sqlipy icon indicating copy to clipboard operation
sqlipy copied to clipboard

Published 20 hours ago verified publisher icon codewatchorg

SQLMap API not starting

Open Bruno-Macedo opened this issue 2 years ago • 17 comments

Hello,

I'm trying to use sqlipy in the default configuration, but I am not able to start it. Below there details about the configuration and installation:

jython2.7.3

Log of Extender:

Calling: C:\Python27\python.exe C:\Users\bruno\AppData\Roaming\BurpSuite\bapps\f154175126a04bfe8edc6056f340f52e\sqlmap\sqlmapapi.py -s -H 127.0.0.1 -p 9090

Failed to start the SQLMap API

15:09:44] [INFO] Running REST-JSON API server at '127.0.0.1:9090'..
15:09:44] [DEBUG] REST-JSON API server connected to IPC database
15:09:44] [DEBUG] Using adapter 'wsgiref' to run bottle
raceback (most recent call last):

Configuration on SQLMap API: image

Configuration on Proxy: image

What am I doing wrong in this case and how could I fix it to use the extension?

Kind Regards, Bruno

Bruno-Macedo avatar Oct 04 '22 13:10 Bruno-Macedo

You are trying to run a proxy on the same port as you are running sqlmapapi. That won't work, you can't have Burp listen on the same ports as sqlmapapi - you don't need a proxy listenting on port 9090 for the API to run.

codewatchorg avatar Oct 04 '22 13:10 codewatchorg

Hello,

thank you for the fast reply. I made the following change: image

And the log gives me this message:

Calling: C:\Python27\python.exe C:\Users\bruno\AppData\Roaming\BurpSuite\bapps\f154175126a04bfe8edc6056f340f52e\sqlmap\sqlmapapi.py -s -H 127.0.0.1 -p 9090

Failed to start the SQLMap API

15:35:43] [INFO] Running REST-JSON API server at '127.0.0.1:9090'..
15:35:43] [DEBUG] REST-JSON API server connected to IPC database
15:35:43] [DEBUG] Using adapter 'wsgiref' to run bottle

The default configuration looks like that: image

As you can see I still haven't manage to start it.

Kind regards, Bruno

Bruno-Macedo avatar Oct 04 '22 13:10 Bruno-Macedo

interestingly it actually looks like it really is running since the logs show it starting up. have you run netstat to see if anything is listening on port 9090? the checks to validate whether it is running might be happening faster than it starts up making the extension think it hasn't started.

I would also just try running the above from the command line to see what errors you get. If it isn't starting, that sounds like a sqlmapapi issue, which I don't develop.

codewatchorg avatar Oct 04 '22 14:10 codewatchorg

Port 9090 is available and there is nothing running on it. I tried to run the extension with another port also.

From the command line I get the following:

[17:20:21] [INFO] Running REST-JSON API server at '127.0.0.1:9090'..
[17:20:21] [INFO] Admin (secret) token: ************************************************************
[17:20:21] [DEBUG] IPC database: 'c:\users\bruno\appdata\local\temp\sqlmapipc-dj5kye'
[17:20:21] [DEBUG] REST-JSON API server connected to IPC database
[17:20:21] [DEBUG] Using adapter 'wsgiref' to run bottle

And on the browser: image

Bruno-Macedo avatar Oct 04 '22 15:10 Bruno-Macedo

FYI, you can still use the extension without starting the API from within the extension. It looks like starting from the command line works, so you would just manually set the SQLMap API IP (in the "SQLMap Scanner" tab) to 127.0.0.1 and the port to the right port and you can send requests to the API, retrieve the logs, stop scans, and any successful results will show up in the issues tab.

Unfortunately, I don't have enough in the above to know what is going wrong. The logs indicate that it is starting the API but that the test to validate startup occurs to quickly. The API works from the command line. I cannot replicate this issue.

What version of Python 2.7 is installed? What OS are you running on? What version of Burp?

codewatchorg avatar Oct 04 '22 15:10 codewatchorg

Hi, thanks for the reply.

Python: 2.7 and 3.8 Os: Windows 11 and WSL Ubuntu Burp: Professional v2022.8.5

Bruno-Macedo avatar Oct 05 '22 09:10 Bruno-Macedo

I don't have Windows 11, but I am using Python 2.7.18, with Burp Pro v2022.8.5, and starting it from Windows 10 using those versions works fine. I can't reproduce this error (note that I have tested with 3.10.1 and at least that 3.x branch of Python does not work with the version of sqlmapapi bundled with the extension - I need to update the bundle).

codewatchorg avatar Oct 05 '22 13:10 codewatchorg

What version of Java are you using? Unfortunately, the extension was written in Python so it relies on Jython. Last I checked, Jython requires Java 1.7 or 1.8 (not the newer releases of Java).

codewatchorg avatar Oct 05 '22 14:10 codewatchorg

Sorry for the late reply.

