Introduction
In this lab, you will learn how to integrate sqlmap, a powerful open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws, with an intercepting proxy like Burp Suite.
Using a proxy with sqlmap is a crucial skill for security professionals. It allows you to see the exact payloads sqlmap is sending, understand its testing logic, debug potential issues, and even modify requests on the fly. This visibility is invaluable for both learning how SQL injection attacks work and for performing more advanced, customized security assessments.
By the end of this lab, you will be able to route sqlmap's traffic through Burp Suite, observe the generated requests, and analyze the automated attack patterns.
Configure Burp Suite to Listen on a Local Port
In this step, you will launch Burp Suite and verify that its proxy listener is active. Burp Suite acts as a web proxy server, sitting as a man-in-the-middle between your browser (or in this case, sqlmap) and the target application. By default, it listens for incoming connections on port 8080 of the local machine (127.0.0.1).
First, let's launch Burp Suite. You can find it in the application menu.
- Click on the Application Menu (the icon in the top-left corner of the screen).
- Navigate to Web -> Burp Suite Community Edition.
- A dialog box will appear. You can leave the defaults and click Next.
- Another dialog will ask you to select a project. Choose Use Burp defaults and click Start Burp.
Once Burp Suite has loaded, you need to check its proxy settings.
- Click on the Proxy tab.
- Click on the Options sub-tab within the Proxy tab.
- Look for the "Proxy Listeners" section. You should see an entry with the interface 127.0.0.1:8080 and the "Running" checkbox ticked.
This confirms that Burp Suite is actively listening for traffic on the local port 8080. Any application configured to send traffic to this address and port will have its requests intercepted and logged by Burp Suite.
Configure sqlmap to Use the Proxy with --proxy=http://127.0.0.1:8080
In this step, you will learn how to instruct sqlmap to send its network traffic through the Burp Suite proxy we just configured.
sqlmap provides a simple command-line argument, --proxy, to specify an HTTP proxy. You need to provide the proxy's address in the format http://<host>:<port>.
Since Burp Suite is listening on 127.0.0.1:8080, the correct argument to use is:
--proxy=http://127.0.0.1:8080
When you add this argument to your sqlmap command, instead of sending requests directly to the target web server, sqlmap will send them to http://127.0.0.1:8080. Burp Suite will then receive these requests, log them, and forward them to the final destination.
In the next step, we will combine this proxy argument with a target URL to perform a scan. For now, it's important to understand that this single parameter is all that's needed to integrate the two tools.
Execute a Basic sqlmap Scan
In this step, you will execute a basic sqlmap scan against the test web application, routing the traffic through Burp Suite. We will ask sqlmap to enumerate the databases on the server.
Open a terminal. We will construct a command that includes:
- The target URL: -u "http://127.0.0.1/index.php?id=1"
- The proxy configuration: --proxy=http://127.0.0.1:8080
- The action to perform: --dbs (to enumerate databases)
- A non-interactive flag: --batch (to automatically answer 'yes' to all questions)
Now, run the complete command in your terminal:
sqlmap -u "http://127.0.0.1/index.php?id=1" --proxy=http://127.0.0.1:8080 --dbs --batch
You will see sqlmap's output in the terminal as it starts testing the target. It will first confirm the parameter id is vulnerable and then list the available databases.
The output should look similar to this (the version numbers and some details may vary):
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.x.x#dev}
|_ -| . [.]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org
[INFO] starting @ ...
...
[INFO] GET parameter 'id' is 'MySQL >= 5.0 boolean-based blind' injectable
[INFO] GET parameter 'id' is 'MySQL >= 5.0.12 stacked queries' injectable
[INFO] GET parameter 'id' is 'MySQL >= 5.0.12 time-based blind' injectable
...
[INFO] fetching database names
[INFO] the following databases are available [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[INFO] fetched data logged to text files under '/home/labex/.sqlmap/output/127.0.0.1'
While sqlmap is running, it is sending hundreds of requests through Burp Suite.
Observe the sqlmap-generated Traffic in Burp Suite's HTTP History
In this step, you will switch back to Burp Suite to see the traffic that sqlmap generated during its scan.
Bring the Burp Suite window to the front.
- Ensure you are on the Proxy tab.
- Click on the HTTP history sub-tab.
You will now see a table filled with HTTP requests. All of these requests were sent by sqlmap to the target server via the Burp proxy.
Take a moment to observe the list:
- Host: All requests are directed to 127.0.0.1.
- Method: Most requests are GET requests.
- URL: The URL is always /index.php, but the id parameter in the query string changes with every request.
This view provides a complete log of sqlmap's activity. You can see the sheer volume of requests an automated tool generates to test for a single vulnerability class. This is the primary benefit of using a proxy: it makes the tool's "black box" operations visible.
Analyze the Payloads Sent by sqlmap through the Proxy
In this step, you will take a closer look at the individual requests to understand the specific payloads sqlmap uses to detect and exploit SQL injection vulnerabilities.
In the Burp Suite HTTP history tab, click on any request in the list. When you select a request, two new panels will appear below the list: Request and Response.
Click on the Request panel to view the raw HTTP request sent by sqlmap. Pay close attention to the id parameter in the URL. You will see various payloads being tested.
For example, you might find a boolean-based blind payload like this:
GET /index.php?id=1%20AND%208003=8003 HTTP/1.1
Host: 127.0.0.1
...
Here, sqlmap is testing if the application responds differently when a true condition (AND 8003=8003) is injected. The %20 is the URL-encoded representation of a space.
You might also find a time-based blind payload:
GET /index.php?id=1%20AND%20(SELECT%202079%20FROM%20(SELECT(SLEEP(5)))IImL) HTTP/1.1
Host: 127.0.0.1
...
With this payload, sqlmap is injecting a SLEEP(5) call. If the server takes 5 seconds longer to respond, sqlmap concludes that the injected SQL was executed and that the parameter is injectable.
By analyzing these requests, you gain a much deeper understanding of how automated scanners work. You can see the logic they use to confirm vulnerabilities, which is far more educational than just seeing the final result in the terminal.
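From the defender's side, the two payload shapes shown above can also be spotted in web server access logs. The following is an added example, not part of the original lab: the log lines are constructed, and the function names and regular expressions are illustrative assumptions. It URL-decodes the id parameter of each logged request and labels it.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not captured from a real scan).
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=1%20AND%208003=8003 HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=1%20AND%208003=1207 HTTP/1.1" 200 340
127.0.0.1 - - [01/Jan/2024:10:00:08 +0000] "GET /index.php?id=1%20AND%20(SELECT%202079%20FROM%20(SELECT(SLEEP(5)))IImL) HTTP/1.1" 200 512
"""

# Request line inside a combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Numeric comparison appended with AND/OR, e.g. "AND 8003=8003".
BOOLEAN_RE = re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I)
# Delay function call, e.g. "SLEEP(5)".
TIME_RE = re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)


def classify(value):
    """Label one URL-decoded parameter value."""
    if TIME_RE.search(value):
        return "time-based"
    if BOOLEAN_RE.search(value):
        return "boolean-based"
    return "clean"


def scan(log_text, param="id"):
    """Count payload classes seen in `param` across all log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs URL-decodes values, so %20 becomes a space.
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query).get(param, []):
            counts[classify(value)] += 1
    return counts


if __name__ == "__main__":
    print(dict(scan(SAMPLE_LOG)))
```

The two patterns cover only the boolean-based and time-based shapes discussed in this step; other techniques and encoded variants need their own rules.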
Summary
In this lab, you successfully integrated the sqlmap automated scanning tool with the Burp Suite intercepting proxy.
You learned how to:
- Launch Burp Suite and confirm its proxy listener is running on 127.0.0.1:8080.
- Use the --proxy argument in sqlmap to route all its traffic through Burp Suite.
- Execute a scan with the proxy enabled to generate traffic.
- Observe the full list of HTTP requests in Burp Suite's HTTP history tab.
- Analyze individual requests to understand the specific boolean-based and time-based SQL injection payloads that sqlmap uses to identify vulnerabilities.
This technique is fundamental for any web security tester, as it provides critical insight into the behavior of automated tools and allows for greater control and analysis during a penetration test.


