Skip to content
SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API.
Python HTML
Branch: master
Clone or download
Pull request Compare This branch is 11 commits ahead of codewatchorg:master.
Latest commit 4097a3c Sep 13, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
BappDescription.html Update description Jan 5, 2018
BappManifest.bmf Added support for auth Aug 31, 2018
LICENSE Initial commit Sep 22, 2014
LICENSE - sqlmap Usability Enhancements Dec 21, 2017 Bugfixes for Starting/Stopping sqlmapapi via SQLiPy Jun 22, 2018 Added support for auth Aug 31, 2018 Bad sqlmap zip Dec 22, 2017


SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API.

SQLMap comes with a RESTful based server that will execute SQLMap scans. This plugin can start the API for you or connect to an already running API to perform a scan.


Jython 2.7 beta, due to the use of json
Java 1.7 or 1.8 (the beta version of Jython 2.7 requires this)


SQLiPy relies on a running instance of the SQLMap API server. You can manually start the server with:

  python -s -H <ip> -p <port>

Or, you can use the SQLMap API tab to select the IP/Port on which to run, as well as the path to python and on your system.

Once the SQLMap API is running, it is just a matter of right mouse clicking in the 'Request' sub tab of either the Target or Proxy main tabs and choosing 'SQLiPy Scan'.

This will populate the SQLMap Scanner tab of the plugin with information about that request. Clicking the 'Start Scan' button will execute a scan.

If the page is vulnerable to SQL injection, then a thread from the plugin will poll the results and add them to the Scanner Results tab.

For more information, see the post here:


The extension can start the script, but this is not recommended. It has been observed in numerous instances that the API becomes unresponsive when started this way. Updates have been made to solve this issue, but I still recommend starting the API from a command shell.

You can’t perform that action at this time.