Skip to content
sqlmap embed in burpsuite
Branch: master
Clone or download
Latest commit aad2998 Aug 15, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
src get stand output Nov 1, 2016
.gitignore add .gitignore and suitfor both windows and linux Nov 1, 2016 Update Aug 15, 2018





  1. 首先安装sqlmap,传送门:

  2. 将sqlmap.py加入到path中(在cmd中输入sqlmap.py不会报找不到文件)

  3. 下载依赖的jar包: commons-io-2.4.jar,放置到burpsuite java 插件的classpath下,burpsuite中配置路径为:extender-->options-->Java Environment

  4. 编译此项目为单独的一个jar文件,添加到burpsuite的java插件中,配置路径为:extender-->extentions-->add

  5. 之后你将会看到在主页面中会新增一个tab,名字叫做Sqlmap


本插件实现原理:将目标请求的数据存放到临时文件中,然后调用" -r $file"来启动对请求的sql注入检测 在Sqlmap tab中,你可以配置sqlmap除 -r外的其他参数,比如:

加入配置中写:"--level 3",真实执行时是 -r $file --level 3

回到burpsuite主页面,在任何请求连接上右键,会看到新增"send to Sqlmap",点击后会开启cmd窗口,针对此请求进行sql注入检测


  1. 本插件在windows下开发并使用,其他系统需要自行做一些调整

  2. 关于本插件有任何问题,参考提问的智慧, 再提issues

a sqlmap plugin for burpsuite


  1. install sqlmap link is:

  2. set to your path

  3. download the dependent jar:commons-io-2.4.jar,put it in your burpsuite java plugin's classpath

  4. build this project to a single jar,add this jar to burpsuite's java plugin

  5. you will find a new tab named "sqlmap" added to the main tabs


  1. this plugin dumps a target request into a temp file,and then call the "sqlmap -r $file" to start sql injection check.

  2. in the sqlmap tab,you can add other parameters to the

eg: config "--level 3" means "sqlmap -r $file --level 3"

  1. now,back to the request list(eg: in proxy->history),right click mouse,find "send to Sqlmap",click it,it will start a dos-window for the sql injection check


  1. this tool is made on windows,other os need some modifications
You can’t perform that action at this time.