Sqlmap plugin for BurpSuite

What is this post?

Today we present a free plugin, developed by me, so you can use the sqlmap from BurpSuite so really comfortable.

Why this plugin?

Almost always we audit a website the first thing we usually do is put an intermediate proxy to have more control over what we send to it. For some reasons I use as a proxy BurpSuite.

Do not you think it would be great when we are auditing a site can redirect a URL or request directly to the sqlmap with a simple click of a mouse? Yes, right? I think so too. For this I developed this plugin to do just that.

How do I load the plugin?

The first is to download the plugin. You can download it here: http://code.google.com/p/gason/downloads/list store it in the same folder that is the Burp.

Then we must put the following command to run the Burp with the plugin:

Linux:

java -classpath burpplugins.jar:”BurpSuite_v1.4.01.jar” burp.StartBurp

Windows:

java -classpath burpsuite_v1.4.01.jar;burpplugins.jar burp.StartBurp

My version of Burp is “v1.4.01″. If this is not your case, replace it you have.

Importantly, the plugin run either the free version and non-free version.

You don’t need Linux. Fou use it in Windows, you only need to specify path of sqlmap.

How do you use?

Once you may have loaded the plugin, use it is very simple. Just have to click the right mouse button over the url you want to test with sqlmap and you will have the option popup:

After clicking on the option “Sent to sqlmap” we see a new window that will allow us to configure sqlmap:

Once we configured the sqlmap click on “Run”. This will open a new tab with the execution of program. We can make a lot of simultaneous execution tabs with different instances, for example. Here is a sample of an execution tab:

If sqlmap requires some action on our part, we only have to click the run box and write what we need.

What else can we do?

In addition to the basic execution, we can looking for text in the run box. To do this we need only enter the text you want to search the text box “Search“. Automatically highlighting words found:

We can also save the contents of the running box int a text file. As simple as clicking a button “Save to file…“:

What next?

Using BurpSuite’s API we can do much more. Comming soon I will explain how to make your own plugin reusing libraries that I have used for this plugin. You see as it is very simple.

Also, soon I will release another plugin to integrate wfuzz.

—————

Follow me on: @ggdaniel | Linkedin: http://es.linkedin.com/in/garciagarciadaniel

Thank Alejandro (@z0mbiehunt3r), Rubén (@boken_), Dani (@dan1t0)  and Alex(@ocixela) for their suggestions and comments. And Jaime (@NighterMan) for his initial plugin, which is based the plugin.

Tags: , , , , ,

Written by
Subir

2 Responses to “Sqlmap plugin for BurpSuite”

  1. Hi I am having trouble kicking off burp with this addon enabled. I am getting the following error:

    Execption in thread “main” java.lang.NoClassDefFoundError: burp.StartBurp

    Any ideas guys?

Leave a Reply

You must be logged in to post a comment.