I perform quite a few web app assessments throughout the year. Two of the primary tools in my handbag for a web app assessment are Burp Suite Pro and SQLMap. Burp Suite is a great general purpose web app assessment tool, but if you perform web app assessments you probably already know because you are probably already using it. SQLMap complements Burp Suite nicely with its great SQL injection capabilities. It has astounded me in the past, as flexible and extensible as Burp is, that no one has written a better plugin to integrate the two (or maybe they did and I just missed it).
The plugins that I have come across in the past fit in one of two categories:
- They generate the command line arguments that you want to run, and then you have to copy those arguments to the command line and run SQLMap yourself (like co2); or
- They kick off a SQLMap scan and essentially display what you would see if run in a console window (like gason)
I’m not much of a developer, so I never really considered attempting to integrate the two myself until the other day that I was browsing in the SQLMap directory on my machine recently and noticed the file sqlmapapi.py. I’d never noticed it before (I’m not sure why), but when I did I immediately started looking into the purpose of the script. The sqlmapapi.py file is essentially a web server with a RESTful interface that enables you to configure, start, stop, and get the results from SQLMap scans by passing it options via JSON requests. This immediately struck me as an easy way in which to integrate Burp with SQLMap.
I began researching the API and was very fortunate that someone already did the leg work for me. The following blog post outlines the API: http://volatile-minds.blogspot.com/2013/04/unofficial-sqlmap-restful-api.html. Once I had the API down I set out to write the plugin. The key features that I wanted to integrate were:
- The ability to start the API from within Burp. Note that this is not recommend as one of the limitations of Jython is that when you start a process with popen, you can’t get the PID, which means you can’t stop the process from within Jython (you have to manually kill it).
- A context menu option for sending a request in Burp to the plugin.
- A menu for editing and configuring the request prior to sending to SQLMap.
- A thread that continuously checks up on executed scans to identify whether there were any findings.
- Addition of information enumerated from successful SQLMap scans to the Burp Scanner Results list.
All of those features have been integrated into this first release. I have limited ability to test so I appreciate anyone that can use the plugin and provide feedback. Some general notes on the plugin development:
- This is the first time I’ve attempted to develop a Burp plugin. The fact that I was able to do so with relative ease shows how easy the Burp guys have made it.
- This is also the first time I’ve used Jython, or used any Java GUI code.
- The code probably looks awful and I need more comments. See points 1 & 2 above and add in the fact that I’m not a developer.
I reviewed the source code for numerous plugins to help me understand the nuances of working with Python/Jython/Java and integrating with Burp. The source of the following plugins was reviewed to help me understand how to build this:
The first thing that you need to do is download the beta version of Jython, which can be found on the site here. The 2.7 beta version is required as the plugin uses the JSON module and older stable releases do not include this module. Note that this version of Jython relies on Java 1.7 or 1.8 – it will not run on older versions. Navigate to the “Extender->Options” tab in Burp and configure the path to Jython as show in the screenshot below:
Next, you need to load the plugin by navigating to the “Extender->Extensions” tab and clicking the add button. Configure the path to the plugin as shown below:
The SQLMap API server must be started in order to perform scans. This can be performed in the “SQLiPy->SQLMap API” tab of the plugin by entering the appropriate IP, port, path to Python, and path to the sqlmapapi.py file as displayed in the options below:
The other and better option would be to manually start the SQLMap API server on your system (or any other system on which SQLMap is installed). This is better as a limitation of Jython is that it doesn’t return the PID of the process executed by popen, as describe above, and therefore there is no way to kill the process from within Burp (it has to be done manually). The command line options are as follows:
python sqlmapapi.py -s -H <IP> -p <Port>
Now that you have setup Jython in Burp, the plugin is loaded, and the SQLMap API is running, you can get ready to start some SQLMap scans. The plugin creates a context menu option of “SQLiPy Scan” that can be used by right mouse clicking from the “Request” tab within the “Proxy” or “Target” interfaces as shown in the screenshot:
This will take the request and auto populate information in the “SQLiPy->Sqlmap Scanner” tab similar to what you see below:
Configure the options that you want for the injection testing and make sure to set the SQLMap API IP and Port if you didn’t use the plugin to start the API (otherwise these are prefilled in). Then you are ready to begin injection testing after clicking the “Start Scan” button. Progress and informational messages on scans and other plugin activities are displayed in the extensions “Output” tab similar to what is shown below:
Starting a scan will result in a thread being executed that periodically checks on the process of the injection attack. Updates on the status of plugin tasks will show up in the extensions “Output” tab, including completion of an injection test. If the tested page is vulnerable to SQL injection, then the plugin will add an entry to the “Scanner->Results” tab that includes everything SQLMap was able to enumerate on the vulnerable host based on the options you chose in the “SQLiPy->SQLMap Scanner” tab. The results will look similar to the following screenshot:
This plugin has been tested on:
- Burp Suite 1.6 and 1.6.05
- SQLMap 1.0
- Python 2.7.2 and 2.7.7
- Java 1.7.0_03, 1.7.0_60, and 1.8.0_11
- Jython 2.7 Beta 3
- Windows 7 and 8.1
- Linux (Fedora 20)
Some things I would like to do with the plugin in the future:
- Use a real layout manager instead of null (I know this is a bad practice)
- Convert to Java for performance and other reasons
- Separate functionality out into smaller classes
- Add more and better comments
- Cleanup variable names and such
- Possible addition of other SQLMap options
You can grab the plugin on my GitHub page at here. Enjoy!