December 16, 2012

Sqlmap plugin for BurpSuite - make it work on Windows

I was looking for a good solution to use Sqlmap in BurpSuite and found the post in bugBlog. After this great discovery, I decided to check how it works on Windows... guess what... It doesn't.

Anyway, I figured out how to make it work. The steps are:
1. Install the prerequisites: Python 2.7.x (not newer), and download the latest Burp and Sqlmap.
2. Extract Sqlmap to a folder, e.g. c:\Toolz\sqlmap
3. Download Gason (the plugin for Burp) and save it in the same path as Burp.
4. Gason won't run if Sqlmap is not a binary on Windows. Therefore, download Py2Exe according to your version (Python + operating system) and install it.
5. Use the Py2Exe tutorial to create binary files (store the file "" in the Sqlmap folder, and replace the name in the script from "" to "").
6. Navigate to the Sqlmap folder and run the commands from the tutorial.
7. Now Sqlmap should be ready in the folder "dist" under Sqlmap's folder. Copy all files from "dist" to the root folder of Sqlmap, e.g. from c:\Toolz\sqlmap\dist to c:\Toolz\sqlmap.
8. Run the following command from Burp's folder: java -classpath burpsuite_pro_v1.5.jar;gason-0.9.5.jar burp.StartBurp (replace the Burp and Gason versions with yours)

Now it should work!!

Disclaimer: if you want to use Sqlmap to test SOAP requests by using the "-r" parameter, then it is impossible in Gason\Burp. In this case (as in mine), I should still use the CLI.