jgillam / burp-co2

A collection of enhancements for Portswigger's popular Burp Suite web penetration testing tool.

License: Other

Java 99.42% HTML 0.58%

burp-co2's People

Contributors

ahri, ctausendfreund, hannah-portswigger, jgillam, mike-smith-ps, pajswigger, spinkham

burp-co2's Issues

Risk level is 0

I have to change the risk level every time I send a request to SQLMapper, because it is set to 0.

I would like to prepare pull request, but could you tell me how to load project in IntellijIDEA?

CeWLer improvement

Hi,

I'm using the CeWLer module of CO2 quite often to extract words from web pages and then use those words with Intruder for attacks such as parameter pollution. However, I just noticed that the CeWLer extraction doesn't include words with "-" and "_" characters.

Do you think it is possible to add an option to include special characters like hyphen and underscore?

This will be particularly interesting when trying to extract variables.

Cheers,

More options for session management

That reminds me: you could also add a few new commands, the "--safe-url=", "--safe-freq=" and "--safe-post=" parameters, for basic session management in CO2; I think it could be used by many people :) Although I couldn't find "--safe-post=" in the official documentation, it does work, and when I need to do a POST to a login page with some data (e.g. "username=user&password=password1") it is possible to do so.

Copied from #8

sqlmap dbms not registering

I am having an issue where, even after selecting a specific DB like mysql for the dbms field and having it register in the command line, sqlmap presents a warning: "using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'". If I remove cookies then sqlmap registers that a dbms has been defined.

I am thinking that there is a character that is "hiding" the rest of the command. Suggest at a minimum reordering the arguments to place --dbms and other arguments that are not likely to have unpredictable data to the front of the command line.

Example command line, as generated by CO2:

-u "http://www.REDACTED.com:80/sea?q=tired&Search=&t%5B%5D=60&t%5B%5D=59&t%5B%5D=20&t%5B%5D=17" --cookie="94d67bced54846a78374da8a9e1923d9=4r5p7c9rnen9u34p5kajrp1c00; __utma=219911813.1445517679.1465752379.1461003756.1451012151.7; __utmc=219911513; __utmz=219911813.1460752379.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 3add0229b872e48831e0e4883c960c74=3vft7gcain5ifhqmndh77k0rr3; __utmb=219911813.6.10.1461012151; __utmt=1" --dbms="mysql"

Multiple cookies get truncated

Currently if you send a request with multiple cookies in it SQLMap will truncate it. This seems to be due to a flaw in SQLMap where a space separator between cookies causes all but the first to be truncated from the input (this was checked by running SQLMap through Burp). However this behavior is also due to a flaw in the SQLMapper module which adds spaces between cookies. If this space is removed and cookie names and values are trimmed (of whitespace on end), SQLMapper should be able to send SQLMap cookies in the correct format regardless of any flaw in SQLMap.

Possible improvements

  1. Session management
    As Burp has already a session management built-in, would it be possible to incorporate it within the SQLMapper? Or even a half way (if returned XZY in response, I'm out of session, invoke Burp session management macro, get a fresh session parameter YZX and use it in header within cookies).
  2. Dropdown menus for technologies used
    I have to go into manual and search for possible DBMS (e.g. mssql) and OS (e.g. Windows). Would it be possible to simply choose these from dropdown menus?
  3. Run button
    When path to sqlmap.py is not set, Run button is grayed out. Would it be possible to have some asterisk/question mark nearby? As "Config" appears to belong to "Extra SQLmap params" rather than to Run button; and I'm probably not the only one who had a hard time figuring it out for the first time.
  4. Active scan
    I can see that it is possible to scan 1 request at a time. However, would it be possible to actually incorporate this into an Active scan? Hence many more requests could be scanned.

Make config more obvious for Run Button

Run button: When the path to sqlmap.py is not set, the Run button is grayed out. Would it be possible to have some asterisk/question mark nearby? As "Config" appears to belong to "Extra SQLmap params" rather than to the Run button; and I'm probably not the only one who had a hard time figuring it out for the first time.

Copied from #8

SQLMapper should invoke a shell within Burp

Comment from blog post:

Just a suggestion: ask the user to add an env var $sqlmap_path with the path to the sqlmap in the system and add a button to call the sqlmap (opening the cmd/terminal) using the $sqlmap_path with the parameters. This approach is much better than copying the command, opening the terminal and pasting the command to run... Just a suggestion.

Original issue reported on code.google.com by [email protected] on 23 Feb 2014 at 9:15

select sql server

When you indicate in the GUI that the DBMS server is SQL SERVER, in the command it creates it puts a space after the name before the quote, and it always gives an error; it must be modified.

I mean this:
--level = 5 --risk = 3 --dbms = 'Microsoft SQL Server'
That space before the comma gives an error.

Thank you !!!

Crawl

On the Detection tab, add Crawl with a pop-up (1-10).

DropDown selections for static values

Dropdown menus for technologies used: I have to go into the manual and search for possible DBMS (e.g. mssql) and OS (e.g. Windows) values. Would it be possible to simply choose these from dropdown menus?

copied from #8

CeWLer doesn't support accented characters

CeWLer can't parse non-ASCII characters, which results in incomplete words and useless dictionaries on sites in which content is written in another language than English.

For example:
disposici --> disposición
distribu --> distribución

I think it would be useful to have another text box which lets users decide if they want to standardize output, like this way:
disposici --> disposicion
distribu --> distribucion

In cewl I work around this by setting the regex to something like &[[:alpha:]]*; and then I clean the words with unicodedata.normalize('NFKD', data).encode('ASCII', 'ignore'), but I cannot find the right way to do this with your extension.

Great extension by the way!
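An added example, not code from the burp-co2 project, showing the word-extraction behaviour requested in the "CeWLer improvement" and "CeWLer doesn't support accented characters" issues above: a Unicode-aware extractor with an optional mode that keeps '-' and '_' inside words and an optional NFKD fold to plain ASCII (the approach the reporter uses with cewl). The sample text and the function and option names are constructed for this illustration.

```python
import re
import unicodedata
from collections import Counter

# A letter in any script: Unicode-aware \w minus digits and underscore, so
# "disposición" is one word instead of being cut at the accented character.
LETTER = r"[^\W\d_]"
WORD_PLAIN = re.compile(LETTER + r"+")
# Optional mode: allow '-' and '_' inside a word (never at either end), so
# identifiers such as user_name or first-name survive extraction intact.
WORD_EXT = re.compile(LETTER + r"(?:(?:[^\W\d]|-)*" + LETTER + r")?")


def fold_ascii(word: str) -> str:
    """Strip diacritics: NFKD decomposition, then drop the combining marks."""
    return unicodedata.normalize("NFKD", word).encode("ascii", "ignore").decode("ascii")


def extract_words(text: str, min_len: int = 3, keep_hyphen_underscore: bool = False,
                  ascii_fold: bool = False) -> Counter:
    """Return a Counter of lower-cased words of at least min_len characters."""
    pattern = WORD_EXT if keep_hyphen_underscore else WORD_PLAIN
    counts = Counter()
    for match in pattern.finditer(text.lower()):
        word = fold_ascii(match.group(0)) if ascii_fold else match.group(0)
        if len(word) >= min_len:      # length checked after folding
            counts[word] += 1
    return counts


# Constructed sample text, not taken from any real site.
SAMPLE = "La disposición y distribución del user_name y first-name."

if __name__ == "__main__":
    for flags in ({}, {"keep_hyphen_underscore": True}, {"ascii_fold": True}):
        print(flags, dict(extract_words(SAMPLE, **flags)))
```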

SQLMapper Proxy Connection

Hello,

The Proxy Connection Tab in SQL Mapper is a great feature; however, it does not appear to utilize the proper syntax:

Example: --proxy=192.168.1.2:8080

This should be corrected to: --proxy='(http|https|socks4|socks5)://address:port'

Example: --proxy='https://192.168.1.2:8080'

Keep up the great work!

-kevcody

User agent

On the General/Misc. tab, add User Agent with a pop-up (random, etc).

co2-all.jar identified as trojan by Bitdefender

I've tried installing the CO2 extension in Burp Suite several times, and Bitdefender repeatedly identifies the co2-all.jar as a trojan:

Threat successfully deleted.
Feature: Antivirus
An infected file attempted to run on your device.
Threat name: Trojan.Generic.32433175
Path: /Users/[USER]/.BurpSuite/bapps/c5071c7a7e004f72ae485e8a72911afc/build/libs/co2-all.jar
We deleted the file to prevent malicious commands from being executed on your device.

I checked the release notes and searched the entire repo and unless I'm missing it, I don't see any mention of this. To reproduce:

  1. Install Bitdefender Antivirus.
  2. Install the CO2 extension in Burp.

You can uninstall, reinstall repeatedly, same behavior.

Any idea why this is? I have no problem with any other Burp Suite extensions. Would be nice to eliminate it if (presumably) it is a false positive. I look forward to your reply.

Thx, axzhandul

DBMS

On the Enumeration tab, add DBMS with a pop-up (MSSQL, MySQL, Oracle, etc.).

sqlmapper scans only the first parameter

Let's say in the post data I have the following:
AuthenticationMethod=MemberAuthenticator&Email=a&Password=a

It seems to only scan AuthenticationMethod and exits sqlmap immediately

Addition of "extra header" option

SQLMap supports adding extra headers, which can be useful for adding in currently valid authorization tokens when an application isn't using traditional cookies.

SQLMapper - Anomaly using basic auth and username with special char

What steps will reproduce the problem?
1. Using a password string with a special char in the "Options tab" to use basic authentication with sqlmap.

What is the expected output? What do you see instead?
The server returns a 401 HTTP code... but using sqlmap manually it works fine. I tried also using "password!" and password\!

What version of the product are you using? On what operating system?
Burp 1.6, burp-co2 1.1.7, python 2.7.9 on Windows 7 64 bit :(

Original issue reported on code.google.com by [email protected] on 26 Jan 2015 at 12:44

Option to specify python path/version

Hi,
Would be great if there was an option in the SQLMapper tab to specify the python path/version to use since a lot of distros (Arch Linux for example) use Python 3 by default which isn't supported yet by SQLMap.
Thanks, love this project btw :)

send to sqlmapper removing the last character of the cookie.

Hi, forgive me if this is the wrong place to post this, but I noticed that the cookie value loses its last character from the request when selecting to send to SQLMapper.

for example the following request

GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1
Host: 192.168.93.155
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.93.155/dvwa/vulnerabilities/sqli/
Cookie: security=low; PHPSESSID=m5m4pg0bq0qp3s2ner1vpo6kb3
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

clearly the cookie is set to Cookie: security=low; PHPSESSID=m5m4pg0bq0qp3s2ner1vpo6kb3

once right clicked and chosen to send to SQLMapper the cookie gets populated with the following
security=low;PHPSESSID=m5m4pg0bq0qp3s2ner1vpo6kb; where it is missing the 3 at the end.

Thanks

User Generator Common Nicknames is processing on surnames

Steps:

1. Go to User Generator
2. Check the +Common Nicknames box
3. Press the Add Combos button

Notice that surnames are getting nicknames as well (e.g. Smith is showing up as "Smitty"). This isn't a huge deal since these are additional names, but they are cluttering top results with some much less likely ones.

Original issue reported on code.google.com by [email protected] on 24 Feb 2014 at 3:13

java.lang.NoSuchMethodError

What steps will reproduce the problem?
1. loading the burp-co2 in burp pro 1.5.09 using extender
2. V0.4 and v0.5 will generate a tab, v0.6 just produced the error below.
3. No version will produce a context menu.

What is the expected output? What do you see instead?
    at com.professionallyevil.co2.cewler.CewlerTab.<init>(CewlerTab.java:77)
    at com.professionallyevil.co2.Co2Extender.registerExtenderCallbacks(Co2Extender.java:68)
    at burp.BurpExtender.registerExtenderCallbacks(BurpExtender.java:11)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at burp.jqc.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

What version of the product are you using? On what operating system?
Kali GNU/Linux 1.0.9
java version "1.7.0_67"
Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
Java HotSpot(TM) 64-Bit Server VM (build 24.65-b04, mixed mode)
BurpSuite Pro 1.5.09

Please provide any additional information below.

Original issue reported on code.google.com by [email protected] on 24 Sep 2014 at 1:28

Invalid usage of parameters when "Run" is pressed

I sent my HTTP request to CO2 SQLmapper. I set following options in GUI:
--text-only -p "search" --dbms="mssql" --os="windows" --threads=1
I configured path to sqlmap.py and pressed Run. However, I can see in CMD that it is ignoring parameters which I entered, because it is trying to use "PostgreSQL", "MySQL", and other technologies.
When I just copy+paste the same SQLMap command generated into another instance of SQLMap, it is working as expected and only MSSQL is used. Hence I guess that after pressing "Run", parameters are somehow not correctly propagated into the CMD window launched by Burp CO2.

java.lang.UnsupportedClassVersionError

What steps will reproduce the problem?
1. loading the burp-co2 in burp pro 1.5.21 using extender

What is the expected output? What do you see instead?
java.lang.UnsupportedClassVersionError: burp/BurpExtender : Unsupported major.minor version 51.0
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClassCond(Unknown Source)
    at java.lang.ClassLoader.defineClass(Unknown Source)
    at java.security.SecureClassLoader.defineClass(Unknown Source)
    at java.net.URLClassLoader.defineClass(Unknown Source)
    at java.net.URLClassLoader.access$000(Unknown Source)
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Unknown Source)
    at burp.e5b.a(Unknown Source)
    at burp.e5b.<init>(Unknown Source)
    at burp.gb.a(Unknown Source)
    at burp.au.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

What version of the product are you using? On what operating system?
windows 7 64 
java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b05)
Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01, mixed mode)
burp pro 1.5.21
Please provide any additional information below.

Original issue reported on code.google.com by [email protected] on 24 Feb 2014 at 3:29
