A Burp Suite extension that launches and tracks sqlmap runs from inside Burp. Right-click a request → "Send to sqlmap" → it pre-fills a request file, you tweak the options in a dedicated tab, and the extension spawns sqlmap and surfaces its output without leaving Burp.
SQL-injection testing is intrusive. Use this only against systems you own or are explicitly authorized to test (pentest engagement, bug-bounty in-scope, CTF, lab).
The store extension for this was clunky; this one is a thin, predictable wrapper — Burp hands a captured request straight to sqlmap, you keep one tab for options/output, and you never lose Burp's session/scope context.
flowchart LR
subgraph BURP["Burp Suite + this extension"]
REQ["a request in Proxy / Repeater"] -->|"right-click → Send to sqlmap (GUI)"| CTX["SqlmapExtension<br/>(context-menu provider)"]
CTX -->|"pre-fill a request file + options"| TAB["SqlmapPanel<br/>the 'sqlmap' suite tab — options + output"]
TAB -->|"Run / Stop"| CTX
end
CTX -->|"spawns: sqlmap -r request.txt <options>"| SQLMAP["sqlmap process"]
SQLMAP -->|stdout/stderr| TAB
SQLMAP -->|HTTP requests| TARGET[(target web app)]
Requirements: Burp Suite (Montoya API), JDK 17+ to build, sqlmap on PATH.
./gradlew shadowJar # -> build/libs/*.jar
# Burp: Extensions → Add → Java → select the jar

- In the proxy/repeater, right-click a request → Send to sqlmap (GUI).
- The sqlmap tab opens pre-filled; adjust the target/options.
- Run; sqlmap's output streams into the tab. Stop from the same tab.
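
The Run / Stop step above, sketched as an added example (not this extension's own code): sqlmap is started from an argument list rather than a shell string, so option text is never re-parsed as a command, and its output is streamed line by line. The class `SqlmapLauncher`, its method names, the `sink` callback standing in for the tab's output area, and the choice to pass `--batch` are assumptions made for illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Consumer;

// Hypothetical helper for illustration; not a class from this repository.
public final class SqlmapLauncher {
    // Argument vector, never a shell string: each option stays one argv entry,
    // so text typed in the options field cannot turn into a second command.
    static List<String> buildCommand(Path requestFile, List<String> options) {
        List<String> cmd = new ArrayList<>(List.of("sqlmap", "-r", requestFile.toString(), "--batch"));
        for (String opt : options) {
            if (opt.isBlank() || opt.indexOf('\0') >= 0) {
                throw new IllegalArgumentException("rejected option");
            }
            cmd.add(opt);
        }
        return cmd;
    }

    // Starts sqlmap, merges stderr into stdout and hands each output line to the sink.
    static Process start(Path requestFile, List<String> options, Consumer<String> sink) throws IOException {
        Process p = new ProcessBuilder(buildCommand(requestFile, options)).redirectErrorStream(true).start();
        p.getOutputStream().close(); // sqlmap gets no stdin; --batch answers its prompts with defaults
        Thread reader = new Thread(() -> {
            try (BufferedReader r = new BufferedReader(
                    new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
                r.lines().forEach(sink);
            } catch (IOException | UncheckedIOException e) {
                sink.accept("[output stream closed: " + e.getMessage() + "]");
            }
        }, "sqlmap-output");
        reader.setDaemon(true); // a forgotten run must not keep the JVM alive
        reader.start();
        return p;
    }

    // Stop: sqlmap on PATH may be a wrapper script, so end its child processes as well.
    static void stop(Process p) {
        p.descendants().forEach(ProcessHandle::destroy);
        p.destroy();
    }
}
```

The request file passed to `-r` holds the captured request, including any cookies or tokens, so it belongs in a fresh temporary file that is deleted once the run ends.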
src/main/java/com/example/sqlmap/
├── SqlmapExtension.java # BurpExtension + context-menu provider; spawns sqlmap
├── SqlmapPanel.java # the "sqlmap" suite tab (options + output)
└── SqlmapSettings.java # options model
build.gradle # Java 17, shadowJar
burp-gobuster — content-discovery / fuzzing inside Burp (with gocrawlerd).
Part of my work — more at zz0r0.fr.