standalone REST API, code cleanup (#297)

This commit is contained in:
Bernardo Damele 2012-12-20 14:35:02 +00:00
parent d928cce122
commit e9ab33e9dd
4 changed files with 59 additions and 76 deletions

View File

@ -8,11 +8,9 @@ See the file 'doc/COPYING' for copying permission
import bdb import bdb
import logging import logging
import os import os
import StringIO
import sys import sys
import time import time
import traceback import traceback
import types
import warnings import warnings
warnings.filterwarnings(action="ignore", message=".*was already imported", category=UserWarning) warnings.filterwarnings(action="ignore", message=".*was already imported", category=UserWarning)
@ -24,7 +22,6 @@ from lib.core.common import dataToStdout
from lib.core.common import getUnicode from lib.core.common import getUnicode
from lib.core.common import setPaths from lib.core.common import setPaths
from lib.core.common import weAreFrozen from lib.core.common import weAreFrozen
from lib.core.convert import stdoutencode
from lib.core.data import cmdLineOptions from lib.core.data import cmdLineOptions
from lib.core.data import conf from lib.core.data import conf
from lib.core.data import kb from lib.core.data import kb
@ -35,18 +32,12 @@ from lib.core.exception import exceptionsTuple
from lib.core.exception import SqlmapMissingDependence from lib.core.exception import SqlmapMissingDependence
from lib.core.exception import SqlmapSilentQuitException from lib.core.exception import SqlmapSilentQuitException
from lib.core.exception import SqlmapUserQuitException from lib.core.exception import SqlmapUserQuitException
from lib.core.log import FORMATTER
from lib.core.log import LOGGER_HANDLER
from lib.core.log import LOGGER_OUTPUT
from lib.core.option import init from lib.core.option import init
from lib.core.profiling import profile from lib.core.profiling import profile
from lib.core.settings import LEGAL_DISCLAIMER from lib.core.settings import LEGAL_DISCLAIMER
from lib.core.settings import RESTAPI_SERVER_PORT
from lib.core.testing import smokeTest from lib.core.testing import smokeTest
from lib.core.testing import liveTest from lib.core.testing import liveTest
from lib.parse.cmdline import cmdLineParser from lib.parse.cmdline import cmdLineParser
from lib.utils.restapi import restAPIRun
from lib.utils.restapi import restAPISetup
def modulePath(): def modulePath():
""" """
@ -56,30 +47,6 @@ def modulePath():
return os.path.dirname(getUnicode(sys.executable if weAreFrozen() else __file__, sys.getfilesystemencoding())) return os.path.dirname(getUnicode(sys.executable if weAreFrozen() else __file__, sys.getfilesystemencoding()))
def restAPIServe():
# Increase default logging level to debug for RESTful API
logger.setLevel(logging.DEBUG)
# Enforce batch mode and disable coloring for RESTful API
cmdLineOptions.batch = True
cmdLineOptions.disableColoring = True
# Setup RESTful API
restAPISetup(port=cmdLineOptions.restApiPort or RESTAPI_SERVER_PORT)
# Wrap logger stdout onto a custom file descriptor (LOGGER_OUTPUT)
def emit(self, record):
message = stdoutencode(FORMATTER.format(record))
print >>LOGGER_OUTPUT, message.strip('\r')
LOGGER_HANDLER.emit = types.MethodType(emit, LOGGER_HANDLER, type(LOGGER_HANDLER))
# Wrap standard output onto a custom file descriptor
sys.stdout = StringIO.StringIO()
#sys.stderr = StringIO.StringIO()
# Run RESTful API
restAPIRun(port=cmdLineOptions.restApiPort or RESTAPI_SERVER_PORT)
def main(): def main():
""" """
Main function of sqlmap when running from command line. Main function of sqlmap when running from command line.
@ -96,9 +63,6 @@ def main():
# Store original command line options for possible later restoration # Store original command line options for possible later restoration
cmdLineOptions.update(cmdLineParser().__dict__) cmdLineOptions.update(cmdLineParser().__dict__)
if cmdLineOptions.restApi:
restAPIServe()
else:
init(cmdLineOptions) init(cmdLineOptions)
if conf.profile: if conf.profile:

View File

@ -482,9 +482,6 @@ EVENTVALIDATION_REGEX = r'(?i)(?P<name>__EVENTVALIDATION[^"]*)[^>]+value="(?P<re
# Number of rows to generate inside the full union test for limited output (mustn't be too large to prevent payload length problems) # Number of rows to generate inside the full union test for limited output (mustn't be too large to prevent payload length problems)
LIMITED_ROWS_TEST_NUMBER = 15 LIMITED_ROWS_TEST_NUMBER = 15
# Default TCP port used for REST API server instance
RESTAPI_SERVER_PORT = 8775
# Regular expression for SOAP-like POST data # Regular expression for SOAP-like POST data
SOAP_RECOGNITION_REGEX = r"(?s)\A(<\?xml[^>]+>)?\s*<([^> ]+)( [^>]+)?>.+</\2.*>\s*\Z" SOAP_RECOGNITION_REGEX = r"(?s)\A(<\?xml[^>]+>)?\s*<([^> ]+)( [^>]+)?>.+</\2.*>\s*\Z"

