Fi8sVrs

p0wnpr0xy - Proxy for SQLMap


p0wnpr0xy.py is a simple Python script that acts as an HTTP/HTTPS proxy and launches commands such as sqlmap against targets that are in scope. It relies on httpservers.py from gnucitizen to do the heavy lifting. You can download his module from here and save it to the same directory as p0wnpr0xy.

When you launch p0wnpr0xy you supply it with two arguments:

1) Part of the domain name for the in-scope hosts

2) The full command line for the tool you want to use against the target URL

p0wnpr0xy will start a proxy listener on port 8080. You modify your browser's proxy settings to browse through the proxy. The proxy will collect in-scope URLs and the cookies associated with each URL. It then walks you through all of the URLs that have been collected and gives you the option to launch the specified command on each URL. If you choose to attack the URL it will launch the command specified on the command line, replacing the string "{url}" with the URL collected and the string "{cookies}" with the cookies it has collected.

Pretty simple, but it can make repetitive tasks easier. Here is a demonstration of how you can use p0wnpr0xy along with sqlmap.

# p0wnpr0xy.py by Mark Baggett
# Download from www.pauldotcom.com
# Create a self-signed certificate and modify the '/path/to/cert/file' string to avoid HTTPS socket errors.
# Download httpservers.py from http://code.google.com/p/gnucitizen/source/browse/trunk/httpservers.py
# and place it in the same directory. (Python 2 script; httpservers.py is a Python 2 module.)

import httpservers
import SocketServer
from Queue import Queue
from threading import Thread
import time, re, sys, os
import pdb


class Handler(httpservers.SimpleObservableProxyHTTPRequestHandler):

    def observe_request(self, data):
        # pdb.set_trace()
        global inscopeurls, target_domain
        # print "REQ>>" + repr(data)[:50]
        # Queue the raw request when its Host header contains the target domain fragment.
        matchstring = r"Host:\s[\w_.]+%s" % target_domain
        matchscope = re.findall(matchstring, data, re.I)
        if matchscope:
            inscopeurls.put(repr(data))
        return data

    def observe_response(self, data):
        # print "RSP<<" + repr(data)[:50]
        return data

    def log_request(self, code):
        # Silence the per-request access log.
        pass


class Server(SocketServer.ThreadingMixIn, httpservers.SimpleObservableProxyHTTPServer):
    pass


def proxyserver():
    print 'Starting server on localhost:8080...'
    srv = Server(('localhost', 8080), Handler, '/path/to/cert/file')
    srv.serve_forever()


def printhelp():
    print """Here is your help.
sample p0wnpr0xy.py -t targetdomain.com -c "./sqlmap -u {url} --cookie: {cookies}"
"""


# Set up some global variables
num_attack_threads = 2
inscopeurls = Queue()
verbose = 0

if not "-t" in sys.argv or not "-c" in sys.argv:
    printhelp()
    sys.exit(2)

# Parse arguments: -t <domain fragment>, -c <command line ...> (rest of argv), optional -v
for i in range(1, len(sys.argv), 1):
    if sys.argv[i] == '-t':
        target_domain = str(sys.argv[i + 1])
    elif sys.argv[i] == '-c':
        cmd = " ".join(sys.argv[i + 1:])
    elif sys.argv[i] == '-v':
        verbose = 1

# Run the proxy in a daemon thread so sys.exit() from the prompt loop stops it too.
proxythread = Thread(target=proxyserver)
proxythread.setDaemon(True)
proxythread.start()

# Walk through the queued in-scope requests and ask before launching the command on each.
while 1:
    if inscopeurls.qsize() == 0:
        # print "Nothing in Queue, Waiting."
        time.sleep(5)
        continue
    queueitem = inscopeurls.get()
    # queueitem is repr(data), so the request is one line and '.*' spans the headers.
    matches = re.findall(r"GET (/[\w._/\-?=&]+).*Host:\s([\w_.]+)", queueitem, re.I)
    if matches:
        matchuri, matchdomain = matches[0]
        checkit = raw_input(":" + str(inscopeurls.qsize()) + ":P0wn http://" + matchdomain + matchuri + "? [Y/N/Q]")
        if checkit == "q" or checkit == "Q":
            sys.exit(2)
        if checkit == "y" or checkit == "Y":
            cookies = "".join(re.findall(r"cookie:\s([\w+;= ]+)", queueitem, re.I))
            cmd1 = cmd.replace("{cookies}", cookies)
            cmd2 = cmd1.replace("{url}", "http://" + matchdomain + matchuri)
            print "Launching " + cmd2
            os.system(cmd2)
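The scope check in the script above is a single unanchored regex over the raw request ("Host:\s[\w_.]+" followed by the domain fragment). The example below is added here and is not part of p0wnpr0xy.py or of PaulDotCom's post; it is Python 3, it uses constructed sample requests, and it puts that loose pattern side by side with a check that parses the Host header and requires the host to be the target domain or one of its subdomains. The point for a tester is scope control: the loose pattern misses the bare apex domain (it requires at least one character before the fragment), treats the unescaped dot as a wildcard, and accepts any host that merely contains the fragment, so a look-alike or suffixed host would be queued as in scope.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample requests for the comparison; none were captured from a real system.
REQUESTS: Dict[str, str] = {
    "apex":      "GET /index.php?id=1 HTTP/1.1\r\nHost: example.com\r\nCookie: sid=abc\r\n\r\n",
    "subdomain": "GET /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "with_port": "GET / HTTP/1.1\r\nHost: Shop.Example.com:8443\r\n\r\n",
    "lookalike": "GET / HTTP/1.1\r\nHost: notexample.com\r\n\r\n",
    "suffixed":  "GET / HTTP/1.1\r\nHost: www.example.com.attacker.test\r\n\r\n",
    "dot_wild":  "GET / HTTP/1.1\r\nHost: www.examplexcom\r\n\r\n",
    "no_host":   "GET / HTTP/1.0\r\n\r\n",
}


def loose_in_scope(raw_request: str, target_domain: str) -> bool:
    """Mirror of the pattern p0wnpr0xy uses: a domain fragment, no anchors, dot unescaped."""
    pattern = r"Host:\s[\w_.]+%s" % target_domain
    return bool(re.search(pattern, raw_request, re.I))


def host_header(raw_request: str) -> Optional[str]:
    """Return the normalised hostname from the Host header, or None if absent."""
    head = raw_request.split("\r\n\r\n", 1)[0]          # headers only, never the body
    for line in head.split("\r\n")[1:]:                 # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if host.startswith("["):                    # IPv6 literal: [addr]:port
                end = host.find("]")
                return host[1:end] if end > 1 else None
            if host.count(":") == 1:                    # strip an explicit port
                host = host.split(":", 1)[0]
            return host.rstrip(".") or None             # drop a trailing dot
    return None


def strict_in_scope(raw_request: str, target_domain: str) -> bool:
    """In scope only if the host equals the target domain or is a subdomain of it."""
    host = host_header(raw_request)
    if host is None:
        return False
    target = target_domain.lower().strip(".")
    return host == target or host.endswith("." + target)


def compare(target_domain: str = "example.com") -> Dict[str, Tuple[bool, bool]]:
    """(loose, strict) verdict for every sample request."""
    return {
        name: (loose_in_scope(req, target_domain), strict_in_scope(req, target_domain))
        for name, req in REQUESTS.items()
    }


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print("%-10s loose=%-5s strict=%s" % (name, loose, strict))
```

With the default target the two checks disagree on four of the seven requests: the apex host is in scope only under the strict check, while the look-alike, suffixed and dot-wildcard hosts are accepted only by the loose one. Anchoring the comparison on a parsed hostname rather than a substring is what keeps a proxy-driven tool from launching at hosts the engagement does not cover.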

Source: PaulDotCom: Archives