Java 1.8.

On burp it did not work, but I was able to use it with the terminal.

Bruno-Macedo avatar Oct 06 '22 10:10 Bruno-Macedo

Actually, it does appear to work with newer versions. I had a VM that I didn't realize was using jdk-11.0.7 and it works on that version. I don't think that is the issue, as in the past it worked fine on 1.8, but I can't be sure.

In any case, I can't seem to replicate this issue on my host. Does anything get printed in the "Errors" tab (in Burp's Extender tab, click on the extension after trying to start the API and then click on the "Errors" tab below instead of "Output").

If you open the extension for editing and add "import traceback" at the top of the extension and then add: print(traceback.format_exc())

Above each line where it says: print 'Failed to start the SQLMap API\n'

That might help me resolve the issue. You would need to unload and then reload the extension, and then try to start the API again.

codewatchorg avatar Oct 06 '22 14:10 codewatchorg

Using the latest Burp Suite Professional Stable version on Windows 11 with Python 3.10.7. Clicking Start API button does not work and nothing is printed in logs. It starts the sqlmapapi.py briefly and the REST-service is accessible with a web browser for 2 seconds but all fails after that.

Running the sqlmapapi.py manually in terminal works just fine. Connecting to it directly via SQLMap Scanner tab does nothing.

bountyflow avatar Oct 07 '22 15:10 bountyflow

The connecting directly is curious as the extension doesn't require that sqlmapapi be started by the extension. Using the right IP/port should be fine.

It definitely will not work with Python 3. There is an issue with the bundled version of sqlmapapi and Python 3. I need to find some time to update the bundled version of sqlmap to the latest version in order to work with v3.

codewatchorg avatar Oct 07 '22 15:10 codewatchorg

Actually, it does appear to work with newer versions. I had a VM that I didn't realize was using jdk-11.0.7 and it works on that version. I don't think that is the issue, as in the past it worked fine on 1.8, but I can't be sure.

In any case, I can't seem to replicate this issue on my host. Does anything get printed in the "Errors" tab (in Burp's Extender tab, click on the extension after trying to start the API and then click on the "Errors" tab below instead of "Output").

If you open the extension for editing and add "import traceback" at the top of the extension and then add: print(traceback.format_exc())

Above each line where it says: print 'Failed to start the SQLMap API\n'

That might help me resolve the issue. You would need to unload and then reload the extension, and then try to start the API again.

What should I edit? The .py file? or where can I open the extension to edit?

Bruno-Macedo avatar Oct 10 '22 12:10 Bruno-Macedo

Yes, the .py file. Another thing to try, just for kicks, is setting the actual IP versus the loopback.

codewatchorg avatar Oct 10 '22 13:10 codewatchorg

Ok, I just updated the version of sqlmap used by the extension. You can download this GitHub project and load in Burp and test to see if that resolves the issue. Please test with a newer version of Java, I am testing with JDK 11. If that doesn't resolve the issue, then it might be something to do with Windows 11.

codewatchorg avatar Oct 11 '22 14:10 codewatchorg

thank you, ill do that and let you know.

Bruno-Macedo avatar Oct 11 '22 15:10 Bruno-Macedo

The update now enables support for Python 3.x as well. I successfully used it with 3.10.1.

codewatchorg avatar Oct 11 '22 15:10 codewatchorg

This appears to be a bug in Jython 2.7.3 - I have been using 2.7.2. When I used the latest Jython (2.7.3) I had the same issue but when I used 2.7.2 it worked.

codewatchorg avatar Nov 22 '22 16:11 codewatchorg

Hi guys, i had the same problem in linux with this configuration:

  • burp v. 2022.7.1 community edition
  • java v. 11.0.16
  • sqlmap v. 1.6.7
  • jython v. 2.7.3

After debugging the code i found that the problem was in file "SQLiPy.py" and the way urllib handles request/response. The issue lies in the request unicode object and response format "unicode" received from the api and this python lib doesn't like unicode values. For me, converting format to string solved the issue.

I tested this "SQLiPy.py" fix (you can find it in my fork) with both the previous plugin installed via BApp Store (with SQLiPy version 0.8.2) and using the latest files in the repo (with SQLiPy version 0.8.3). Both work while maintaining the same environment (version of java, jython, burp above). It also works with manual run sqlmapi on terminal or/and using python3. If anyone has the same problem, i hope it can help.

PS. I haven't tested it in windows OS yet.

h3xstone avatar Dec 02 '22 21:12 h3xstone

Just added the above fixes from h3xstone, didn't appear to break anything (tested on Windows).

codewatchorg avatar Dec 07 '22 17:12 codewatchorg

These updates have now been merged in the latest version within the BApp Store.

codewatchorg avatar Dec 20 '22 21:12 codewatchorg