API区添加用户名密码entry

needle-wang · May 17, 2019 · 4a46192 · 4a46192
1 parent eaedbb9
commit 4a46192
Show file tree

Hide file tree

Showing 13 changed files with 109 additions and 24 deletions.
diff --git a/README.md b/README.md
@@ -36,12 +36,12 @@ from sqlmap's FAQ:
 - 继续重构, 优化
 
 #### ABOUT
-1. V0.3.3  
-   2019-05-14 23:56:35  
-   作者: needle wang ( [email protected] )
-2. 使用PyGObject(Gtk+3: python3-gi)重写sqm.py
-3. 感谢[sqm](https://github.com/kxcode/gui-for-sqlmap)带来的灵感, 其作者: [KINGX](https://github.com/kxcode) (sqm UI 使用的是python2 + tkinter)
+1. V0.3.4  
+   2019-05-17 21:35  
+   作者: needle wang ( [email protected] )  
+2. 使用PyGObject(Gtk+3: python3-gi)重写sqm.py  
+3. 感谢[sqm](https://github.com/kxcode/gui-for-sqlmap)带来的灵感, 其作者: [KINGX](https://github.com/kxcode) (sqm UI 使用的是python2 + tkinter)  
 
 #### REFERENCE
-1. Gtk+3教程: https://python-gtk-3-tutorial.readthedocs.io/en/latest/
-2. Gtk+3 API: https://lazka.github.io/pgi-docs/Gtk-3.0/
+1. Gtk+3教程: https://python-gtk-3-tutorial.readthedocs.io/en/latest/  
+2. Gtk+3 API: https://lazka.github.io/pgi-docs/Gtk-3.0/  
diff --git a/handler_api.py b/handler_api.py
@@ -24,9 +24,15 @@ def task_new(self, button):
     @get("/task/new") 创建新任务
     '''
     _host = self.m._page4_api_server_entry.get_text().strip()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host:
       try:
-        _resp = requests.get('http://%s/task/new' % _host)
+        _resp = requests.get('http://%s/task/new' % _host,
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           self.task_view_append('%s: 创建成功.' % _resp['taskid'])
@@ -39,9 +45,15 @@ def admin_list(self, button):
     '''
     _host = self.m._page4_api_server_entry.get_text().strip()
     _token = self.m._page4_admin_token_entry.get_text().strip()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host and _token:
       try:
-        _resp = requests.get('http://%s/admin/%s/list' % (_host, _token))
+        _resp = requests.get('http://%s/admin/%s/list' % (_host, _token),
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         # print(_resp)
         if _resp['success']:
@@ -104,9 +116,15 @@ def option_list(self, button, taskid):
     @get("/option/<taskid>/list") 获取指定任务的options
     '''
     _host = self.m._page4_api_server_entry.get_text().strip()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host:
       try:
-        _resp = requests.get('http://%s/option/%s/list' % (_host, taskid))
+        _resp = requests.get('http://%s/option/%s/list' % (_host, taskid),
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           for _key, _value in _resp['options'].items():
@@ -121,6 +139,8 @@ def option_get(self, button, taskid):
     '''
     _host = self.m._page4_api_server_entry.get_text()
     _buffer_text = self.m._page4_option_get_entry.get_text()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     _options = {}
     for _tmp in _buffer_text.split():
       _options[_tmp] = None
@@ -130,7 +150,11 @@ def option_get(self, button, taskid):
         _headers = {'Content-Type': 'application/json'}
         _resp = requests.post('http://%s/option/%s/get' % (_host, taskid),
                               json = _options,
-                              headers = _headers)
+                              headers = _headers,
+                              auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           if _resp['options'].items():
@@ -152,6 +176,8 @@ def option_set(self, button, taskid):
     '''
     _host = self.m._page4_api_server_entry.get_text()
     _buffer_text = self._get_buffer_text(self.m._page4_option_set_view)
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     try:
       _json = ast.literal_eval(_buffer_text)
     except Exception as e:
@@ -162,9 +188,15 @@ def option_set(self, button, taskid):
       if _host:
         try:
           _headers = {'Content-Type': 'application/json'}
+          # data, json参数都要求是字典类型, 而非字符串
+          # 另外, 字典的格式比json的宽松(json不能使用单引号, 不能多个逗号)
           _resp = requests.post('http://%s/option/%s/set' % (_host, taskid),
                                 json = _json,
-                                headers = _headers)
+                                headers = _headers,
+                                auth = (_username, _password))
+          if not _resp:
+            _resp.raise_for_status()
+
           _resp = _resp.json()
           if _resp['success']:
