@@ -147,6 +147,34 @@ def task_flush(taskid):
147147# sqlmap core interact functions #
148148##################################
149149
150+ @get ("/status/<taskid>" )
151+ def status (taskid ):
152+ """
153+ Verify the status of the API as well as the core
154+ """
155+ if is_admin (taskid ):
156+ busy = kb .get ("busyFlag" )
157+ tasks_num = len (tasks )
158+ return jsonize ({"busy" : busy , "tasks" : tasks_num })
159+ else :
160+ abort (401 )
161+
162+ @get ("/cleanup/<taskid>" )
163+ def cleanup (taskid ):
164+ """
165+ Destroy all sessions except admin ID and all output directories
166+ """
167+ global tasks
168+ if is_admin (taskid ):
169+ for task in tasks :
170+ if task == adminid :
171+ continue
172+ os .removedirs (options [task ]["oDir" ])
173+ tasks = [ adminid ]
174+ return jsonize ({"success" : True })
175+ else :
176+ abort (401 )
177+
150178@get ("/option/<taskid>/list" )
151179def option_list (taskid ):
152180 """
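Review bot: `os.removedirs(options[task]["oDir"])` at line 172 does not do what the `cleanup` docstring promises: `removedirs` only deletes an empty leaf directory (raising OSError on a populated output directory, which leaves the loop partly done and `tasks` unreset) and then keeps removing empty parent directories upward, so it can also delete the output base directory itself once it is emptied. Replace it with `shutil.rmtree(options[task]["oDir"], ignore_errors=True)` (adding `import shutil` if the module lacks it), and consider dropping the task's `options` entry in the same loop so the per-task configuration does not outlive its entry in `tasks` — presumably `options` is keyed by task ID, as the indexing suggests. A comment such as `# Recursively remove each non-admin task's output directory; tasks is reset to the admin-only list below` would make the intent explicit.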
@@ -211,16 +239,6 @@ def scan(taskid):
211239
212240 return jsonize ({"success" : True })
213241
214- @get ("/scan/<taskid>/status" )
215- def scan_status (taskid ):
216- """
217- Verify if sqlmap core is currently running
218- """
219- if taskid not in tasks :
220- abort (500 , "Invalid task ID" )
221-
222- return jsonize ({"busy" : kb .get ("busyFlag" )})
223-
224242@get ("/scan/<taskid>/output" )
225243def scan_output (taskid ):
226244 """
@@ -243,6 +261,10 @@ def download(taskid, target, filename):
243261 if taskid not in tasks :
244262 abort (500 , "Invalid task ID" )
245263
264+ # Prevent file path traversal - the lame way
265+ if target .startswith ("." ):
266+ abort (500 )
267+
246268 path = os .path .join (paths .SQLMAP_OUTPUT_PATH , target )
247269 if os .path .exists (path ):
248270 return static_file (filename , root = path )
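Review bot: The traversal guard added at lines 264–266 is insufficient: `target.startswith(".")` only rejects a name whose first character is a dot, so a `target` whose later path segments leave the output directory, or an absolute `target` (which makes `os.path.join` discard `paths.SQLMAP_OUTPUT_PATH` entirely), still reaches the join and the `static_file` call. Resolve the joined path and require it to remain under the output directory instead of inspecting the string, as below; `abort(500)` also misreports a rejected client value as a server error, so 403 (or 400) is the better status. `download` starts and ends outside the hunk, so the surrounding `filename` handling is not reviewed here.
```python
    # Prevent file path traversal: resolve the joined path and require it to
    # stay inside the output directory (a string-prefix check is not enough)
    base = os.path.realpath(paths.SQLMAP_OUTPUT_PATH)
    path = os.path.realpath(os.path.join(base, target))
    if not path.startswith(base + os.sep):
        abort(403)
    # … unchanged: os.path.exists check and static_file call …
```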