codewatchorg / sqlipy Goto Github PK
View Code? Open in Web Editor NEWSQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API.
License: The Unlicense
SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API.
License: The Unlicense
Hello,
Often, I do not want to scan cookies. Can there be an option to just scan query and body parameters?
Hello,
Have seen it quite a few times where Burp finds a parameter is an FP when further testing identifies the injection point is actually valid. This would be great to record as informational or FP in the Issues view.
root@kali:~/sqlipy# python SQLiPy.py
Traceback (most recent call last):
File "SQLiPy.py", line 25, in
from burp import IBurpExtender
ImportError: No module named burp
Is there some kind of magic happening between sqlipy in burp and the sqlmapapi? I take the exact command used in sqlipy in burp that will find a sql injection in a post request. I take the same command in the command line and it doesn't find it...
Also where is sqlipy storing it's found sql injections?
Thanks!
I'm, wondering if it would be possible to incorporate a Burp session management functionality. When I perform tests, I'm kicked out of the session by WAF. Since Burp already contains session management and is able to create a session again; would it be feasible to use this as well?
Thanks for this great tool:)
Hello
This is a great plugin!... but it doesn't return results from the scan. I have a test app that sqlmap scans the injection just fine when you run without the plugin but when using the plugin the output returns no results even though the logs say it was able to inject and retrieve data. Any ideas?
jython beta1 and beta3 tested and still nothing
python 2.7
latest sqlmap from github repo.
burp 1.6.05 pro
java -version returns the following:
java version "1.7.0_60"
Java(TM) SE Runtime Environment (build 1.7.0_60-b19)
Java HotSpot(TM) 64-Bit Server VM (build 24.60-b09, mixed mode)
Hi Team
I would like ask about sqlmap integrate with Burp.The issue is about keep setting by sqlmap .All time when I start Burp extension do not hold path for python.
I have to manual show path .It is any option to remember path for sqlmaps.
This is my path for python which should be keep by extension all time .??
I noticed today when updating my system which required a reboot, when I reopened Burp i noticed the logs from scans I had run previously were gone.
It would be nice to have an input field to save the output when a scan is finished or ended.
SQLmap uses Python 2, so distributions like Arch that default to Python 3 need to use python2.
On Windows, many users do not add Python to the path, but the location is available in the registry.
If Python 2 is not available, it would be useful to provide the user with a message.
Hi!
I'm working with Burpsuite v2021.3.2, I have python 2.7 installed, also added jython 2.7.2 to Burpsuite extensions. SQLiPy is installed with the last available version, SQLMAP API is also running.
The problem is that when I set the scan parameters and configuration, and click "Start Scan", nothing is shown in the scan list in the "SQLMAP logs" tab.
I am running Java SE 14, with python 2.7
I have tried many things but none solved the issue.
Note: I can see a new python process appear in the windows task manager every time I start a scan, but nothing shows within the SQLiPy log tab.
Hi,
Is it possible to add a tor option to the scanner at all?
the latest sqlmap has an option for it and could not see an option for socks proxy on the addon.
Hello @maintainer
It would be better if can get the logs and progress as live rather than clicking on get button, same as the flow like sqlmap cli
I'm running burp 2021.5.2. Just added sqlipy sqlmap integration from the BAapp store. The SQLipy tab appears, but not the right click integration. I've restarted burp, reinstalled the extension, but no go.
I'm running jython 2.7.2.
Any ideas?
Great job!
Here are a few things that could be nice additions I think. Better overview of what scans are running. Show SQLiPY tests in the scan queue of Burp? Currently you would have to go the extender and look at the output to see “Scan for task 9fb2cdda8d37dd3e is still running.”. I don’t know if this is possible with sqlmapapi, but for a specific SQLiPy scan it would be nice to have some kind of status, what type of injections are currently being tested for example.
As an option.. Instead of having to send and then navigate to the tab and starting the scan. For me, I'm always using my last configured scan settings so going to the tab to configure options isn't necessary.
Using an environment with a small window, the "Start Scan" button is hidden.
The scrollbar in burp goes until the "Tamper Scripts" input but stops at that. The button is effectively below the viewport of burp.
I expect the problem lies in these two lines:
self._jButtonStartScan.setBounds(346, 1047, 103, 29)
self._jScanPanel.setPreferredSize(awt.Dimension(1010,1010))
Hi Josh,
First of all thank you for writing this awesome burp extension, it comes real handy in identifying parameters vulnerable to sql injection using SQLMap. However, I have been facing this issue where I don't see "Start Scan" button in SQLMAP Scanner Tab. I reached out to Burp Support and they were able to see the "Start Scan" button somehow.
I have tried the following things:
but nothing seems to be working, I am using Burp (Paid and Free) and Jython latest version.
There are no errors generated only the following output:
Calling: /usr/bin/python /usr/share/sqlmap/sqlmapapi.py -s -H 127.0.0.1 -p 8888
[06:36:49] [INFO] Running REST-JSON API server at '127.0.0.1:8888'..
[06:36:49] [INFO] Admin ID: 683e40ffbf9de08abf671fe0baec0532
[06:36:49] [DEBUG] IPC database: /tmp/sqlmapipc-sHXl8u
[06:36:49] [DEBUG] REST-JSON API server connected to IPC database
What do you think could be causing this issue?
