I can successfully perform a sqlmap scan of my target from a host. However, if I run sqlmapapi from that same host and use SQLiPy from Burp, sqlmapapi returns connection errors.

The specific SQLiPy errors retrieved are:

INFO: 16:55:43 - testing connection to the target URL
CRITICAL: 16:55:44 - page not found (404)
WARNING: 16:55:44 - HTTP error codes detected during run: 404 (Not Found) - 1 times

The successful sqlmap scan is using the same command generated by SQLiPy.

I have also confirmed connectivity, DNS, etc. to the target.

So what is the difference between the manual command and the SQLiPy initiated command via sqlmapapi?

garthoid
  • What error (specifically) are you getting back from Burp? – HashHazard Jul 18 '16 at 21:27
  • Updated question with specific error retrieved by sqlipy. – garthoid Jul 19 '16 at 13:24
  • This sounds like the URI is wrong or missing something which is causing the 404. Can you tell *exactly* what the URI it's trying to connect to is? May want to consider opening a chat for this question if my comment doesn't trigger a lightbulb or ID the issue. Others will likely ask additional diag questions. – HashHazard Jul 19 '16 at 13:40
  • This appears to be independent of the host I have installed SQLMap on. In the Burp/SQLiPy case, against a SQLMapAPI server running locally this time, the same error as above appears in the SQLMap Logs tab. However, if I copy and paste the exact same sqlmap command that the log identifies into a CLI locally, it connects and continues testing. – garthoid Jul 19 '16 at 15:21
  • I have narrowed it down a bit, in that it appears to be related to the fact that the request is a PUT request and I have used the --method=PUT parameter for sqlmap. If I use another request, a simple GET, then there is no error returned and the scan continues from SQLiPy. This may be isolated to sqlmapapi.py usage, as running sqlmap on the CLI with the same command directly does not have the same issue. My guess is that sqlmapapi cannot handle --method, as I get the same result manually if I verb tamper. – garthoid Jul 19 '16 at 15:36
  • Sounds like you're on the right track. So do you have your answer? If so, I'd update your question with the additional info and maybe even answer your own question (for future viewers). – HashHazard Jul 19 '16 at 17:17
  • No answer as of yet but I believe it is sqlmapapi not passing on the --method= parameter. Once I have an answer I will post. – garthoid Jul 19 '16 at 17:33
  • So this test by the creator of sqlmap proves that it's not sqlmapapi. https://github.com/sqlmapproject/sqlmap/issues/2044 – garthoid Jul 19 '16 at 22:49
  • I am the developer of SQLiPy. I will work on adding an option to change the VERB, and pass it to the sqlmapapi. Follow the project on GitHub for changes: https://github.com/codewatchorg/sqlipy – Josh Berry Aug 24 '16 at 21:00

1 Answer

I have added an update to SQLiPy that will hopefully be incorporated into the BApp store soon that allows the user to toggle the HTTP method/verb. If you don't want to wait on the update in the BApp store, you can get it at https://github.com/codewatchorg/sqlipy. The latest version is 0.5.2.

Josh Berry
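
The symptom discussed in this thread (the same URL answers a PUT but returns 404 once the verb changes) can be reproduced locally. This is an added example, not code from the thread or from SQLiPy/sqlmap; the path `/api/item/1`, the handler `PutOnlyHandler` and the function `probe_verbs` are hypothetical names for a constructed localhost endpoint.

```python
# Added example: a constructed PUT-only endpoint on localhost, probed with
# several verbs to show why a dropped --method setting surfaces as a 404.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class PutOnlyHandler(BaseHTTPRequestHandler):
    """Hypothetical target: /api/item/1 is routed for PUT only."""

    def _reply(self, status):
        # Drain any request body before answering.
        length = int(self.headers.get("Content-Length", 0))
        if length:
            self.rfile.read(length)
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_PUT(self):
        self._reply(200 if self.path == "/api/item/1" else 404)

    def do_GET(self):
        # No route exists for this verb, so the resource is "not found".
        self._reply(404)

    do_POST = do_GET

    def log_message(self, *args):
        pass  # keep the probe output quiet


def probe_verbs(path="/api/item/1", verbs=("GET", "POST", "PUT"), body=b"name=test"):
    """Send the same request with each verb and return {verb: status}."""
    server = HTTPServer(("127.0.0.1", 0), PutOnlyHandler)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {}
    try:
        for verb in verbs:
            conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
            conn.request(verb, path, body=None if verb == "GET" else body)
            results[verb] = conn.getresponse().status
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for verb, status in probe_verbs().items():
        print(f"{verb:5} -> {status}")
```

When a tool chain reports a 404 that the equivalent CLI run does not, comparing the verb actually sent on the wire (for example in Burp's proxy history) against the intended one is a quick first check.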