
sqlipy's People

Contributors

ahri, codewatchorg, mike-smith-portswigger, pajswigger


sqlipy's Issues

SQLMap API is NOT running Error

Preface - I tried following the troubleshooting steps in the other issue regarding the API not starting but it didn't solve it.

I'm on the latest version of Kali Linux VM using VirtualBox. Latest version of BurpSuite Community Edition.
Jython version is jython-standalone-2.7.3.jar

When I try and start SQLMap API through burp it doesn't work, so I launch it through the CLI and (see screen shot below) it looks like it's run successfully but Burp still shows that the API is not running.

So far I've tried using python 3 and python 2, different ports and reinstalling burp all to no avail.

Greatly appreciate any help, thx.

Java Version:
image

SQL Map API Successfully running in CLI:

image

BurpSuite UI:

image

FR: Flag False Positives as an FP or Info Issue

Hello,

Have seen it quite a few times where Burp finds a parameter is an FP when further testing identifies the injection point is actually valid. This would be great to record as informational or FP in the Issues view.

API status indicator

It would be useful to display whether the API is running on the API tab.

For this to be trustworthy, it should do some kind of check that the API really has started.

Scan starts but does not appear in the scan list

Hi!
I'm working with Burpsuite v2021.3.2, I have python 2.7 installed, also added jython 2.7.2 to Burpsuite extensions. SQLiPy is installed with the last available version, SQLMAP API is also running.
The problem is that when I set the scan parameters and configuration, and click "Start Scan", nothing is shown in the scan list in the "SQLMAP logs" tab.
I am running Java SE 14, with python 2.7
I have tried many things but none solved the issue.

Note: I can see a new python process appear in the windows task manager every time I start a scan, but nothing shows within the SQLiPy log tab.

SQLMap API not starting

Hello,

I'm trying to use sqlipy in the default configuration, but I am not able to start it. Below are details about the configuration and installation:

jython2.7.3

Log of Extender:

Calling: C:\Python27\python.exe C:\Users\bruno\AppData\Roaming\BurpSuite\bapps\f154175126a04bfe8edc6056f340f52e\sqlmap\sqlmapapi.py -s -H 127.0.0.1 -p 9090

Failed to start the SQLMap API

[15:09:44] [INFO] Running REST-JSON API server at '127.0.0.1:9090'..
[15:09:44] [DEBUG] REST-JSON API server connected to IPC database
[15:09:44] [DEBUG] Using adapter 'wsgiref' to run bottle
Traceback (most recent call last):

Configuration on SQLMap API:
image

Configuration on Proxy:
image

What am I doing wrong in this case and how could I fix it to use the extension?

Kind Regards,
Bruno

FR: Auto Start Scan after Sending to SQLiPy

As an option.. Instead of having to send and then navigate to the tab and starting the scan. For me, I'm always using my last configured scan settings so going to the tab to configure options isn't necessary.

Session management

I'm wondering if it would be possible to incorporate Burp's session management functionality. When I perform tests, I'm kicked out of the session by the WAF. Since Burp already contains session management and is able to create a session again, would it be feasible to use this as well?
Thanks for this great tool:)

tor

Hi,

Is it possible to add a tor option to the scanner at all?

The latest sqlmap has an option for it, and I could not see an option for a SOCKS proxy on the addon.

No burp

root@kali:~/sqlipy# python SQLiPy.py
Traceback (most recent call last):
  File "SQLiPy.py", line 25, in <module>
    from burp import IBurpExtender
ImportError: No module named burp

No right click console integration

I'm running Burp 2021.5.2. I just added the sqlipy sqlmap integration from the BApp Store. The SQLiPy tab appears, but not the right-click integration. I've restarted Burp and reinstalled the extension, but no go.

I'm running jython 2.7.2.

Any ideas?

Sqlmaps do not keep path

Hi Team
I would like to ask about the sqlmap integration with Burp. The issue is about keeping the sqlmap settings. Every time I start Burp, the extension does not keep the path for Python.
I have to set the path manually. Is there any option to remember the path for sqlmap?

This is my path for Python, which should be kept by the extension all the time:

1

Cannot See Scan Results

I was able to start a scan and got to this stage, however, I am not seeing any results for this scan.

Pasted Graphic

As shown above, the scan gets to the "[15:29:47] [DEBUG] (ae8432fcc683d818) Retrieved scan data and error messages" step.

Here is the config of my scan.
Pasted Graphic 1

The sqlmap logs tab shows nothing.
image

I am running python 2.7.18.
I have jython 2.7 standalone jar installed.

What should I be seeing if the tool is working as intended?

Any help would be greatly appreciated.

"Start Scan" button in SQLMAP Scanner Tab is not visible

Hi Josh,

First of all thank you for writing this awesome burp extension, it comes real handy in identifying parameters vulnerable to sql injection using SQLMap. However, I have been facing this issue where I don't see "Start Scan" button in SQLMAP Scanner Tab. I reached out to Burp Support and they were able to see the "Start Scan" button somehow.

I have tried the following things:

  1. Changing Display UI to Metal, OS x and Nimbus.
  2. Using it with updated Oracle Java installed.
  3. Using it on Burp pro and Burp Free
  4. Using it on Mac OS x and Kali Linux (Both Free and Pro Version)
  5. Re-Installing SQLipy Extension
  6. Re-installing Jython

but nothing seems to be working, I am using Burp (Paid and Free) and Jython latest version.

There are no errors generated only the following output:

Calling: /usr/bin/python /usr/share/sqlmap/sqlmapapi.py -s -H 127.0.0.1 -p 8888

[06:36:49] [INFO] Running REST-JSON API server at '127.0.0.1:8888'..
[06:36:49] [INFO] Admin ID: 683e40ffbf9de08abf671fe0baec0532
[06:36:49] [DEBUG] IPC database: /tmp/sqlmapipc-sHXl8u
[06:36:49] [DEBUG] REST-JSON API server connected to IPC database

What do you think could be causing this issue?

Let us know your thoughts on this.

-Ishan

Not getting same results in cli sqlmap

Is there some kind of magic happening between sqlipy in burp and the sqlmapapi? I take the exact command used in sqlipy in burp that will find a sql injection in a post request. I take the same command in the command line and it doesn't find it...

Also, where is sqlipy storing its found SQL injections?

Thanks!

Allow Specification of Technique in BurpSuite

The App in BurpSuite does not have an option to specify technique thus requiring the user to manually copy and paste the sqlmap command into a terminal in order to specify the technique

FR: Table View of Results

Hi,

I think it would be great to have an option to see a table view of results:

Columns would look like:

Endpoint | Parameter | Options | Success | False Positive | Raw Output

Where False Positive is anytime SQLMAP preliminarily flags the parameter as a possible injection point.

Ewey GUI (hah)

Hey man, great job!

I have a small issue

screen shot 2018-01-09 at 00 12 04 copy

St [op]/St [art] ? ! :)

"Start Scan" button does nothing

Trying with both local or remote api, the extension detects the API running, clicking on "Start Scan" literally does nothing
sqlmapapi
.

sqlipy can't parse sqlmapapi response(JSON) correctly.

Hello,

I use Burp (Version: 1.7.19) and sqlmap (Version: 1.1.11#stable), and I use sqlipy to connect them as usual.

But I found that sqlipy cannot report SQL injection vulnerabilities as the blog says. So I modified the source code, added some traceback information and re-ran it, and found something interesting.

3

sqlipy raises an EXCEPTION when parsing the sqlmap API response JSON data.

I adjusted some parameters in sqlipy and everything works well, as follows.

1

2

Maybe sqlmap api response JSON has been changed. So it's better to update sqlipy to follow sqlmap.

Critical Error When Trying to Run

Using Jython Standalone 2.7.2 (not sure if that is relevant) and Python 3.12 I was unable to start the sqlmap API using the Burp panel. Instead, I downloaded sqlmap and manually started the sqlmapapi.py server. I connect to my manual API instance using the correct port and 127.0.0.1.

When attempting to Start Scan on any host, I receive the following error in the console window where the API is running:

PS C:\Users\ianfr\sqlmap-1.7.12\sqlmap > python .\sqlmapapi.py -s -H 127.0.0.1 -p 9191
[08:37:55] [INFO] Running REST-JSON API server at '127.0.0.1:9191'..
[08:37:55] [INFO] Admin (secret) token: af51a5ad488cef25452f7917e160a097
[08:37:55] [DEBUG] IPC database: 'C:\Users\ianfr\AppData\Local\Temp\sqlmapipc-ezu6cbci'
[08:37:55] [DEBUG] REST-JSON API server connected to IPC database
[08:37:55] [DEBUG] Using adapter 'wsgiref' to run bottle
[08:38:16] [WARNING] [0] Invalid task ID provided to scan_status()
[08:38:53] [DEBUG] Created new task: '68247d953bd5bd53'
[08:38:53] [DEBUG] (68247d953bd5bd53) Requested to set options
[08:38:53] [DEBUG] (68247d953bd5bd53) Listed task options
[08:38:53] [DEBUG] (68247d953bd5bd53) Started scan
[08:38:54] [CRITICAL] you have provided an invalid and/or unreadable configuration file ('AttributeError: 'UnicodeRawConfigParser' object has no attribute 'readfp'')
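
The AttributeError in the last log line names `readfp`, a `configparser` method that Python 3.12 (the interpreter mentioned in this report) no longer provides; `read_file` is its replacement. The sketch below is an added example, not code from sqlipy or sqlmap: `read_config_compat`, `load_options` and the sample configuration are hypothetical names and constructed data, showing a loader that works on either side of that removal.

```python
import configparser
import io

# Constructed sample configuration (not taken from the issue or from sqlmap).
SAMPLE_CONFIG = u"""\
[Target]
url = http://127.0.0.1:8080/item?id=1

[Request]
timeout = 30
"""


def readfp_available():
    """True on interpreters that still ship the legacy readfp() method."""
    return hasattr(configparser.RawConfigParser, "readfp")


def read_config_compat(parser, fileobj, source="<config>"):
    """Load fileobj into parser with read_file(), falling back to readfp().

    Returns the name of the method that was used.
    """
    if hasattr(parser, "read_file"):      # Python 3.2 and later
        parser.read_file(fileobj, source)
        return "read_file"
    parser.readfp(fileobj, source)        # older interpreters only
    return "readfp"


def load_options(text):
    """Parse config text and return (method_used, {section: {option: value}})."""
    parser = configparser.RawConfigParser()
    used = read_config_compat(parser, io.StringIO(text))
    options = {name: dict(parser.items(name)) for name in parser.sections()}
    return used, options


if __name__ == "__main__":
    method, parsed = load_options(SAMPLE_CONFIG)
    print("legacy readfp() present:", readfp_available())
    print("loaded with:", method)
    print(parsed)
```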

Unable to start API

I have downloaded jython into "C:\jython2.7.0"

I'm unable to start the API by clicking on the 'Start API' button in the screenshot below.

capture

I tried to start it through the command prompt and it is still not working.

image

Empty scan findings

image

The sqlmapapi reported:
[23:23:09] [DEBUG] [9fb2cdda8d37dd3e] Retrieved scan data and error messages

Burp extender output reported:
Scan for task 9fb2cdda8d37dd3e completed. Gathering results.
If the page was vulnerable, then findings for task 9fb2cdda8d37dd3e have been reported.

Scan screen bounds hide "Start Scan" button

Using an environment with a small window, the "Start Scan" button is hidden.

The scrollbar in burp goes until the "Tamper Scripts" input but stops at that. The button is effectively below the viewport of burp.

I expect the problem lies in these two lines:
self._jButtonStartScan.setBounds(346, 1047, 103, 29)
self._jScanPanel.setPreferredSize(awt.Dimension(1010,1010))

FR: Auto save logs to disk / project

I noticed today, after updating my system (which required a reboot), that when I reopened Burp the logs from scans I had run previously were gone.

It would be nice to have an input field to save the output when a scan is finished or ended.

https://github.com/codewatchorg/sqlipy

SQLiPy relies on a running instance of the SQLMap API server. You can manually start the server with:
python sqlmapapi.py -s -H <ip> -p <port>

AND? There is no such file in this repo!

not pulling in results

Hello

This is a great plugin!... but it doesn't return results from the scan. I have a test app that sqlmap scans the injection just fine when you run without the plugin but when using the plugin the output returns no results even though the logs say it was able to inject and retrieve data. Any ideas?

jython beta1 and beta3 tested and still nothing
python 2.7
latest sqlmap from github repo.
burp 1.6.05 pro

java -version returns the following:
java version "1.7.0_60"
Java(TM) SE Runtime Environment (build 1.7.0_60-b19)
Java HotSpot(TM) 64-Bit Server VM (build 24.60-b09, mixed mode)

Some ideas

Great job!

Here are a few things that could be nice additions, I think. Better overview of what scans are running. Show SQLiPy tests in the scan queue of Burp? Currently you would have to go to the Extender and look at the output to see "Scan for task 9fb2cdda8d37dd3e is still running.". I don't know if this is possible with sqlmapapi, but for a specific SQLiPy scan it would be nice to have some kind of status, for example what type of injections are currently being tested.

Improve Python detection

SQLmap uses Python 2, so distributions like Arch that default to Python 3 need to use python2.

On Windows, many users do not add Python to the path, but the location is available in the registry.

If Python 2 is not available, it would be useful to provide the user with a message.

Problem with running SQLiPy.py

Hi dear.
I have some problems with running it; here is the picture:
image
I really have been going around for 2 hours, and in the end I wasn't able to solve this problem.
Can you give me some help and tips?
Thanks so much, my friend.

FR: Ignore Cookies

Hello,

Often, I do not want to scan cookies. Can there be an option to just scan query and body parameters?

Arbitrary injection point on POST data is not working

If you use injection point (* or %INJECT HERE%) in a POST Data request with JSON (e.g. { "name" : "value*" }) sqlmap is actually URL encoding the special characters (e.g. %7B%20%22name%22%20%3A%20%22value%22%20%7D) before sending to the server.
I've noticed this problem because I'm intercepting all the sqlmap requests with a proxy.
Without the SQLiPy extension, sqlmap does not perform the URL encoding.

No "SQLiPy Scan" option in context menu

Hi codewatchorg,
I've installed the plugin and installation went fine. There is a tab which shows sqlmap API, scanner, etc. But when I right-click on a URL in the Proxy tab, the option to send to the SQLiPy tab is missing. I'm using Java version 8. Burp version: 2020.2
burp-nosqli-in-menu