Let us know your thoughts on this.
-Ishan
Hi,
I think it would be great to have an option to see a table view of results:
Columns would look like:
Endpoint | Parameter | Options | Success | False Positive | Raw Output
Where False Positive is anytime SQLMAP preliminarily flags the parameter as a possible injection point.
Hello,
I'm trying to use sqlipy in the default configuration, but I am not able to start it. Below there details about the configuration and installation:
jython2.7.3
Log of Extender:
Calling: C:\Python27\python.exe C:\Users\bruno\AppData\Roaming\BurpSuite\bapps\f154175126a04bfe8edc6056f340f52e\sqlmap\sqlmapapi.py -s -H 127.0.0.1 -p 9090
Failed to start the SQLMap API
15:09:44] [INFO] Running REST-JSON API server at '127.0.0.1:9090'..
15:09:44] [DEBUG] REST-JSON API server connected to IPC database
15:09:44] [DEBUG] Using adapter 'wsgiref' to run bottle
raceback (most recent call last):
What am I doing wrong in this case and how could I fix it to use the extension?
Kind Regards,
Bruno
The App in BurpSuite does not have an option to specify technique thus requiring the user to manually copy and paste the sqlmap command into a terminal in order to specify the technique
Hello,
I use Burp(Version: 1.7.19
) and sqlmap(Version: 1.1.11#stable
) just now, and i use sqlipy to connect them as usual.
But i found that sqlipy can not report SQL Injection Vulnerability as the blog says. So i modify the source code, add some traceback information and re-run, something interesting has been found.
sqlipy raise EXCEPTION when parse sqlmap api resonse JSON data.
I adjustment some parameters in the sqlipy and all thing work well. Just as fllow.
Maybe sqlmap api response JSON has been changed. So it's better to update sqlipy to follow sqlmap.
If you use injection point (*
or %INJECT HERE%
) in a POST Data request with JSON (e.g. { "name" : "value*" }
) sqlmap is actually URL encoding the special characters (e.g. %7B%20%22name%22%20%3A%20%22value%22%20%7D) before sending to the server.
I've noticed this problem because I'm intercepting all the sqlmap requests with a proxy.
Without SQLipy extension sqlmap do not perform the URL encoding.
Preface - I tried following the troubleshooting steps in the other issue regarding the API not starting but it didn't solve it.
I'm on the latest version of Kali Linux VM using VirtualBox. Latest version of BurpSuite Community Edition.
Jython version is jython-standalone-2.7.3.jar
When I try and start SQLMap API through burp it doesn't work, so I launch it through the CLI and (see screen shot below) it looks like it's run successfully but Burp still shows that the API is not running.
So far I've tried using python 3 and python 2, different ports and reinstalling burp all to no avail.
Greatly appreciate any help, thx.
SQL Map API Successfully running in CLI:
BurpSuite UI:
Using Jython Standalone 2.7.2 (not sure if that is relevant) and Python 3.12 I was unable to start the sqlmap API using the Burp panel. Instead, I downloaded sqlmap and manually started the sqlmapapi.py server. I connect to my manual API instance using the correct port and 127.0.0.1
When attempting to Start Scan on any host, I receive the following error in the console window where the API is running:
PS C:\Users\ianfr\sqlmap-1.7.12\sqlmap > python .\sqlmapapi.py -s -H 127.0.0.1 -p 9191
[08:37:55] [INFO] Running REST-JSON API server at '127.0.0.1:9191'..
[08:37:55] [INFO] Admin (secret) token: af51a5ad488cef25452f7917e160a097
[08:37:55] [DEBUG] IPC database: 'C:\Users\ianfr\AppData\Local\Temp\sqlmapipc-ezu6cbci'
[08:37:55] [DEBUG] REST-JSON API server connected to IPC database
[08:37:55] [DEBUG] Using adapter 'wsgiref' to run bottle
[08:38:16] [WARNING] [0] Invalid task ID provided to scan_status()
[08:38:53] [DEBUG] Created new task: '68247d953bd5bd53'
[08:38:53] [DEBUG] (68247d953bd5bd53) Requested to set options
[08:38:53] [DEBUG] (68247d953bd5bd53) Listed task options
[08:38:53] [DEBUG] (68247d953bd5bd53) Started scan
[08:38:54] [CRITICAL] you have provided an invalid and/or unreadable configuration file ('AttributeError: 'UnicodeRawConfigParser' object has no attribute 'readfp'')
It would be useful to display whether the API is running on the API tab.
For this to be trustworthy, it should do some kind of check that the API really has started.
I was able to start a scan and got to this stage, however, I am not seeing any results for this scan.
As shown above, the scan gets to the "[15:29:47] [DEBUG] (ae8432fcc683d818) Retrieved scan data and error messages" step.
Here is the config of my scan.
The sqlmap logs tab shows nothing.
I am running python 2.7.18.
I have jython 2.7 standalone jar installed.
What should I be seeing if the tool is working as intended?
Any help would be greatly appreciated.
Update the tamper button to allow multiple tamper script selection as well as an option to clear out the selection.
SQLiPy relies on a running instance of the SQLMap API server. You can manually start the server with:
python sqlmapapi.py -s -H <ip> -p <port>
AND? There is no such file in this repo!
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.