API区添加用户名密码entry

Author: needle-wang

README.md

@@ -36,12 +36,12 @@ from sqlmap's FAQ:
 - 继续重构, 优化
 
 #### ABOUT
-1. V0.3.3  
-   2019-05-14 23:56:35  
-   作者: needle wang ( [email protected] )
-2. 使用PyGObject(Gtk+3: python3-gi)重写sqm.py
-3. 感谢[sqm](https://github.com/kxcode/gui-for-sqlmap)带来的灵感, 其作者: [KINGX](https://github.com/kxcode) (sqm UI 使用的是python2 + tkinter)
+1. V0.3.4  
+   2019-05-17 21:35  
+   作者: needle wang ( [email protected] )  
+2. 使用PyGObject(Gtk+3: python3-gi)重写sqm.py  
+3. 感谢[sqm](https://github.com/kxcode/gui-for-sqlmap)带来的灵感, 其作者: [KINGX](https://github.com/kxcode) (sqm UI 使用的是python2 + tkinter)  
 
 #### REFERENCE
-1. Gtk+3教程: https://python-gtk-3-tutorial.readthedocs.io/en/latest/
-2. Gtk+3 API: https://lazka.github.io/pgi-docs/Gtk-3.0/
+1. Gtk+3教程: https://python-gtk-3-tutorial.readthedocs.io/en/latest/  
+2. Gtk+3 API: https://lazka.github.io/pgi-docs/Gtk-3.0/  

