Administrator, July 13, 2021 at 9:58 pm
Burp, sqlmap, and Commix serve very different purposes. Yes, Burp does have some tooling that can do scans for sqli or OS command injections, but sqlmap is dedicated to finding sqli and Commix is dedicated to finding OS command injections. Those tools were built for very specific purposes instead of trying to do everything under the sun.
This is a terrible analogy, but my brain is mush right now and I can’t think of a better one: it’s kind of like if you bought a weed eater and asked if you could cut your grass with it. Technically you could, but it’ll take longer and won’t look even or good at all. So instead, you go and get a tool dedicated to the task: a lawnmower. The lawnmower will do a great job of cutting your grass, but it won’t help with your edges or the rest of your yard.
So oftentimes, you’ll use a proxy tool like Burp or ZAP to thoroughly check out your target, and if you find interesting endpoints that you want to test for sqli, you’ll pull out sqlmap and use the information you’ve proxied from Burp to craft attacks with sqlmap.