real-time enumeration): at the moment, the API has knowledge of the enumerated data only at the end of the enumeration of the requested switch. |
…API (issue #297), not quite yet though..
We can consider this to be closed now: the API is usable, although improvements can be done and will be documented in a separate ticket. |
Hi All, Sorry if this is a stupid question but I didn't find any documentation about how to run sqlmap to test a RESTful interface which accepts only JSON. Could you help me? Thanks! |
There is currently none :). I'll just give you a quick intro. At server side:
At client side:
|
Hi @stamparm, First of all thanks so much for your quick reply. Thanks! |
All those examples I've given in
I would suggest you to research a bit what |
Hi @stamparm As I said I'm not a native speaker and sometimes I have difficulty expressing myself in English. I'm really sorry about that. Reading your answer I was thinking that sqlmapapi.py will act like a bridge between curl malicious requests... Sometimes I think I'm being rude with people when I try to talk in English. Maybe I need to improve my English more than my knowledge of RESTful interfaces. For my own good I'll do both, study RESTful and English. Maybe after that I'll be able to better understand your explanation of how sqlmapapi.py works. Thanks! |
Just one thing that may be left in the air: |
OK! Thanks! I'll try to do some tests here. |
Hi @stamparm Now I see the big misunderstanding that I made. I was confused about the purpose of sqlmapapi. :( Ricardo Iramar |
Hi @stamparm Is there a way to check if sqlmap has finished? Neither /data nor /log seem to offer this unless I missed something. |
@daremon yes, there is.
See example in attached picture: After the task finishes/terminates sqlmap API |
Perfect, thank you! |
Design and develop an asynchronous RESTful API to interact with sqlmap engine. This is useful to use/call sqlmap from custom scripts, web interface, third-party tools or similar as opposed to using it from the command line or wrapping it in a call similar to os.popen('sqlmap...').
This API will replace the XML-RPC service (#287).