             _mesg += '设置成功'
@@ -181,9 +213,15 @@ def admin_flush(self, button):
     '''
     _host = self.m._page4_api_server_entry.get_text()
     _token = self.m._page4_admin_token_entry.get_text()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host and _token:
       try:
-        _resp = requests.get('http://%s/admin/%s/flush' % (_host, _token))
+        _resp = requests.get('http://%s/admin/%s/flush' % (_host, _token),
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           for _a_child in self.w._api_admin_list_rows.get_children():
@@ -197,9 +235,15 @@ def task_delete(self, button, *data):
     @get("/task/<taskid>/delete") 删除指定任务
     '''
     _host = self.m._page4_api_server_entry.get_text().strip()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host:
       try:
-        _resp = requests.get('http://%s/task/%s/delete' % (_host, data[1]))
+        _resp = requests.get('http://%s/task/%s/delete' % (_host, data[1]),
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           self.w._api_admin_list_rows.remove(data[0])
@@ -213,13 +257,19 @@ def scan_start(self, button, taskid):
     要求发送json, 会执行/option/<taskid>/set
     '''
     _host = self.m._page4_api_server_entry.get_text()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host:
       _mesg = '%s: ' % taskid
       try:
         _headers = {'Content-Type': 'application/json'}
         _resp = requests.post('http://%s/scan/%s/start' % (_host, taskid),
                               json = {},
-                              headers = _headers)
+                              headers = _headers,
+                              auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           _mesg = '%sengineid: %s' % (_mesg, _resp['engineid'])
@@ -235,10 +285,16 @@ def scan_stop(self, button, taskid):
     @get("/scan/<taskid>/stop") 指定任务 停止扫描
     '''
     _host = self.m._page4_api_server_entry.get_text()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host:
       _mesg = '%s: ' % taskid
       try:
-        _resp = requests.get('http://%s/scan/%s/stop' % (_host, taskid))
+        _resp = requests.get('http://%s/scan/%s/stop' % (_host, taskid),
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           _mesg += 'ok, stoped.'
@@ -253,10 +309,16 @@ def scan_kill(self, button, taskid):
     @get("/scan/<taskid>/kill") kill -9 指定任务
     '''
     _host = self.m._page4_api_server_entry.get_text()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host:
       _mesg = '%s: ' % taskid
       try:
-        _resp = requests.get('http://%s/scan/%s/kill' % (_host, taskid))
+        _resp = requests.get('http://%s/scan/%s/kill' % (_host, taskid),
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           _mesg += 'ok, killed.'
@@ -272,10 +334,16 @@ def scan_data(self, button, taskid):
                                 data若有内容说明存在注入
     '''
     _host = self.m._page4_api_server_entry.get_text()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host:
       _mesg = '%s:\n' % taskid
       try:
-        _resp = requests.get('http://%s/scan/%s/data' % (_host, taskid))
+        _resp = requests.get('http://%s/scan/%s/data' % (_host, taskid),
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         # print(_resp)    # _resp['data'], _resp['error'] are list
         if _resp['success']:
@@ -290,10 +358,16 @@ def scan_log(self, button, taskid):
     @get("/scan/<taskid>/log") 查看指定任务的扫描日志
     '''
     _host = self.m._page4_api_server_entry.get_text()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host:
       _mesg = '%s:\n' % taskid
       try:
-        _resp = requests.get('http://%s/scan/%s/log' % (_host, taskid))
+        _resp = requests.get('http://%s/scan/%s/log' % (_host, taskid),
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           _logs = ''

diff --git a/model.py b/model.py
@@ -366,6 +366,10 @@ def __init__(self):
     self._page4_admin_list_btn = btn.new_with_label('显示任务')
     self._page4_admin_flush_btn = btn.new_with_label('删除所有任务')
     self._page4_clear_task_view_btn = btn.new_with_label('清空反馈的结果')
+    self._page4_username_label = label.new('用户名:')
+    self._page4_username_entry = et()
+    self._page4_password_label = label.new('密码:')
+    self._page4_password_entry = et()
     self._page4_option_get_entry = et()
     self._page4_option_set_view = tv()
     self._page4_task_view = tv()

