From c44a829b9bfdb172cf2d2055a711a6240e6be977 Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Wed, 9 Jan 2013 12:34:45 +0000 Subject: [PATCH] pass a pickled options object to sqlmap engine when called from API --- lib/core/option.py | 10 +++++++--- lib/parse/cmdline.py | 4 +++- lib/utils/api.py | 7 +++++-- 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/lib/core/option.py b/lib/core/option.py index 1221d525c..5746e04bb 100644 --- a/lib/core/option.py +++ b/lib/core/option.py @@ -51,6 +51,7 @@ from lib.core.common import singleTimeWarnMessage from lib.core.common import UnicodeRawConfigParser from lib.core.common import urldecode from lib.core.common import urlencode +from lib.core.convert import base64unpickle from lib.core.data import conf from lib.core.data import kb from lib.core.data import logger @@ -1766,6 +1767,9 @@ def _mergeOptions(inputOptions, overrideOptions): @type inputOptions: C{instance} """ + if inputOptions.pickledOptions: + inputOptions = base64unpickle(inputOptions.pickledOptions) + if inputOptions.configFile: configFileParser(inputOptions.configFile) @@ -2051,9 +2055,9 @@ def init(inputOptions=AttribDict(), overrideOptions=False): if not inputOptions.disableColoring: coloramainit() - else: - if hasattr(LOGGER_HANDLER, "disable_coloring"): - LOGGER_HANDLER.disable_coloring = True + elif hasattr(LOGGER_HANDLER, "disable_coloring"): + LOGGER_HANDLER.disable_coloring = True + _setConfAttributes() _setKnowledgeBaseAttributes() _mergeOptions(inputOptions, overrideOptions) diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py index fc96f4234..945fad0ad 100644 --- a/lib/parse/cmdline.py +++ b/lib/parse/cmdline.py @@ -664,6 +664,8 @@ def cmdLineParser(): help="Simple wizard interface for beginner users") # Hidden and/or experimental options + parser.add_option("--pickle", dest="pickledOptions", help=SUPPRESS_HELP) + parser.add_option("--profile", dest="profile", action="store_true", help=SUPPRESS_HELP) 
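Review bot: In `_mergeOptions` (lib/core/option.py), `base64unpickle(inputOptions.pickledOptions)` deserializes whatever string arrives through the hidden `--pickle` option added in lib/parse/cmdline.py, and unpickling can run code chosen by whoever built that string. The only producer visible in this patch is `scan_start` in lib/utils/api.py, so the option is an internal channel and should say so, for example with `# internal: base64 pickle produced by lib/utils/api.py; never accept from an untrusted source` next to the `add_option` call. A data-only encoding such as JSON would remove the risk altogether, assuming the options object holds only plain values. The unpickled object also replaces `inputOptions` outright, so any other switches given alongside `--pickle` are silently dropped, which deserves a line in the docstring. The body of `_mergeOptions` continues outside the hunk.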
@@ -757,7 +759,7 @@ def cmdLineParser(): if not any((args.direct, args.url, args.logFile, args.bulkFile, args.googleDork, args.configFile, \ args.requestFile, args.updateAll, args.smokeTest, args.liveTest, args.wizard, args.dependencies, \ - args.purgeOutput)): + args.purgeOutput, args.pickledOptions)): errMsg = "missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, --wizard, --update, --purge-output or --dependencies), " errMsg += "use -h for basic or -hh for advanced help" parser.error(errMsg) diff --git a/lib/utils/api.py b/lib/utils/api.py index e02757c49..7106814bc 100644 --- a/lib/utils/api.py +++ b/lib/utils/api.py @@ -18,6 +18,7 @@ from subprocess import Popen from lib.controller.controller import start from lib.core.common import unArrayizeValue +from lib.core.convert import base64pickle from lib.core.convert import hexencode from lib.core.convert import stdoutencode from lib.core.data import paths @@ -48,6 +49,7 @@ RESTAPI_SERVER_PORT = 8775 # Local global variables adminid = "" +procs = dict() tasks = AttribDict() # Generic functions @@ -251,6 +253,7 @@ def scan_start(taskid): Launch a scan """ global tasks + global procs if taskid not in tasks: abort(500, "Invalid task ID") @@ -266,8 +269,8 @@ def scan_start(taskid): # Launch sqlmap engine in a separate thread logger.debug("starting a scan for task ID %s" % taskid) - proc = Popen("python sqlmap.py -c %s" % config_file, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE) - stdout, stderr = proc.communicate() + procs[taskid] = Popen("python sqlmap.py --pickle %s" % base64pickle(tasks[taskid]), shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE) + stdout, stderr = procs[taskid].communicate() return jsonize({"success": True})
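Review bot: The new `Popen` call in `scan_start` builds a command string and runs it with `shell=True`, which is not needed here and makes the call depend on `base64pickle` never emitting a shell-significant character. Passing a list avoids the shell entirely: `procs[taskid] = Popen(["python", "sqlmap.py", "--pickle", base64pickle(tasks[taskid])], stdin=PIPE, stdout=PIPE, stderr=PIPE)`. Because the whole options object now travels in argv, any credentials or cookies a task's options may hold are readable from the process list on systems where other users can see process arguments; handing the payload over stdin (already a pipe) or a file with restrictive permissions would avoid that. `procs[taskid].communicate()` still blocks the handler until the child exits, so the stored handle is of no use to another request while the scan runs unless the server handles requests concurrently. The body of `scan_start` starts before the hunk.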