Not getting same results in cli sqlmap
Is there some kind of magic happening between sqlipy in burp and the sqlmapapi? I take the exact command used in sqlipy in burp that will find a sql injection in a post request. I take the same command in the command line and it doesn't find it...
Also, where is sqlipy storing its found sql injections?
Thanks!
Not that I am aware. The sqlmapapi script from the sqlmap project really just stands up a RESTful API server that turns requests into full sqlmap commands passed and creates instances of sqlmap using those commands.
So you are saying you are finding issues within the extension that you ARE NOT finding just using the command line? That is interesting if so. Are you using the same version on the command line (the one bundled with the extension)?
Are you using BurpSuite Pro or the free version? If using Pro, then any findings are populated in the "Issues" section of the "Target" tab for the URL. If using the free version, then findings are created as .html files with the long sqlmapapi task ID as the file name - these should get saved in either the root folder for the extension or the path where Burp resides.
Thanks for the reply. I am using Burp Pro, and I have tried the most recent version of sqlmap as well as the sqlmap.py that is within the .Burpsuite etc etc etc folder that houses the extension. When I take the request as shown in the log of the extension within Burp Suite, it does not find the sql injection. However, when I save the request from within Burp and run sqlmap with -r, it works fine, I found out. Just a strange thing happening. Using --flush-session with the -r function finds it again. However, when taking the sqlmap.py command shown in the extension log (which finds the sql injection within the extension) and trying to recreate it from the command line, it does not find it.
The version of sqlmap included with the extension is not the most current, maybe that is your issue. If not, then it is a sqlmap issue and not anything I can resolve.