View File

@ -684,12 +684,6 @@ def cmdLineParser():
parser.add_option("--run-case", dest="runCase", help=SUPPRESS_HELP) parser.add_option("--run-case", dest="runCase", help=SUPPRESS_HELP)
parser.add_option("--restapi", dest="restApi", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--restapi-port", dest="restApiPort", type="int",
help=SUPPRESS_HELP)
parser.add_option_group(target) parser.add_option_group(target)
parser.add_option_group(request) parser.add_option_group(request)
parser.add_option_group(optimization) parser.add_option_group(optimization)
@ -763,7 +757,7 @@ def cmdLineParser():
if not any((args.direct, args.url, args.logFile, args.bulkFile, args.googleDork, args.configFile, \ if not any((args.direct, args.url, args.logFile, args.bulkFile, args.googleDork, args.configFile, \
args.requestFile, args.updateAll, args.smokeTest, args.liveTest, args.wizard, args.dependencies, \ args.requestFile, args.updateAll, args.smokeTest, args.liveTest, args.wizard, args.dependencies, \
args.restApi, args.purgeOutput)): args.purgeOutput)):
errMsg = "missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, --wizard, --update, --purge-output or --dependencies), " errMsg = "missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, --wizard, --update, --purge-output or --dependencies), "
errMsg += "use -h for basic or -hh for advanced help" errMsg += "use -h for basic or -hh for advanced help"
parser.error(errMsg) parser.error(errMsg)

70
lib/utils/restapi.py → lib/utils/api.py Normal file → Executable file
View File

