This is a quick tutorial on how to use SQLMap within Burp Suite (Community and Pro Edition). This is extremely useful when doing security evaluations, bug bounties, and penetration tests. There are quite a few tutorials across the Internet on how to do this, but I found most of them to be old and/or fragmented.
Installing Jython Standalone
Jython is the JVM implementation of Python. To use Burp extensions written in Python, you must have the standalone version installed on your machine:
- Install Jython standalone:
- Point Burp to the location of the standalone Jython file you downloaded under Extender->Options->Python Environment. As you can see, mine is located in the /usr/local/bin directory:
Installing SQLiPy extension in Burp
- Download the SQLiPy extension in Burp under Extender->BApp Store. I already have the extension installed, but if you don’t you should see an ‘Install’ button where my ‘Reinstall’ button is located:
Using the SQLiPy Extension in Burp
To use the Burp SQLiPy extension you must first start the SQLMap API server. To do so, head over to the SQLiPy->SQLMap API tab. From here you can specify the Listen IP (I would keep this at 127.0.0.1), the Listen Port, the Python directory (automatically populated), and the SQLMap API (automatically populated):
Click the Start API button:
Once the server has successfully started, you can start scanning requests that you see in your Proxy tab. Note that this works with HTTP GET and POST requests:
After you send a request to the SQLiPy Scanner (SQLiPy->SQLMap Scanner) you can configure all your scan options, such as threads, DBMS backend, delay, etc. At a minimum, you will need to specify the parameter you want to test. Once you have configured any additional options you need, click the Scan button at the bottom of the window:
You can see live updates of the results in the SQLiPy->SQLMap Logs tab:
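As an added example (not code from this post or from the SQLiPy project), the script below shows the kind of option set the extension hands to the SQLMap API when you click Scan: it turns a raw request as copied from the Proxy tab, plus the scanner settings (parameter, threads, DBMS, delay), into the JSON document sent to sqlmapapi's scan-start endpoint. The option names are assumed to follow sqlmap's own option names, and the sample request is constructed.

```python
# Added example: map a raw Burp request + SQLiPy scanner settings onto the
# JSON options that sqlmapapi expects on POST /scan/<taskid>/start.
# ASSUMPTION: option keys match sqlmap's option names (url, data, cookie,
# headers, method, testParameter, threads, dbms, delay).

def parse_raw_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, path, headers, body.strip()

def build_scan_options(raw: str, param: str, scheme="http", threads=1, dbms=None, delay=0):
    """Build the sqlmapapi option dict for one captured request (JSON-encode before sending)."""
    method, path, headers, body = parse_raw_request(raw)
    host = headers.get("Host")
    if not host:
        raise ValueError("request has no Host header")
    cookie = headers.pop("Cookie", None)          # sqlmap takes cookies as a separate option
    for noise in ("Host", "Content-Length"):      # sqlmap regenerates these itself
        headers.pop(noise, None)
    opts = {
        "url": f"{scheme}://{host}{path}",
        "method": method,
        "testParameter": param,                   # -p: the one setting SQLiPy requires
        "threads": threads,
        "delay": delay,
    }
    if body:
        opts["data"] = body                       # POST body goes in as --data
    if cookie:
        opts["cookie"] = cookie
    if headers:
        # extra headers are passed as newline-separated "Name: value" lines
        opts["headers"] = "\n".join(f"{k}: {v}" for k, v in headers.items())
    if dbms:
        opts["dbms"] = dbms                       # the "DBMS Backend" scanner setting
    return opts

# Constructed sample request, as it would appear in Burp's Proxy history.
SAMPLE_REQUEST = ("POST /login HTTP/1.1\r\nHost: target.example\r\nUser-Agent: Mozilla/5.0\r\n"
                  "Cookie: PHPSESSID=abc123\r\nContent-Type: application/x-www-form-urlencoded\r\n"
                  "Content-Length: 30\r\n\r\nusername=admin&password=secret")
```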
I hope this serves as a useful reference for quickly setting up Burp Suite with SQLMap. Having them both in the same environment has been a lifesaver!