Support Headers, Arbitrary URLS, #1 #2 #3

BKreisel · BKreisel · commit f2f15e964955 · 2023-11-04T14:03:08.000-06:00
diff --git a/.gitignore b/.gitignore
@@ -1,129 +1,6 @@
-# Byte-compiled / optimized / DLL files
 __pycache__/
-*.py[cod]
-*$py.class
-
-# C extensions
-*.so
-
-# Distribution / packaging
-.Python
+.vscode/
 build/
-develop-eggs/
-dist/
-downloads/
-eggs/
-.eggs/
-lib/
-lib64/
-parts/
-sdist/
-var/
-wheels/
-pip-wheel-metadata/
-share/python-wheels/
+.ruff_cache/
 *.egg-info/
-.installed.cfg
-*.egg
-MANIFEST
-
-# PyInstaller
-#  Usually these files are written by a python script from a template
-#  before PyInstaller builds the exe, so as to inject date/other infos into it.
-*.manifest
-*.spec
-
-# Installer logs
-pip-log.txt
-pip-delete-this-directory.txt
-
-# Unit test / coverage reports
-htmlcov/
-.tox/
-.nox/
-.coverage
-.coverage.*
-.cache
-nosetests.xml
-coverage.xml
-*.cover
-*.py,cover
-.hypothesis/
-.pytest_cache/
-
-# Translations
-*.mo
-*.pot
-
-# Django stuff:
-*.log
-local_settings.py
-db.sqlite3
-db.sqlite3-journal
-
-# Flask stuff:
-instance/
-.webassets-cache
-
-# Scrapy stuff:
-.scrapy
-
-# Sphinx documentation
-docs/_build/
-
-# PyBuilder
-target/
-
-# Jupyter Notebook
-.ipynb_checkpoints
-
-# IPython
-profile_default/
-ipython_config.py
-
-# pyenv
-.python-version
-
-# pipenv
-#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
-#   However, in case of collaboration, if having platform-specific dependencies or dependencies
-#   having no cross-platform support, pipenv may install dependencies that don't work, or not
-#   install all needed dependencies.
-#Pipfile.lock
-
-# PEP 582; used by e.g. github.com/David-OConnor/pyflow
-__pypackages__/
-
-# Celery stuff
-celerybeat-schedule
-celerybeat.pid
-
-# SageMath parsed files
-*.sage.py
-
-# Environments
-.env
-.venv
-env/
-venv/
-ENV/
-env.bak/
-venv.bak/
-
-# Spyder project settings
-.spyderproject
-.spyproject
-
-# Rope project settings
-.ropeproject
-
-# mkdocs documentation
-/site
-
-# mypy
-.mypy_cache/
-.dmypy.json
-dmypy.json
-
-# Pyre type checker
-.pyre/
+dist/
diff --git a/README.md b/README.md
@@ -5,20 +5,18 @@ Heavily based on an excellent writeup from Rayhan Ahmed: [Automating Blind SQL i
 
 ## Example
 ```
-sqlmap-websocket-proxy -u ws://sketchyurl.htb:8081 -p '{"uid_of_some_sort": "%param%"}' --json
+sqlmap-websocket-proxy -u ws://sketcy.lol:1337 -p '{"id": "%param%"}'
 python3 sqlmap.py -u  http://localhost:8080/?param1=1
 ```
 ## Usage
 ```bash
-usage: sqlmap-websocket-proxy [-h] -u URL -p PAYLOAD [-o PORT] [--json]
+usage: sqlmap-websocket-proxy [-h] -u URL -d DATA [-p PORT]
 
 options:
   -h, --help            show this help message and exit
-  -u URL, --url URL     URL to the websocket
-  -p PAYLOAD, --payload PAYLOAD
-                        String with params for the playload encoded as %param% (example: {"uid_of_some_sort": "%param%"})
-  -o PORT, --port PORT  Proxy Port (default: 8080)
-  --json                Escape text for JSON payloads
+  -u URL, --url URL     URL to the websocket (example: ws://vuln_server:1337/ws)
+  -d DATA, --data DATA  Paylod with injectable fields encoded as '%param%' (example: {"id": "%param%"})
+  -p PORT, --port PORT  Proxy Port (default: 8080)
 ```
 
 ## Installation
@@ -30,9 +28,15 @@ python3 -m pip install sqlmap-websocket-proxy
 
 ### Manual 
 ```bash
-python3 -m pip install sqlmap_websocket_proxy-1.0.0-py3-none-any.whl
+python3 -m pip install sqlmap_websocket_proxy-1.1.0-py3-none-any.whl
 ```
-[Download Latest Release](https://github.com/BKreisel/sqlmap-websocket-proxy/releases/download/1.0.0/sqlmap_websocket_proxy-1.0.0-py3-none-any.whl)
+
+### Git 
+```bash
+python3 -m pip install .
+```
+
+[Download Latest Release](https://github.com/BKreisel/sqlmap-websocket-proxy/releases/download/1.1.0/sqlmap_websocket_proxy-1.1.0-py3-none-any.whl)
 
 ## Demo
 [![demo](https://asciinema.org/a/550190.svg)](https://asciinema.org/a/550190?autoplay=1)
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,13 +4,13 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "sqlmap-websocket-proxy"
-version = "1.0.0"
+version = "1.1.0"
 authors = [
   { name="Brandon Kreisel", email="BKreisel@users.noreply.github.com" },
 ]
 description = "HTTP Proxy for using sqlmap against websockets"
 readme = "README.md"
-requires-python = ">=3.8"
+requires-python = ">=3.11"
 classifiers = [
     "Programming Language :: Python :: 3",
     "License :: OSI Approved :: MIT License",
@@ -22,9 +22,18 @@ dependencies = [
     "rich",
 ]
 
