Burp SQLmap plugin for Windows

Posted on Saturday, November 17, 2012 by Nathan Sportsman

The current SQLmap plugin release for Burp Suite of has one major shortcoming — it was not written with the intent of being run in a Windows environment.

Burp Suite provides a very basic SDK known as Burp Extender. Burp Extender allows third parties to extend the features of an already powerful web application testing suite. In March of this year, Daniel Garcia (cr0hn) created a SQLmap plugin for Burp using the Burp Extender SDK. With Daniel’s SQLmap plugin, automated SQL injection discovery and exploitation is now seamless between two of our favorite web application pentesting tools.

The current SQLmap plugin release for Burp Suite of has one major shortcoming — it was not written with the intent of being run in a Windows environment. While people have come up with workarounds, nobody to date has modified the SQLmap plugin code to work seamlessly with Windows — until now:

Download SQLmap plugin for Windows »


The Problem:

Given that Linux is the preferred platform of most penetration testers, default path and script execution values assume the tool will be run in Linux. Unfortunately, attempting to directly execute sqlmap.py without invoking the interpreter will result in an exception on Windows. The screenshot below shows the I/O exception that will be thrown when the Windows CreateProcess() function attempts to execute the python script.

CreateProcess() throws an I/O exception on Windows


The Solution:

The Windows portability issue has been known for several months and the original bug submission can be found here. To date, this is the only outstanding defect for the plugin and it is currently rated a medium. While the person reporting the issue was not able to modify the code to fix the problem, they did come up with a workaround. In Windows, rather than calling the python script directly, you can call the python script indirectly through a Windows bat file. Although this works, it is not the cleanest solution. Since our services organization leverages both Linux and Windows, I decided to spend a few minutes (this post took longer to write than it took to update the code) porting the code to Windows. I also made a few cosmetic tweaks to field and label sizes while making the updates.

The missing java/class file became apparent when comparing our jar file size to the size of the current jar file available for download (and the fact our integrated plugin did not work).



Code Modification:

After a few minor tweaks to sqlmapGUI.java, file paths and execution decisions are now determined by the underlying OS. Relevant code changes are shown below.

Code changes tagged with “nathan sportsman” in comments

private ArrayList tabs = new ArrayList(20);

    // default sqlmap path value for Unix
    private static String command = "/usr/bin/sqlmap";
    
    // Obtain operating system info for multi platform support - nathan sportsman
    private static String OS = System.getProperty("os.name");

    public sqlmapGUI()
    {
        initComponents();

        this.getRootPane().setDefaultButton(this.bnt_run);
        this.setLocationRelativeTo(null);
        this.setVisible(false);

    	// Adjust the default sqlmap path if underlying OS is Windows - nathan sportsman
    	if(sqlmapGUI.OS.startsWith("Windows"))
       	  sqlmapGUI.command = "C:\\sqlmap\\sqlmap.py";
    }

    public void AddURL(IHttpRequestResponse URLs_) throws Exception{

        if(URLs_ != null && URLs_.getUrl().toString() != null)
        {
// Add command
        
        //Windows CreateProcess() cannot call the python script directly. For Windows, we need to append python.exe to the command string - nathan sportsman
        if(sqlmapGUI.OS.startsWith("Windows"))
	  	l_params.add("python.exe");	

        l_params.add(txt_bin.getText());

        String m_url = url;

        //
        // Action
        //
        l_params.add(l_action[cmb_action.getSelectedIndex()]);



Use the new plugin:

Burp shortcut The source code was rebuilt and archived into a new jar file (gason-0.9.6.jar). We kept the same naming convention as the original author who revved the minor release. To use the plugin, you will need to run a command similar to the following:

You can also edit the properties of your Burp shortcut and modify the Target variable as shown in the picture to the right. The plugin code will be called when Burp is launched. When Burp identifies that a parameter is vulnerable to SQL injection, send the specific request that triggered the result to the SQLmap plugin. This can be performed by right clicking in the request area and selecting the “send to sqlmap” action as shown in the screenshot below.

 

Send to SQLmap

Daniel has created a GUI interface for sqlmap’s command lines options. As before, set the appropriate SQLmap options and click “Run”.

 

SQLmap options

A child process for SQLmap will be created and run in a new tab as shown in the screenshot above. The script will output its execution in the new tab window. In the screenshot below, the plugin is used to enumerate the underlying database technology. The ported plugin can be downloaded here.

 

Figure 9. Child process created for sqlmap in new tab

↑ Back to top