diff --git a/screenshots/sqlmap-ui1.png b/screenshots/sqlmap-ui1.png
diff --git a/screenshots/sqlmap-ui2.png b/screenshots/sqlmap-ui2.png
diff --git a/screenshots/sqlmap-ui3.png b/screenshots/sqlmap-ui3.png
diff --git a/screenshots/sqlmap-ui4.png b/screenshots/sqlmap-ui4.png
diff --git a/screenshots/sqlmap-ui5.png b/screenshots/sqlmap-ui5.png
diff --git a/screenshots/sqlmap-ui6.png b/screenshots/sqlmap-ui6.png
diff --git a/screenshots/sqlmap-ui7.png b/screenshots/sqlmap-ui7.png
diff --git a/screenshots/sqlmap-ui8.png b/screenshots/sqlmap-ui8.png
diff --git a/screenshots/sqlmap-ui9.png b/screenshots/sqlmap-ui9.png
diff --git a/sqlmap_gtk.py b/sqlmap_gtk.py
@@ -375,6 +375,10 @@ def _build_page4(self):
     _row2.pack_start(m._page4_admin_list_btn, False, True, 0)
     _row2.pack_start(m._page4_admin_flush_btn, False, True, 0)
     _row2.pack_start(m._page4_clear_task_view_btn, False, True, 0)
+    _row2.pack_end(m._page4_password_entry, False, True, 0)
+    _row2.pack_end(m._page4_password_label, False, True, 0)
+    _row2.pack_end(m._page4_username_entry, False, True, 0)
+    _row2.pack_end(m._page4_username_label, False, True, 0)
 
     _row3 = Frame()
     _paned = g.Paned()
@@ -389,13 +393,14 @@ def _build_page4(self):
 
     _rbox = Box(orientation=VERTICAL)
     m._page4_option_get_entry.set_text('url risk level')
-
+    _page4_option_set_view_tip = label(label = '所有选项见sqlmap目录中的optiondict.py',
+                                       halign = g.Align.START)
     m._page4_option_set_view.set_wrap_mode(g.WrapMode.CHAR)
     _option_set_view_textbuffer = m._page4_option_set_view.get_buffer()
     _options_example = ("{\n"
                         "  'url': 'http://www.site.com/vuln.php?id=1',\n"
                         "  'level': 1, 'risk': 1,\n\n"
-                        "}\n# 所有选项见sqlmap目录中的optiondict.py\n")
+                        "}\n")
     _option_set_view_textbuffer.set_text(_options_example, len(_options_example.encode('utf8')))
     # 貌似scrollwindow要直接包含textview,
     # 不然一直回车后, 页面不会向上滚
@@ -405,6 +410,7 @@ def _build_page4(self):
     _option_set_scrolled.add(m._page4_option_set_view)
 
     _rbox.pack_start(m._page4_option_get_entry, False, True, 2)
+    _rbox.pack_start(_page4_option_set_view_tip, False, True, 2)
     _rbox.pack_start(_option_set_scrolled, True, True, 2)
 
     # Warning: don't edit pack1(), pack2() again, or it would be strange.
@@ -514,10 +520,11 @@ def _build_page6(self):
     box = Box()
 
     _about_str = '''
-    1. VERSION: 0.3.3
-       2019年 05月 14日 星期二 23:56:35 CST
+    1. VERSION: 0.3.4
+       2019年 05月 17日 星期五 21:35:32 CST
        required: python3.5+, python3-gi, sqlmap(require: python2.6+)
-       作者: needle wang ( [email protected] )\n
+       作者: needle wang ( [email protected] )
+       https://github.com/needle-wang/sqlmap-ui/\n
     2. 使用PyGObject(Gtk+3: python3-gi)重写sqm.py\n
     3. Gtk+3教程: https://python-gtk-3-tutorial.readthedocs.io/en/latest\n
     4. Gtk+3 API: https://lazka.github.io/pgi-docs/Gtk-3.0/\n\n