From 1421e6a9d4370a091d0e4c9f6f637deaf61a79b3 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Fri, 14 Dec 2012 16:18:45 +0000
Subject: [PATCH] implemented cleanup and status admin methods

---
 lib/utils/restapi.py | 42 ++++++++++++++++++++++++++++++++----------
 1 file changed, 32 insertions(+), 10 deletions(-)

diff --git a/lib/utils/restapi.py b/lib/utils/restapi.py
index cbbfc7b11..a0a4f5ac1 100644
--- a/lib/utils/restapi.py
+++ b/lib/utils/restapi.py
@@ -147,6 +147,34 @@ def task_flush(taskid):
 # sqlmap core interact functions #
 ##################################
 
+@get("/status/")
+def status(taskid):
+    """
+    Verify the status of the API as well as the core
+    """
+    if is_admin(taskid):
+        busy = kb.get("busyFlag")
+        tasks_num = len(tasks)
+        return jsonize({"busy": busy, "tasks": tasks_num})
+    else:
+        abort(401)
+
+@get("/cleanup/")
+def cleanup(taskid):
+    """
+    Destroy all sessions except admin ID and all output directories
+    """
+    global tasks
+    if is_admin(taskid):
+        for task in tasks:
+            if task == adminid:
+                continue
+            os.removedirs(options[task]["oDir"])
+        tasks = [ adminid ]
+        return jsonize({"success": True})
+    else:
+        abort(401)
+
 @get("/option//list")
 def option_list(taskid):
     """
@@ -211,16 +239,6 @@ def scan(taskid):
     return jsonize({"success": True})
 
-@get("/scan//status")
-def scan_status(taskid):
-    """
-    Verify if sqlmap core is currently running
-    """
-    if taskid not in tasks:
-        abort(500, "Invalid task ID")
-
-    return jsonize({"busy": kb.get("busyFlag")})
-
 @get("/scan//output")
 def scan_output(taskid):
     """
@@ -243,6 +261,10 @@ def download(taskid, target, filename):
     if taskid not in tasks:
         abort(500, "Invalid task ID")
 
+    # Prevent file path traversal - the lame way
+    if target.startswith("."):
+        abort(500)
+
     path = os.path.join(paths.SQLMAP_OUTPUT_PATH, target)
     if os.path.exists(path):
         return static_file(filename, root=path)
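Review bot: `os.removedirs(options[task]["oDir"])` in cleanup only deletes empty directories and then keeps climbing into empty parents, so on a populated output directory it raises OSError before `tasks` is reset (the handler answers 500 with the sessions still registered), and on an empty one it can remove the shared output root itself; `shutil.rmtree(options[task]["oDir"], ignore_errors=True)` (with `shutil` imported at the top of the file, outside this hunk) is the operation the docstring describes. The `options` entries of the destroyed tasks are left behind, so `del options[task]` in the same loop keeps the two structures in step, and a task whose entry lacks `"oDir"` should be skipped rather than abort the whole cleanup. The route strings `/status/` and `/cleanup/` (and `/option//list` in the context) read as if a `<taskid>` placeholder was lost when the patch was rendered; worth confirming against the repository before relying on this text.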
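Review bot: The `target.startswith(".")` guard in download rejects only a leading dot, so a `target` with a `..` segment after its first character, or an absolute path (which makes `os.path.join` discard `paths.SQLMAP_OUTPUT_PATH` entirely), still resolves outside the output directory before it is handed to `static_file` as `root`. Normalise and check containment instead: `root = os.path.abspath(paths.SQLMAP_OUTPUT_PATH)`, `path = os.path.abspath(os.path.join(root, target))`, `if not path.startswith(root + os.sep): abort(500)`. Bottle's `static_file` confines `filename` to the root it is given, but nothing confines `root` itself, which is what this check has to do; the comment `# Prevent file path traversal - the lame way` can then go. download's body may continue past the end of the hunk.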