Jon,

On Sat, Jul 25, 2009 at 2:16 PM, Andres Riancho<andres.rian...@gmail.com> wrote:
> Steven,
>
> On Sat, Jul 25, 2009 at 12:40 PM, Steven
> Pinkham<steve.pink...@mavensecurity.com> wrote:
>> Andres Riancho wrote:
>>> Jon,
>>>
>>> On Fri, Jul 24, 2009 at 3:06 PM, jrose<jr...@owasp.org> wrote:
>>>> Hey,
>>>>
>>>> I've extended the importResult plugin to parse burp logs for input since I
>>>> often use burp when reviewing applications.
>>>
>>> I also use burp frequently and I never saw how to save/export the
>>> proxy logs. After some searching in the burpsuite help I found that the
>>> save state appears in the professional version only. Is that right?
>>
>> Save state and proxy logs are two different things.  Save state is only
>> for the Pro version, but proxy log saving is in all versions. At least
>> it used to be, doubt he has changed it in the latest version. Go to
>> Options tab, look for logging options.
>
> Thanks!
>
>> sqlmap also is able to take those burp logs and test the parameters for
>> SQL injection, which is cool.  Burp is so widely used it's a good idea
>> to be able to integrate with it.
>
> @Jon: You should also take a look at this, maybe the sqlmap guys
> already have a 100% working module for this and we are reinventing the
> wheel. I would have that!

From what I understand of the sqlmap code (line 195 of options.py):

    if os.path.isfile(conf.list):
        __feedTargetsDict(conf.list, addedTargetUrls)

    elif os.path.isdir(conf.list):
        files = os.listdir(conf.list)
        files.sort()

        for reqFile in files:
            if not re.search("([\d]+)\-request", reqFile):
                continue

            __feedTargetsDict(os.path.join(conf.list, reqFile), addedTargetUrls)

And from the configuration file (line 7 of sqlmap.conf):

    # Parse targets from Burp or WebScarab logs
    # Valid: Burp proxy (http://portswigger.net/suite/) requests log file path
    # or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
    # 'conversations/' folder path
    list =

I think that webscarab and burpsuite use the same log format. The only
difference is that webscarab saves the information across multiple
files inside a "conversations" directory, and burp uses only one file.

With all this new information, I patched the original importResults.py
file. It still needs to be improved a little, because the parser
is reading all the requests, not only the requests that are for the
w3af target host.

http://w3af.svn.sourceforge.net/viewvc/w3af?view=rev&revision=2995

Please test the code with your log files and let me know if it's
working properly, THANKS!

Cheers,

> Cheers,
>
>> --
>>  | Steven E. Pinkham                      |
>>  | Security Researcher, Maven Security    |
>>  | http://www.mavensecurity.com           |
>>  | GPG public key ID CD31CAFB             |
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> W3af-develop mailing list
>> W3af-develop@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>
>
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
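As an added example, not code from w3af, sqlmap, Burp or any of the posters above: a small importer that reads the request side of a Burp proxy log or a WebScarab conversations/ directory and keeps only the requests for the target host, which is the filtering step the message says the patched importResults.py still lacks. The log layout it expects (a "<time>  <scheme>://<host>:<port>" line before each message, messages separated by a line made only of '=' characters, responses logged as "HTTP/1.1 ..." blocks) is an assumption about older Burp logs, not something stated in the thread; the "<n>-request" file naming follows the regex in the sqlmap snippet quoted above; the sample log is constructed.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

# Assumed legacy Burp proxy-log layout (an assumption, see lead-in): a
# "<time>  <scheme>://<host>:<port>" line precedes every message, and
# messages are separated by a line consisting only of '=' characters.
SEPARATOR_RE = re.compile(r"^=+$", re.M)
META_RE = re.compile(r"^\d{1,2}:\d{2}:\d{2}(?:\s*[AP]M)?\s+(https?://\S+)$", re.I)
REQUEST_LINE_RE = re.compile(r"^([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d$")

def parse_raw_request(raw):
    """(method, target, headers, body) for a raw request; None for a response."""
    head, _, body = raw.replace("\r", "").partition("\n\n")
    lines = head.split("\n")
    m = REQUEST_LINE_RE.match(lines[0].strip())
    if not m:  # "HTTP/1.1 200 OK" and other non-requests never match
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers, body

def build_url(target, headers, base=None):
    """Absolute URL from an absolute-form request line, else base + path."""
    if target.lower().startswith(("http://", "https://")):
        return target
    if base is None:  # no scheme line (WebScarab files): fall back to Host
        if "host" not in headers:
            return None
        base = "http://" + headers["host"]  # scheme unknown here, assume http
    return base.rstrip("/") + target

def import_request(raw, target_host=None, base=None):
    """Request dict, or None if raw is not a request or not for target_host."""
    parsed = parse_raw_request(raw)
    if parsed is None:
        return None
    method, target, headers, body = parsed
    url = build_url(target, headers, base)
    if url is None:
        return None
    host = urlsplit(url).hostname or ""  # .hostname drops the port, lowercases
    if target_host and host != target_host.lower():
        return None
    return {"method": method, "url": url, "headers": headers, "body": body}

def parse_burp_log(text, target_host=None):
    """In-scope requests from one Burp log, in log order; responses are skipped."""
    found, base = [], None
    for chunk in SEPARATOR_RE.split(text.replace("\r", "")):
        chunk = chunk.strip()
        meta = META_RE.match(chunk)
        if meta:
            base = meta.group(1)  # scheme://host:port for the block that follows
        elif chunk:
            req = import_request(chunk, target_host, base)
            if req:
                found.append(req)
    return found

def order_webscarab_requests(names):
    """'<n>-request' file names in numeric order; a plain sort() as in the
    sqlmap snippet quoted above would put 10-request before 2-request."""
    names = [n for n in names if re.match(r"^\d+-request$", n)]
    return sorted(names, key=lambda n: int(n.split("-")[0]))

def parse_webscarab_dir(path, target_host=None):
    """Same result from a WebScarab conversations/ directory."""
    names = order_webscarab_requests(p.name for p in Path(path).iterdir())
    reqs = (import_request(Path(path, name).read_text(), target_host) for name in names)
    return [r for r in reqs if r]

# Constructed sample in the assumed Burp layout (not a real capture).
SAMPLE_BURP_LOG = """======================================================
10:41:22 AM  http://www.example.com:80
======================================================
GET /index.php?id=1 HTTP/1.1
Host: www.example.com

======================================================
10:41:22 AM  http://www.example.com:80
======================================================
HTTP/1.1 200 OK
======================================================
10:41:30 AM  http://cdn.other.net:80
======================================================
GET /jquery.js HTTP/1.1
Host: cdn.other.net

======================================================
10:41:45 AM  https://www.example.com:443
======================================================
POST /login HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded

user=admin&pass=secret
======================================================"""
```

Running parse_burp_log(SAMPLE_BURP_LOG, "www.example.com") keeps the GET and the POST (with its body) and drops both the response block and the cdn.other.net request; the host comparison ignores case and port so a target given as "WWW.example.com" still matches. Anything that is not on the w3af target host should be dropped at import time, otherwise an audit plugin will happily send payloads to third-party hosts that merely appeared in the proxy history.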

