# Assess SQL Injection with sqlmap

SQL injection testing can be risky and hard to document consistently. This skill structures authorized sqlmap workflows for detection, validation, enumeration, and remediation reporting.

## Install

```bash
npx skillstore add agentsecops/webapp-sqlmap
```

## Metadata

- Slug: agentsecops-webapp-sqlmap
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/offsec/webapp-sqlmap
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: high
- Risk factors: external_commands, network, filesystem, env_access, scripts
- Quality score: 38
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/agentsecops-webapp-sqlmap
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-webapp-sqlmap/manifest

## Capabilities

- Plans authorized SQL injection testing workflows with scope and data handling checks.
- Explains sqlmap options for GET, POST, cookie, header, and request-file testing.
- Guides database fingerprinting, database enumeration, table listing, and controlled data extraction.
- Provides reporting guidance with OWASP, CWE, MITRE ATT&CK, PCI-DSS, and ISO references.
- Includes operational safeguards for rate limiting, session handling, logging, and cleanup.
- Adds defensive remediation guidance for parameterized queries, least privilege, and monitoring.

## Use Cases

- Authorized Penetration Test: Structure a scoped sqlmap assessment, validate injection points, and document database exposure with remediation guidance.
- Developer Vulnerability Validation: Reproduce a reported SQL injection issue in a controlled environment and confirm that a fix blocks exploitation.
- Audit Evidence Preparation: Prepare concise evidence, impact statements, and control mappings for an authorized web application assessment.

## Prompt Templates

### Plan a Basic Check

```
Help me plan an authorized sqlmap check for one in-scope URL. Include authorization, safe test settings, evidence to collect, and reporting notes.
```

### Review a Request File

```
Review this captured HTTP request for in-scope SQL injection testing. Identify likely parameters, safe sqlmap options, and data handling precautions.
```

### Validate a Finding

```
I have approval to validate a suspected SQL injection. Build a minimal sqlmap workflow that confirms impact without dumping unnecessary sensitive data.
```

### Prepare an Assessment Report

```
Convert these authorized sqlmap results into a professional finding with impact, evidence summary, CWE and OWASP mapping, risk rating, and remediation steps.
```

## Limitations

- Requires explicit written authorization before testing any target system.
- Does not replace human judgment for scope, legal approval, or production safety decisions.
- Can produce invasive commands that may disrupt applications or expose sensitive data.
- Does not verify that a target, credential, or request file is within the approved assessment scope.

## Best Practices

- Confirm written authorization, scope, test window, and data handling rules before running sqlmap.
- Start with low-impact detection and increase risk only when the engagement rules allow it.
- Report summarized evidence and redact sensitive values from all deliverables.

## Anti Patterns

- Testing public or third-party targets without explicit written permission.
- Dumping full databases when a smaller proof of impact is sufficient.
- Using WAF bypass, shell, or file-write options outside a clearly approved objective.

## Security Audit

- Safe to publish: false
- Audited at: 2026-06-28T06:35:40.86+00:00
- Summary: The static findings are mixed: generic reference templates create many false positives, but the main skill contains confirmed dual-use offensive sqlmap guidance. The skill is not deceptive and includes authorization warnings, but it provides explicit workflows for data extraction, file access, OS shells, WAF evasion, and Tor use, so it should not be published without strict marketplace controls.

## Stats

- Views: 229
- Downloads: 9
- Favorites: 0
- Popularity score: 0
