0x4meliorate/SQLBurp


🗡️ SQLBurp

A Burp Suite extension that integrates the sqlmap REST API into your testing workflow. Send requests from anywhere in Burp, track multiple scans concurrently, and review persisted results. All scan data is stored directly in the Burp project file with no external database required.

Note: Scan persistence requires Burp Suite Professional. Community edition users can run scans but history will not be saved between sessions.

🚀 Setup

1. Download the jar

Download the latest SQLBurp.jar from the Releases page.

2. Start the sqlmap REST API

```shell
python sqlmapapi.py -s -H 127.0.0.1 -p 8775
```

No --database flag needed.

3. Load the extension

Extensions -> Add -> Extension Type: Java -> select SQLBurp.jar.

The SQLBurp tab will appear. Use the Ping button to verify the API is reachable.

📖 Usage

Sending a request

Right-click any request in Proxy, Repeater, Target, or anywhere else in Burp and select Send to SQLMap API. The scan is submitted immediately using the current configuration panel settings.

⚡ Configuration panel

| Setting | Description |
| --- | --- |
| API URL | Address of the running sqlmapapi server |
| Level | Detection level (1-5) |
| Risk | Risk level (1-3) |
| Threads | Concurrent HTTP requests (1-10) |
| Technique | SQLi techniques to test (e.g. BEUSTQ) |
| DBMS | Force a specific backend, or leave as (auto) |
| Tamper | Comma-separated tamper scripts (e.g. space2comment,randomcase) |
| Batch | Non-interactive mode (always use defaults) |
| Random Agent | Randomise the User-Agent header |
| Parse Forms | Discover and test forms on the target page |
| Enum DBs | Enumerate databases on injection confirmation |
| Current User | Retrieve the current database user |
| Banner | Retrieve the DBMS banner |
| Is DBA | Check whether the current user has DBA privileges |
| Poll (s) | How often to poll for status updates |

Settings are snapshotted at submission time, so each scan row remembers the exact options it was run with. Changing the panel after submission does not affect running scans.

📊 Scan table

Each submitted request appears as a row. Columns are sortable. Click any row to view its live log and option snapshot in the detail panel below.

| Status | Meaning |
| --- | --- |
| Queued | Submitted, not yet started |
| Running | Actively scanning |
| Finished | Completed, no injections found |
| Vulnerable | Injection confirmed |
| Stopped | Manually stopped |
| Error | Scan failed |
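As an added example (not SQLBurp's own Java code), a small Python client that reproduces the workflow described in the configuration panel and scan table sections above against the sqlmapapi endpoints: freezing the panel into sqlmap option keys at submission time, the new/set/start exchange, and mapping the status and data replies onto the table's statuses. The panel key names, the injected `send` transport and the status-mapping rules are this example's assumptions; the option names (`randomAgent`, `getDbs`, `forceSSL`, ...) and the endpoint paths are sqlmap's own.

```python
from typing import Callable, Optional

# send(method, path, json_body_or_None) -> decoded JSON reply from sqlmapapi (injected; assumed)
Transport = Callable[[str, str, Optional[dict]], dict]

# Panel row (assumed key names) -> sqlmap's own option key as accepted by POST /option/<id>/set
PANEL_TO_SQLMAP = {
    "level": "level", "risk": "risk", "threads": "threads", "technique": "technique",
    "dbms": "dbms", "tamper": "tamper", "batch": "batch", "random_agent": "randomAgent",
    "parse_forms": "forms", "enum_dbs": "getDbs", "current_user": "getCurrentUser",
    "banner": "getBanner", "is_dba": "isDba",
}

def snapshot_options(panel: dict, https: bool) -> dict:
    """Freeze the panel at submission time; '(auto)' DBMS and empty tamper fall back to sqlmap defaults."""
    opts = {name: panel[key] for key, name in PANEL_TO_SQLMAP.items()
            if panel.get(key) not in (None, "", "(auto)")}
    opts["forceSSL"] = https  # derived from the Burp HTTP service, as the Notes section describes
    return opts

def submit_scan(send: Transport, url: str, panel: dict, https: bool) -> str:
    """'Send to SQLMap API': create a task, push the frozen options, start the scan; returns the task id."""
    task = send("GET", "/task/new", None)
    if not task.get("success"):
        raise RuntimeError("sqlmapapi refused to create a task")
    taskid = task["taskid"]
    if not send("POST", f"/option/{taskid}/set", snapshot_options(panel, https)).get("success"):
        raise RuntimeError(f"could not set options on task {taskid}")
    if not send("POST", f"/scan/{taskid}/start", {"url": url}).get("success"):
        raise RuntimeError(f"scan {taskid} did not start")
    return taskid

def classify(status: dict, data: dict, stop_requested: bool = False) -> str:
    """Map GET /scan/<id>/status and GET /scan/<id>/data replies to the README's table statuses
    (the mapping rules are this example's assumption, not SQLBurp's verified logic)."""
    if not status.get("success", True):
        return "Error"
    state = status.get("status")
    if state == "not running":
        return "Queued"
    if state == "running":
        return "Running"
    if state != "terminated":
        return "Error"
    if stop_requested:
        return "Stopped"
    if (status.get("returncode") or 0) != 0:
        return "Error"
    return "Vulnerable" if data.get("data") else "Finished"
```

A real transport would wrap `urllib.request` against the API URL from the panel; passing a stub callable instead lets the option snapshot and status mapping be exercised without a running sqlmapapi.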

🖱️ Right-click menu

| Action | Description |
| --- | --- |
| Stop Task | Sends a stop signal to sqlmapapi and marks the scan as Stopped |
| Delete Task | Stops the scan, deletes it from the API, and removes all persisted data |
| Remove Row | Removes the row and purges persisted data without touching the API |

🧰 Toolbar

| Button | Description |
| --- | --- |
| Stop All | Stops all currently running scans |
| Remove Finished | Removes all Finished, Stopped, and Error rows and purges their data |

💾 Persistence

Requires Burp Suite Professional.

All scan data is stored in the Burp project file via the Montoya API's persistence().extensionData(). This is natively project-scoped, so opening a different Burp project shows only that project's scans with no cross-contamination between engagements.

  • No external database - sqlmapapi can be restarted freely without losing any scan history.
  • Incremental saving - the scan record is written on start and updated on every log line, so data is preserved even if Burp is closed mid-scan.
  • Automatic restore - all scans for the current project are loaded back into the table when the extension initialises.

Deleting a scan via right-click or Remove Finished purges it from both the API and the project permanently.

📝 Notes

  • The extension deduplicates requests, so sending the same request multiple times in a single action will only create one scan.
  • HTTPS targets are detected automatically from the HTTP service; forceSSL is set accordingly.
  • For scans that were still running when the extension was last closed, the extension will attempt to reconnect to the live API on load. If the API has been restarted in the interim, those scans will show their last known status.

🔨 Building from source

Requirements

  • Java JDK (JDK 17 or later)
  • sqlmap installed and accessible
  • Gradle (install via Scoop on Windows)

Build

```powershell
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
irm get.scoop.sh | iex
scoop install gradle
```

Then in the project folder:

```powershell
gradle wrapper
.\gradlew.bat jar
```

The jar is output to build\libs\SQLBurp.jar.

About

Burp Suite extension that submits requests to the SQLMap REST API, tracks concurrent scans with live log streaming, and persists all results in the Burp project file. Scoped per engagement, no external database required.