handler_api.py

@@ -24,9 +24,15 @@ def task_new(self, button):
     @get("/task/new") 创建新任务
     '''
     _host = self.m._page4_api_server_entry.get_text().strip()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host:
       try:
-        _resp = requests.get('http://%s/task/new' % _host)
+        _resp = requests.get('http://%s/task/new' % _host,
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           self.task_view_append('%s: 创建成功.' % _resp['taskid'])
@@ -39,9 +45,15 @@ def admin_list(self, button):
     '''
     _host = self.m._page4_api_server_entry.get_text().strip()
     _token = self.m._page4_admin_token_entry.get_text().strip()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host and _token:
       try:
-        _resp = requests.get('http://%s/admin/%s/list' % (_host, _token))
+        _resp = requests.get('http://%s/admin/%s/list' % (_host, _token),
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         # print(_resp)
         if _resp['success']:
@@ -104,9 +116,15 @@ def option_list(self, button, taskid):
     @get("/option/<taskid>/list") 获取指定任务的options
     '''
     _host = self.m._page4_api_server_entry.get_text().strip()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host:
       try:
-        _resp = requests.get('http://%s/option/%s/list' % (_host, taskid))
+        _resp = requests.get('http://%s/option/%s/list' % (_host, taskid),
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           for _key, _value in _resp['options'].items():
@@ -121,6 +139,8 @@ def option_get(self, button, taskid):
     '''
     _host = self.m._page4_api_server_entry.get_text()
     _buffer_text = self.m._page4_option_get_entry.get_text()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     _options = {}
     for _tmp in _buffer_text.split():
       _options[_tmp] = None
@@ -130,7 +150,11 @@ def option_get(self, button, taskid):
         _headers = {'Content-Type': 'application/json'}
         _resp = requests.post('http://%s/option/%s/get' % (_host, taskid),
                               json = _options,
-                              headers = _headers)
+                              headers = _headers,
+                              auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           if _resp['options'].items():
@@ -152,6 +176,8 @@ def option_set(self, button, taskid):
     '''
     _host = self.m._page4_api_server_entry.get_text()
     _buffer_text = self._get_buffer_text(self.m._page4_option_set_view)
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     try:
       _json = ast.literal_eval(_buffer_text)
     except Exception as e:
@@ -162,9 +188,15 @@ def option_set(self, button, taskid):
       if _host:
         try:
           _headers = {'Content-Type': 'application/json'}
+          # data, json参数都要求是字典类型, 而非字符串
+          # 另外, 字典的格式比json的宽松(json不能使用单引号, 不能多个逗号)
           _resp = requests.post('http://%s/option/%s/set' % (_host, taskid),
                                 json = _json,
-                                headers = _headers)
+                                headers = _headers,
+                                auth = (_username, _password))
+          if not _resp:
+            _resp.raise_for_status()
+
           _resp = _resp.json()
           if _resp['success']:
             _mesg += '设置成功'
@@ -181,9 +213,15 @@ def admin_flush(self, button):
     '''
     _host = self.m._page4_api_server_entry.get_text()
     _token = self.m._page4_admin_token_entry.get_text()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host and _token:
       try:
-        _resp = requests.get('http://%s/admin/%s/flush' % (_host, _token))
+        _resp = requests.get('http://%s/admin/%s/flush' % (_host, _token),
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           for _a_child in self.w._api_admin_list_rows.get_children():
@@ -197,9 +235,15 @@ def task_delete(self, button, *data):
     @get("/task/<taskid>/delete") 删除指定任务
     '''
     _host = self.m._page4_api_server_entry.get_text().strip()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host:
       try:
-        _resp = requests.get('http://%s/task/%s/delete' % (_host, data[1]))
+        _resp = requests.get('http://%s/task/%s/delete' % (_host, data[1]),
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           self.w._api_admin_list_rows.remove(data[0])
@@ -213,13 +257,19 @@ def scan_start(self, button, taskid):
     要求发送json, 会执行/option/<taskid>/set
     '''
     _host = self.m._page4_api_server_entry.get_text()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host:
       _mesg = '%s: ' % taskid
       try:
         _headers = {'Content-Type': 'application/json'}
         _resp = requests.post('http://%s/scan/%s/start' % (_host, taskid),
                               json = {},
-                              headers = _headers)
+                              headers = _headers,
+                              auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           _mesg = '%sengineid: %s' % (_mesg, _resp['engineid'])
@@ -235,10 +285,16 @@ def scan_stop(self, button, taskid):
     @get("/scan/<taskid>/stop") 指定任务 停止扫描
     '''
     _host = self.m._page4_api_server_entry.get_text()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host:
       _mesg = '%s: ' % taskid
       try:
-        _resp = requests.get('http://%s/scan/%s/stop' % (_host, taskid))
+        _resp = requests.get('http://%s/scan/%s/stop' % (_host, taskid),
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           _mesg += 'ok, stoped.'
@@ -253,10 +309,16 @@ def scan_kill(self, button, taskid):
     @get("/scan/<taskid>/kill") kill -9 指定任务
     '''
     _host = self.m._page4_api_server_entry.get_text()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host:
       _mesg = '%s: ' % taskid
       try:
-        _resp = requests.get('http://%s/scan/%s/kill' % (_host, taskid))
+        _resp = requests.get('http://%s/scan/%s/kill' % (_host, taskid),
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           _mesg += 'ok, killed.'
@@ -272,10 +334,16 @@ def scan_data(self, button, taskid):
                                 data若有内容说明存在注入
     '''
     _host = self.m._page4_api_server_entry.get_text()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host:
       _mesg = '%s:\n' % taskid
       try:
-        _resp = requests.get('http://%s/scan/%s/data' % (_host, taskid))
+        _resp = requests.get('http://%s/scan/%s/data' % (_host, taskid),
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         # print(_resp)    # _resp['data'], _resp['error'] are list
         if _resp['success']:
@@ -290,10 +358,16 @@ def scan_log(self, button, taskid):
     @get("/scan/<taskid>/log") 查看指定任务的扫描日志
     '''
     _host = self.m._page4_api_server_entry.get_text()
+    _username = self.m._page4_username_entry.get_text().strip()
+    _password = self.m._page4_password_entry.get_text().strip()
     if _host:
       _mesg = '%s:\n' % taskid
       try:
-        _resp = requests.get('http://%s/scan/%s/log' % (_host, taskid))
+        _resp = requests.get('http://%s/scan/%s/log' % (_host, taskid),
+                             auth = (_username, _password))
+        if not _resp:
+          _resp.raise_for_status()
+
         _resp = _resp.json()
         if _resp['success']:
           _logs = ''

model.py

@@ -366,6 +366,10 @@ def __init__(self):
     self._page4_admin_list_btn = btn.new_with_label('显示任务')
     self._page4_admin_flush_btn = btn.new_with_label('删除所有任务')
     self._page4_clear_task_view_btn = btn.new_with_label('清空反馈的结果')
+    self._page4_username_label = label.new('用户名:')
+    self._page4_username_entry = et()
+    self._page4_password_label = label.new('密码:')
+    self._page4_password_entry = et()
     self._page4_option_get_entry = et()
     self._page4_option_set_view = tv()
     self._page4_task_view = tv()