I’m not much of a developer, so I never really considered attempting to integrate the two myself until the other day that I was browsing in the SQLMap directory on my machine recently and noticed the file sqlmapapi.py. I’d never noticed it before (I’m not sure why), but when I did I immediately started looking into the purpose of the script. The sqlmapapi.py file is essentially a web server with a RESTful interface that enables you to configure, start, stop, and get the results from SQLMap scans by passing it options via JSON requests. This immediately struck me as an easy way in which to integrate Burp with SQLMap.

I began researching the API and was very fortunate that someone already did the leg work for me. The following blog post outlines the API. Once I had the API down I set out to write the plugin. The key features that I wanted to integrate were:

- The ability to start the API from within Burp. Note that this is not recommended as one of the limitations of Jython is that when you start a process with popen, you can’t get the PID, which means you can’t stop the process from within Jython (you have to manually kill it).
- A context menu option for sending a request in Burp to the plugin.
- A menu for editing and configuring the request prior to sending to SQLMap.
- A thread that continuously checks up on executed scans to identify whether there were any findings.
- Addition of information enumerated from successful SQLMap scans to the Burp Scanner Results list.

All of those features have been integrated into this first release.

I have limited ability to test so I appreciate anyone that can use the plugin and provide feedback. Some general notes on the plugin development:

1. This is the first time I’ve attempted to develop a Burp plugin. The fact that I was able to do so with relative ease shows how easy the Burp guys have made it.
2. This is also the first time I’ve used Jython, or used any Java GUI code.
3. The code probably looks awful and I need more comments. See points 1 & 2 above and add in the fact that I’m not a developer.

I reviewed the source code for numerous plugins to help me understand the nuances of working with Python/Jython/Java and integrating with Burp. The source of the following plugins was reviewed to help me understand how to build this:

The first thing that you need to do is download the beta version of Jython, which can be found on the site here. The 2.7 beta version is required as the plugin uses the JSON module and older stable releases do not include this module. Note that this version of Jython relies on Java 1.7 or 1.8 – it will not run on older versions.

Navigate to the “Extender->Options” tab in Burp and configure the path to Jython as shown in the screenshot below:

Next, you need to load the plugin by navigating to the “Extender->Extensions” tab and clicking the add button. Configure the path to the plugin as shown below:

The SQLMap API server must be started in order to perform scans.
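
The scan-monitoring thread from the feature list, sketched as an added example (not the plugin's own code, and written for standalone Python 3 rather than Jython): it polls the sqlmapapi.py status and data endpoints until each task terminates, with a bounded wait. The endpoint paths, reply fields, the address 127.0.0.1:8775 and the task ids are assumptions about sqlmapapi.py's REST interface; the fake server replies are constructed.

```python
import json
import time
from urllib.request import urlopen

API = "http://127.0.0.1:8775"  # assumed: sqlmapapi.py on its default local address

def http_get(path):
    """GET a path on the sqlmapapi server and decode the JSON body."""
    with urlopen(API + path, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))

def poll_scans(task_ids, get=http_get, interval=5.0, max_rounds=120, sleep=time.sleep):
    """Poll tasks until each terminates. Returns (results, still_pending):
    results maps taskid -> list of data entries (empty list = no findings),
    or None when the server does not know the task."""
    pending, results = set(task_ids), {}
    for _ in range(max_rounds):
        for tid in sorted(pending):
            status = get("/scan/%s/status" % tid)
            if not status.get("success"):
                results[tid] = None          # e.g. invalid or deleted task id
                pending.discard(tid)
            elif status.get("status") == "terminated":
                data = get("/scan/%s/data" % tid)
                results[tid] = data.get("data") or []
                pending.discard(tid)
        if not pending:
            break
        sleep(interval)                      # bounded wait instead of a busy loop
    return results, pending

def make_fake_api(script):
    """Constructed stand-in for the server: script maps path -> list of replies,
    consumed one per call (the last reply repeats)."""
    def get(path):
        replies = script.get(path, [{"success": False, "message": "Invalid task ID"}])
        return replies.pop(0) if len(replies) > 1 else replies[0]
    return get

def demo():
    """Run the poller over constructed replies for three hypothetical task ids."""
    fake = make_fake_api({
        "/scan/aaaa/status": [{"success": True, "status": "running"},
                              {"success": True, "status": "terminated", "returncode": 0}],
        "/scan/aaaa/data": [{"success": True, "data": [{"type": 1, "value": "constructed finding"}], "error": []}],
        "/scan/bbbb/status": [{"success": True, "status": "terminated", "returncode": 0}],
        "/scan/bbbb/data": [{"success": True, "data": [], "error": []}],
    })
    return poll_scans(["aaaa", "bbbb", "cccc"], get=fake, sleep=lambda s: None)

if __name__ == "__main__":
    print(demo())
```

Tasks still listed in the second return value when `max_rounds` runs out are the ones to clean up by hand, which matters given the note above that a scan process started from Jython cannot be stopped from within it.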