+[project.optional-dependencies]
+dev = [
+    "ruff"
+]
+
 [project.scripts]
-sqlmap-websocket-proxy = "sqlmap_websocket_proxy.main:cli"
+sqlmap-websocket-proxy = "sqlmap_websocket_proxy.main:main"
 
 [project.urls]
 "Homepage" = "https://github.com/BKreisel/sqlmap-websocket-proxy"
-"Bug Tracker" = "https://github.com/BKreisel/sqlmap-websocket-proxy/issues"
+"Bug Tracker" = "https://github.com/BKreisel/sqlmap-websocket-proxy/issues"
+
+[tool.ruff.lint]
+select = ["ALL"]
+extend-ignore=["T201", "DTZ005"]
diff --git a/src/sqlmap_websocket_proxy/__init__.py b/src/sqlmap_websocket_proxy/__init__.py
@@ -0,0 +1 @@
+"""sqlmap websocket proxy."""
diff --git a/src/sqlmap_websocket_proxy/console.py b/src/sqlmap_websocket_proxy/console.py
@@ -0,0 +1,32 @@
+"""Console output functions."""
+import sys
+from datetime import datetime
+
+import rich
+
+
+def error(msg: str, depth: int = 0) -> None:
+    """Print an error message."""
+    print("")
+    _rich_print("red", "⛔", msg, depth=depth)
+    sys.exit(1)
+
+def status(msg: str, depth: int = 0, symbol: str = "[*]") -> None:
+    """Print a status message."""
+    _rich_print("blue", symbol, msg, depth=depth)
+
+def success(msg: str, depth: int = 0) -> None:
+    """Print a success message."""
+    _rich_print("green", "[+]", msg, depth=depth)
+
+def warning(msg: str, depth: int = 0) -> None:
+    """Print a success message."""
+    _rich_print("yellow", "[!]", msg, depth=depth)
+
+def _rich_print(color: str, symbol: str, msg: str, depth: int = 0) -> None:
+    """Format and print messages with rich."""
+    rich.print(f"{depth * '   '}[{color}]{symbol}[/{color}] {msg}")
+
+def timestamp() -> str:
+    """Get the current timestamp."""
+    return datetime.now().strftime("%H:%M:%S")
diff --git a/src/sqlmap_websocket_proxy/handler.py b/src/sqlmap_websocket_proxy/handler.py
@@ -0,0 +1,112 @@
+"""HTTP Payload Handler."""
+import contextlib
+import json
+import sys
+from functools import partial
+from http.server import SimpleHTTPRequestHandler
+from json import JSONDecodeError
+from socketserver import TCPServer
+from typing import Any, Self
+from urllib.parse import parse_qsl, unquote
+
+import rich
+import websocket
+
+from sqlmap_websocket_proxy.console import error, status, timestamp
+
+# Don't proxy these headers
+SKIPPED_HEADERS = [
+    "connection",
+    "accept-encoding",
+    "accept",
+]
+
+class HTTPHandler(SimpleHTTPRequestHandler):
+    """HTTP Endpoint that Proxies to the  weboscket."""
+
+    def __init__(
+        self: Self,
+        url: str,
+        data: str,
+        *args: Any,  # noqa: ANN401
+        **kwargs: dict[Any],
+    ) -> None:
+        """Init."""
+        self.url = url
+        self.data = data
+
+        self.json_encode = False
+        with contextlib.suppress(JSONDecodeError):
+            json.loads(data)
+            self.json_encode = True
+            status("Detected JSON input. Auto-escaping.")
+
+        # Suppress default logging
+        self.log_message = lambda *_args: None
+
+        super().__init__(*args, **kwargs)
+
+    def do_GET(self: Self) -> None:  # noqa: N802
+        """Handle GET requests."""
+        self.send_response(200)
+        self.end_headers()
+        resp = send_inject(
+            self.url,
+            self.path,
+            self.data,
+            self.headers,
+            self.json_encode,
+        )
+        self.wfile.write(resp)
+
+def send_inject(
+    url: str,
+    path: str,
+    data: str,
+    headers: dict,
+    json_encode: bool,  # noqa: FBT001
+) -> bytes:
+    """Send sqlmap inject acrossthe websocket."""
+    params = [x for _, x in parse_qsl(path)]
+
+    if json_encode:
+        params = [unquote(x).replace('"',"'") for x in params]
+
+    for x in params:
+        data = data.replace("%param%", x, 1)
+
+    try:
+        ws = websocket.create_connection(
+            url,
+            header=[
+                f"{k}: {v}"
+                for k, v in headers.items()
+                if k.lower() not in SKIPPED_HEADERS
+            ],
+        )
+    except Exception as e:  # noqa: BLE001
+        error(f"Websocket Connection Failed: {e}")
+
+    try:
+        ws.send(data)
+        rich.print(f"[{timestamp()}] Proxied: {data}")
+        data = ws.recv()
+        return data.encode("utf-8") if data else b""
+    except Exception as err:  # noqa: BLE001
+        rich.print(f"[yellow]Request Failed: {err!s}[/yellow]")
+    finally:
+        ws.close()
+
+
+def run_server(port: int, url: str, data: str) -> None:
+    """Run the Proxy Server."""
+    try:
+        handler = partial(HTTPHandler, url, data)
+        with TCPServer(("", port), handler) as httpd:
+            status("Server Started (Ctrl+c to stop)\n")
+            httpd.serve_forever()
+    except KeyboardInterrupt:
+        status("Quitting...")
+        sys.exit(0)
+    except Exception as err:  # noqa: BLE001
+        error(f"Exception: {err}")
diff --git a/src/sqlmap_websocket_proxy/main.py b/src/sqlmap_websocket_proxy/main.py