@ -6,14 +6,15 @@ See the file 'doc/COPYING' for copying permission
""" """
import json import json
import logging
import optparse import optparse
import os import os
import shutil import shutil
import sys import sys
import StringIO
import tempfile import tempfile
import threading import threading
import types
sys.path.append(os.path.join(os.path.abspath(os.path.dirname(__file__)), "..", ".."))
from extra.bottle.bottle import abort from extra.bottle.bottle import abort
from extra.bottle.bottle import error from extra.bottle.bottle import error
@ -26,17 +27,24 @@ from extra.bottle.bottle import run
from extra.bottle.bottle import static_file from extra.bottle.bottle import static_file
from extra.bottle.bottle import template from extra.bottle.bottle import template
from lib.controller.controller import start from lib.controller.controller import start
from lib.core.common import setPaths
from lib.core.convert import hexencode from lib.core.convert import hexencode
from lib.core.convert import stdoutencode
from lib.core.data import paths from lib.core.data import paths
from lib.core.datatype import AttribDict from lib.core.datatype import AttribDict
from lib.core.data import cmdLineOptions from lib.core.data import cmdLineOptions
from lib.core.data import kb from lib.core.data import kb
from lib.core.data import logger from lib.core.data import logger
from lib.core.log import FORMATTER
from lib.core.log import LOGGER_HANDLER
from lib.core.log import LOGGER_OUTPUT from lib.core.log import LOGGER_OUTPUT
from lib.core.exception import SqlmapMissingDependence from lib.core.exception import SqlmapMissingDependence
from lib.core.option import init from lib.core.option import init
from lib.core.settings import UNICODE_ENCODING from lib.core.settings import UNICODE_ENCODING
from lib.core.settings import RESTAPI_SERVER_PORT from _sqlmap import modulePath
RESTAPI_SERVER_HOST = "127.0.0.1"
RESTAPI_SERVER_PORT = 8775
# Local global variables # Local global variables
adminid = "" adminid = ""
@ -238,6 +246,8 @@ def scan_start(taskid):
for key, value in request.json.items(): for key, value in request.json.items():
tasks[taskid][key] = value tasks[taskid][key] = value
print "TASKS:", tasks
# Overwrite output directory (oDir) value to a temporary directory # Overwrite output directory (oDir) value to a temporary directory
tasks[taskid].oDir = tempfile.mkdtemp(prefix="sqlmap-") tasks[taskid].oDir = tempfile.mkdtemp(prefix="sqlmap-")
@ -317,9 +327,9 @@ def download(taskid, target, filename):
else: else:
abort(500) abort(500)
def restAPISetup(host="0.0.0.0", port=RESTAPI_SERVER_PORT): def restAPIRun(host="0.0.0.0", port=RESTAPI_SERVER_PORT):
""" """
Setup REST-JSON API REST-JSON API server
""" """
global adminid global adminid
global tasks global tasks
@ -330,38 +340,56 @@ def restAPISetup(host="0.0.0.0", port=RESTAPI_SERVER_PORT):
logger.info("running REST-JSON API server at '%s:%d'.." % (host, port)) logger.info("running REST-JSON API server at '%s:%d'.." % (host, port))
logger.info("the admin task ID is: %s" % adminid) logger.info("the admin task ID is: %s" % adminid)
def restAPIRun(host="0.0.0.0", port=RESTAPI_SERVER_PORT): # Wrap logger stdout onto a custom file descriptor (LOGGER_OUTPUT)
""" def emit(self, record):
Run REST-JSON API message = stdoutencode(FORMATTER.format(record))
""" print >>LOGGER_OUTPUT, message.strip('\r')
LOGGER_HANDLER.emit = types.MethodType(emit, LOGGER_HANDLER, type(LOGGER_HANDLER))
# Wrap standard output onto a custom file descriptor
sys.stdout = StringIO.StringIO()
#sys.stderr = StringIO.StringIO()
# Run RESTful API
run(host=host, port=port, quiet=False, debug=False) run(host=host, port=port, quiet=False, debug=False)
def client(host, port): def client(host=RESTAPI_SERVER_HOST, port=RESTAPI_SERVER_PORT):
""" """
REST-JSON API client REST-JSON API client
""" """
addr = "http://%s:%d" % (host, port) addr = "http://%s:%d" % (host, port)
print "[*] starting debug REST-JSON client to '%s'..." % addr logger.info("starting debug REST-JSON client to '%s'..." % addr)
# TODO: write a simple client with urllib2, for now use curl from command line # TODO: write a simple client with requests, for now use curl from command line
print "[!] not yet implemented, use curl from command line instead for now, for example:" logger.error("not yet implemented, use curl from command line instead for now, for example:")
print "\n\t$ curl --proxy http://127.0.0.1:8080 http://127.0.0.1:%s/task/new" % port print "\n\t$ curl http://%s:%d/task/new" % (host, port)
print "\t$ curl --proxy http://127.0.0.1:8080 -H \"Content-Type: application/json\" -X POST -d '{\"url\": \"http://testphp.vulnweb.com/artists.php?artist=1\"}' http://127.0.0.1:%d/scan/<taskID>/start" % port print "\t$ curl -H \"Content-Type: application/json\" -X POST -d '{\"url\": \"http://testphp.vulnweb.com/artists.php?artist=1\"}' http://%s:%d/scan/:taskid/start" % (host, port)
print "\t$ curl --proxy http://127.0.0.1:8080 http://127.0.0.1:8775/scan/<taskID>/output" print "\t$ curl http://%s:%d/scan/:taskid/output" % (host, port)
print "\t$ curl --proxy http://127.0.0.1:8080 http://127.0.0.1:8775/scan/<taskID>/log\n" print "\t$ curl http://%s:%d/scan/:taskid/log\n" % (host, port)
if __name__ == "__main__": if __name__ == "__main__":
""" """
REST-JSON API wrapper function REST-JSON API main function
""" """
# Set default logging level to debug
logger.setLevel(logging.DEBUG)
paths.SQLMAP_ROOT_PATH = modulePath()
setPaths()
# Enforce batch mode and disable coloring
cmdLineOptions.batch = True
cmdLineOptions.disableColoring = True
parser = optparse.OptionParser() parser = optparse.OptionParser()
parser.add_option("-s", "--server", help="Act as a REST-JSON API server", default=RESTAPI_SERVER_PORT, action="store_true") parser.add_option("-s", "--server", help="Act as a REST-JSON API server", default=RESTAPI_SERVER_PORT, action="store_true")
parser.add_option("-c", "--client", help="Act as a REST-JSON API client", default=RESTAPI_SERVER_PORT, action="store_true") parser.add_option("-c", "--client", help="Act as a REST-JSON API client", default=RESTAPI_SERVER_PORT, action="store_true")
parser.add_option("-H", "--host", help="Host of the REST-JSON API server", default="0.0.0.0", action="store") parser.add_option("-H", "--host", help="Host of the REST-JSON API server", default=RESTAPI_SERVER_HOST, action="store")
parser.add_option("-p", "--port", help="Port of the the REST-JSON API server", default=RESTAPI_SERVER_PORT, action="store") parser.add_option("-p", "--port", help="Port of the the REST-JSON API server", default=RESTAPI_SERVER_PORT, type="int", action="store")
(args, _) = parser.parse_args() (args, _) = parser.parse_args()
if args.server is True: if args.server is True:
restAPIrun(args.host, args.port) restAPIRun(args.host, args.port)
elif args.client is True: elif args.client is True:
client(args.host, args.port) client(args.host, args.port)