Created
June 29, 2012 20:18
-
-
Save brandonprry/3020398 to your computer and use it in GitHub Desktop.
wapiti_to_sqlmap_2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby | |
| #require 'active_support/secure_random' | |
| require 'rexml/document' | |
| wapiti_path = '/home/bperry/tools/wapiti/trunk/src/' | |
| sqlmap_path = '/home/bperry/tools/sqlmap/' | |
| wapiti_report_path = '/home/bperry/tmp/wapiti_report_' + rand(99999).to_s + '.xml' | |
| remote_host = ARGV[0] | |
| p "Running wapiti..." | |
| `#{wapiti_path}wapiti.py #{ARGV[0]} -f xml -o #{wapiti_report_path}` | |
| p "Report saved to #{wapiti_report_path}" | |
| p "Parsing results" | |
| results = [] | |
| report = ::File.open(wapiti_report_path, "rb") | |
| doc = REXML::Document.new report.read | |
| doc.elements.each('/report/bugTypeList/bugType') do |element| | |
| bug_type = element.attributes["name"] | |
| next if bug_type != "SQL Injection" | |
| p "Parsing " + bug_type | |
| result = {} | |
| element.elements.each("bugList/bug") do |bug| | |
| result[:type] = bug_type | |
| bug.elements.each do |child| | |
| if child.name == "url" | |
| result[:url] = child.text | |
| elsif child.name == "parameter" | |
| result[:parameter] = child.text | |
| end | |
| end | |
| results << result | |
| result = {} | |
| end | |
| end | |
| results.each do |result| | |
| next if result[:type] !~ /SQL Injection/ | |
| if result[:url].index(result[:parameter]) | |
| url = result[:url].gsub("%BF%27%22%28", "abcd") | |
| params = result[:url].split("?")[1].split("&") | |
| skipped_params = [] | |
| params.each do |param| | |
| skipped_params << param.split("=")[0] if not param.index("%BF%27%22%28") | |
| end | |
| `#{sqlmap_path}sqlmap.py --purge-output` | |
| p "Running GET sql injection test on url: " + url | |
| sqlmap_command = "#{sqlmap_path}sqlmap.py -u \"#{url}\" --smart --skip=\"#{skipped_params.join(",")}\" --technique=BEUST --flush-session --fresh-queries --level=3 --risk=2 --batch" | |
| printf "\nRunning Command: #{sqlmap_command}\n" | |
| `#{sqlmap_command}` | |
| file = File.open("#{sqlmap_path}output/#{remote_host}/log", "r") | |
| contents = file.read | |
| if contents.length > 0 | |
| printf contents | |
| else | |
| printf "SQLMap couldn't exploit the injection point. Try altering the SQLMap options to get more coverage.\n\n" | |
| end | |
| else | |
| url = result[:url] | |
| p "Running POST sql injection test on url: " + url | |
| p "With data: " + result[:parameter] | |
| parameter = result[:parameter].gsub("%BF%27%22%28", "abcd") | |
| params = result[:parameter].split("&") | |
| skipped_params = [] | |
| params.each do |param| | |
| skipped_params << param.split("=")[0] if not param.index("%BF%27%22%28") | |
| end | |
| `#{sqlmap_path}sqlmap.py --purge-output` | |
| sqlmap_command = "#{sqlmap_path}sqlmap.py -u \"#{url}\" --data=\"#{parameter}\" --skip=\"#{skipped_params.join(",")}\" --smart --technique=BEUST --flush-session --fresh-queries --level=3 --risk=2 --batch" | |
| printf "\nRunning Command: #{sqlmap_command}\n" | |
| `#{sqlmap_command}` | |
| file = File.open("#{sqlmap_path}output/#{remote_host}/log", "r") | |
| contents = file.read | |
| if contents.length > 0 | |
| printf contents | |
| else | |
| puts "SQLMap couldn't exploit the injection point. Try altering the SQLMap options to get more coverage.\n\n" | |
| end | |
| end | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment