sqlmap-rs
Available on Crates.io: https://crates.io/crates/sqlmap-rs
A type-safe, asynchronous Rust orchestrator for the world's most powerful SQL injection testing tool.
sqlmap-rs spawns sqlmap's native REST server (sqlmapapi.py) on localhost (127.0.0.1) and communicates via a strictly-typed Tokio JSON pipeline. Tasks use RAII-style cleanup on drop (best-effort; task deletion requires an active Tokio runtime).
Features
- Core API coverage — start, stop, kill, log, data, option introspection
- Builder pattern — fluent
SqlmapOptions::builder()with 40+ options - Multi-format output — JSON, CSV, Markdown, and plain text
- RAII lifecycle — best-effort task cleanup on drop, daemon killed on engine drop
- Port conflict detection — prevents silent connection to wrong daemons
- Configurable polling — custom intervals and HTTP timeouts
Installation
[]
= "0.2.2"
= { = "1", = ["full"] }
Prerequisite: sqlmapapi must be in your system $PATH.
Setup (one-command)
Option A: Conda (recommended for isolation)
Option B: Setup script (auto-detects or installs conda + sqlmap)
# or with custom env name:
Option C: Manual
# verify:
Quick Start
use ;
async
Scan Lifecycle Control
// Gracefully stop a running scan
task.stop.await?;
// Force-kill a scan
task.kill.await?;
// Retrieve execution logs
let logs = task.fetch_log.await?;
// Inspect configured options
let options = task.list_options.await?;
Advanced Options
The builder covers 40+ sqlmap options including tamper scripts, Tor routing, crawling, second-order injection, and file I/O:
let opts = builder
.url
.tamper
.tor
.tor_port
.crawl_depth
.second_url
.prefix
.suffix
.get_dbs
.dump_all
.build;
Security & Memory
- Task Drop: When
SqlmapTaskleaves scope, a background task deletes the execution context from the daemon when a Tokio runtime is active. Without a runtime, cleanup is skipped (best-effort). - Engine Drop: When
SqlmapEngineis dropped, the daemon subprocess receives a kill signal (best-effort). - Port Safety: The engine detects port conflicts before spawning, preventing accidental connection to unrelated services on the same port.
- Localhost only: The API client always targets
127.0.0.1; there is no remote-daemon mode.
License
MIT License