
Comments (16)

codewatchorg avatar codewatchorg commented on May 18, 2024

That's good feedback. The API provides log information that I might be able to add to the scan queue or if not, maybe I could add it somewhere else. It wouldn't quite be real time as it would be a thread polling the API on some regular basis, but that would still be a good addition.

from sqlipy.

wvdongen avatar wvdongen commented on May 18, 2024

One more idea: it would be really nice if there was a field where it's possible to put other config options which cannot be set by the UI. For example --prefix="'" --suffix="'" --time-sec=2.


codewatchorg avatar codewatchorg commented on May 18, 2024

I just pushed an update that adds a tab from which you can select a scan ID and then get the logs associated with that ID (up to that point).

I'm not sure how to address the extra config options issue. I thought about trying to add that at first, but the problem is that the config option names don't line up with the JSON variables. So I would have to track all the other options and write if/else statements to attempt to align submitted options and their values with the right variables for the JSON API.

Eventually, I just might add all the available options. For now, I am just trying to get a good working sqlmap integration plugin with some of the key features.

Let me know if the new SQLMap Logs tab is close to what you were wanting.

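The mapping problem described in the comment above (command-line option names versus the keys the sqlmap JSON API expects) can be handled with an explicit whitelist instead of a chain of if/else statements. The following is an added example written for this page, not code from sqlipy or from sqlmap. The JSON key names in the table (`prefix`, `suffix`, `timeSec`, `tamper`, ...) are my reconstruction of sqlmap's argparse `dest` names and should be checked against the sqlmap version in use; the `randomAgent` and `batch` flag keys are likewise assumptions. Anything not in the table is rejected rather than guessed, so a free-form "extra options" field can never pass an unreviewed option through to the API.

```python
import shlex

# Whitelist of supported sqlmap command-line options and the JSON option key
# (plus value type) the sqlmap REST API expects for each. ASSUMPTION: the key
# names are sqlmap's argparse "dest" names; verify against your sqlmap version.
OPTION_TO_JSON_KEY = {
    "--prefix": ("prefix", str),
    "--suffix": ("suffix", str),
    "--time-sec": ("timeSec", int),
    "--tamper": ("tamper", str),
    "--level": ("level", int),
    "--risk": ("risk", int),
    "--threads": ("threads", int),
    "--dbms": ("dbms", str),
}

# Options that take no value and map to a boolean True (ASSUMPTION on key names).
FLAG_OPTIONS = {
    "--random-agent": "randomAgent",
    "--batch": "batch",
}


class UnknownOptionError(ValueError):
    """Raised for any option that is not in the whitelist above."""


def parse_extra_options(text):
    """Turn a free-form options string such as

        --prefix="'" --suffix="'" --time-sec=2

    into a dict suitable for merging into the sqlmapapi option JSON.
    shlex handles the shell-style quoting, so the classic --prefix="'"
    survives as a single ' character. Both --opt=value and --opt value
    forms are accepted; unknown options raise UnknownOptionError.
    """
    result = {}
    tokens = shlex.split(text)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAG_OPTIONS:
            result[FLAG_OPTIONS[tok]] = True
            i += 1
            continue
        if "=" in tok:
            name, value = tok.split("=", 1)
        else:
            name, value = tok, None
        if name not in OPTION_TO_JSON_KEY:
            raise UnknownOptionError("unsupported option: %s" % name)
        if value is None:
            # Value form "--opt value": consume the next token as the value.
            if i + 1 >= len(tokens):
                raise ValueError("option %s is missing a value" % name)
            value = tokens[i + 1]
            i += 1
        key, convert = OPTION_TO_JSON_KEY[name]
        try:
            result[key] = convert(value)
        except ValueError:
            raise ValueError("option %s expects a %s value, got %r"
                             % (name, convert.__name__, value))
        i += 1
    return result


if __name__ == "__main__":
    # Constructed input mirroring the example given in the thread.
    print(parse_extra_options('--prefix="\'" --suffix="\'" --time-sec=2'))
    print(parse_extra_options("--tamper=between,space2plus --level 3 --batch"))
```

The returned dict can be merged into the option object sent when starting a task; because the table is the only route from user text to an API key, adding support for another option is a one-line table entry rather than a new branch.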

wvdongen avatar wvdongen commented on May 18, 2024

Nice, this is a great improvement!

I just tested it with an actual pentest I’m doing. In the ‘logs’ tab I can now nicely see what sqlmap has been doing and if any important messages were output (for example, there is a possibility that the target (or WAF) is dropping 'suspicious' requests), which I could use to investigate a URL or parameter more closely. However, I usually start a bunch of SQLi scans at the same time and currently I can’t see what URL and sqlmap settings have been used for a specific scan. I only have the log. I can only see what the settings were for the last scan that was started. Is this something that you could fix?

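The two things asked for in the comment above, only seeing what is new since the last poll and knowing which command a given log belongs to, both fall to the client, because the sqlmap API returns a task's complete log on every call to GET /scan/&lt;taskid&gt;/log. The following tracker is an added example written for this page, not code from sqlipy. It assumes the response is a JSON object with a `success` flag and a `log` list of `time`/`level`/`message` entries (my understanding of sqlmapapi's format; check it against your version), and the sample response embedded below is constructed for the example, not captured from a real scan.

```python
import json

# Constructed sample of a GET /scan/<taskid>/log response (ASSUMPTION on the
# exact shape; the entries themselves are made up for this example).
SAMPLE_LOG_RESPONSE = json.dumps({
    "success": True,
    "log": [
        {"time": "10:10:01", "level": "INFO",
         "message": "testing connection to the target URL"},
        {"time": "10:10:02", "level": "INFO",
         "message": "testing if the target URL content is stable"},
        {"time": "10:10:05", "level": "WARNING",
         "message": "target URL content is not stable"},
        {"time": "10:10:09", "level": "CRITICAL",
         "message": "connection timed out to the target URL"},
    ],
})

# Levels a reviewer should look at first (e.g. the target or a WAF dropping
# requests shows up here); everything else is routine progress output.
ATTENTION_LEVELS = {"WARNING", "ERROR", "CRITICAL"}


class ScanLogTracker:
    """Per task ID, remembers the command used to start the scan and how many
    log entries have already been shown, so each poll surfaces only new ones."""

    def __init__(self):
        self._seen = {}       # taskid -> number of entries already consumed
        self._commands = {}   # taskid -> command line recorded at start

    def register(self, taskid, command):
        """Record the command for a task so the log view can show it as a header."""
        self._commands[taskid] = command
        self._seen.setdefault(taskid, 0)

    def consume(self, taskid, raw_response):
        """Parse one log response; return (new_entries, entries needing attention).
        Entries already returned by a previous poll are skipped."""
        payload = json.loads(raw_response)
        if not payload.get("success"):
            raise RuntimeError("sqlmapapi reported failure for task %s" % taskid)
        entries = payload.get("log", [])
        start = self._seen.get(taskid, 0)
        new_entries = entries[start:]
        self._seen[taskid] = len(entries)
        flagged = [e for e in new_entries if e.get("level") in ATTENTION_LEVELS]
        return new_entries, flagged

    def render(self, taskid, entries):
        """Format entries for display, with the scan's command as the first line."""
        lines = ["# %s" % self._commands.get(taskid, "(command not recorded)")]
        for e in entries:
            lines.append("[%s] [%s] %s" % (e["time"], e["level"], e["message"]))
        return "\n".join(lines)


if __name__ == "__main__":
    tracker = ScanLogTracker()
    # Hypothetical task ID and command, constructed for the example.
    tracker.register("task-1234", "sqlmap -u http://target.example/item?id=1 --level=3")
    new, flagged = tracker.consume("task-1234", SAMPLE_LOG_RESPONSE)
    print(tracker.render("task-1234", new))
    print("entries needing attention: %d" % len(flagged))
```

In a polling thread you would call `consume` for each active task on every tick and only append what it returns to the display; the `flagged` list is what you would surface separately when several scans run at once, since that is where dropped or unstable responses show up.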

codewatchorg avatar codewatchorg commented on May 18, 2024

Would it help to print the URL and options that were run for each scan at the top of the logs output? I should be able to whip that up pretty quick.


codewatchorg avatar codewatchorg commented on May 18, 2024

I updated the log display to show the sqlmap command that was run for each task. The command is displayed at the top of the log results. I think this should make it easier to tell the status of each scan. Let me know if you have a better idea for where to display this info.


wvdongen avatar wvdongen commented on May 18, 2024

Perfect, thanks!

Is it possible to change the tamper button (file select) to a more convenient multiple selectbox? Normally I would simply do something like "--tamper=between,space2plus".


wvdongen avatar wvdongen commented on May 18, 2024

Perhaps it is a good idea to put the URL in the selectbox with the scan IDs? This way it is easier to get the status of a specific scan.

[image]


codewatchorg avatar codewatchorg commented on May 18, 2024

I just pushed out an update that adds a dash and the URL to the end of the scan ID. It seems to be working as expected, hopefully that helps.


codewatchorg avatar codewatchorg commented on May 18, 2024

I also created a new issue for enhancing the tamper script selection button.


codewatchorg avatar codewatchorg commented on May 18, 2024

I pushed another update out that adds the ability to select multiple files using the "Tamper" button. In addition, you can now clear out any selected files.


wvdongen avatar wvdongen commented on May 18, 2024

Thank you very much! I’ll let you know if more ideas come to mind :)


wvdongen avatar wvdongen commented on May 18, 2024

How about a button to cancel/stop a running scan?


codewatchorg avatar codewatchorg commented on May 18, 2024

That is a good idea, and I began working on it this evening. In testing the Sqlmap API, I tried manually killing a running scan using both "GET /scan//stop" and "GET /scan//kill" and neither worked.

I submitted the issue to the sqlmap team. If it gets fixed, I will add the feature. There is no way for me to kill it until this part of the API is resolved (I've been playing around with the API code to see if I could figure out an OS agnostic way as well).


codewatchorg avatar codewatchorg commented on May 18, 2024

The sqlmap guys fixed the API issue of killing/stopping scans within hours, so I have added this feature to the plugin.

There is now a tab that allows you to pick a scan and stop it. Note that this requires an update to sqlmap as of 10/10/2014 (it was fixed 7 or so hours ago).


codewatchorg avatar codewatchorg commented on May 18, 2024

Fixes made and features added months ago. Forgot to close this out.
