hunt-sqli

Solid

Hunting skill for sqli vulnerabilities. Built from 12 public bug bounty reports including modern NoSQL injection (Rocket.Chat CVE-2021-22911 MongoDB $regex, Mongoose ORM CVE-2024-53900 $where bypass), modern ORM raw-fragment SQLi (Django CVE-2024-42005, Sequelize GHSA-wrh9-cjv3-2hpw), second-order SOQL injection (HackerOne Salesforce), time-based blind SQLi in GraphQL resolvers, and SQLi on OIDC-proxy backends. Use when hunting SQLi / NoSQLi on any target.

API & Backend 1,380 stars 195 forks Updated 4 days ago NOASSERTION

Install

View on GitHub

Quality Score: 85/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
80
License 10%
100
Description 5%
100

Skill Content

## Crown Jewel Targets SQL injection remains one of the highest-paying vulnerability classes in bug bounty because it directly threatens data confidentiality, integrity, and availability at scale. **Highest-value targets:** - **SaaS platforms with multi-tenant databases** — one injection can expose all customer data - **E-commerce/payment systems** — PII, card data, transaction records - **Search endpoints** — user-controlled input passed directly to queries (e.g., Rockstar Games `/search`) - **Analytics/tracking subdomains** — often built fast, tested less (e.g., `sctrack.email.uber.com.cn`) - **Third-party plugins on enterprise installs** — WordPress plugins, CMS extensions running on corporate domains (Uber's Huge IT Video Gallery) - **Internal tooling exposed externally** — Apache Airflow, GitHub Enterprise, admin dashboards - **NoSQL backends (MongoDB)** — often overlooked, same injection class, different syntax **Asset types that pay most:** - Production APIs with `/search`, `/filter`, `/sort`, `/report` parameters - Subdomains with legacy stacks (`.cn`, `.co`, `.io` regional variants) - Self-hosted open-source tools (Airflow, GitLab, Jenkins) on bounty scope - Email tracking and analytics infrastructure --- ## Attack Surface Signals **URL patterns that suggest injectable parameters:** ``` /search?q= /filter?category= /sort?by=&order= /report?start_date=&end_date= /api/v1/items?id= /index.php?id= /gallery?album_id= /track?uid=&campaign= ?page=&limit=&offset= ``` ...

Details

Author
elementalsouls
Repository
elementalsouls/Claude-BugHunter
Created
3 weeks ago
Last Updated
4 days ago
Language
Python
License
NOASSERTION

Integrates with

Anthropic · AI GitLab · DevTools Jenkins · DevTools MongoDB · Database Django · Backend WordPress · CMS GraphQL · API

Similar Skills

Semantically similar based on skill content — not just same category

API & Backend Solid

hunt-graphql

Hunting skill for graphql vulnerabilities. Built from 12 public bug bounty reports across IDOR via node() / GID, mutation IDOR including AI/LLM features, cross-tenant IDOR, SSRF via argument, batching-DoS, query-cost-bypass, SQLi via argument, broken-object-level-authz, auth-bypass via unscoped mutations, and PII exposure from missing field-level authz. Use when hunting graphql on any target.

1,380 Updated 4 days ago
elementalsouls
AI & Automation Solid

hunt-misc

Hunting skill for misc vulnerabilities. Built from 225 public bug bounty reports. Use when hunting misc on any target.

1,380 Updated 4 days ago
elementalsouls
AI & Automation Solid

hunt-xss

Hunting skill for xss vulnerabilities. Built from 174 public bug bounty reports. Use when hunting xss on any target.

1,380 Updated 4 days ago
elementalsouls
AI & Automation Solid

hunt-csrf

Hunting skill for csrf vulnerabilities. Built from 15 public bug bounty reports including modern variants — SameSite=Lax sibling-subdomain bypass (Argo CD CVE-2024-22424), GraphQL mutations-via-GET (GitLab $3,370), framework-wide CSRF middleware disabled (Stripe Dashboard $5,000), path-traversal CSRF-token bypass (GitHub Enterprise CVE-2022-23732 $10k), Origin-omission bypass (TikTok $2,500), OAuth-state null-byte (Streamlabs), WebSocket CSRF / CSWSH (Coda), default-SameSite email-change → ATO (YoYo Games $400), social-account-link CSRF (HackerOne), JSON-CSRF via text/plain on email-change (TikTok $500). Use when hunting modern CSRF — heavy emphasis on chain-to-ATO patterns.

1,380 Updated 4 days ago
elementalsouls
AI & Automation Solid

hunt-ssrf

Hunting skill for ssrf vulnerabilities. Built from 15 public bug bounty reports including AWS metadata SSRF (HackerOne $25k Analytics PDF, Shopify Exchange $25k, Capital One 106M-record breach, Dropbox/HelloSign $4,913), GCP metadata SSRF (Snapchat $4k), Azure IMDS SSRF (Azure DevOps $15k chain, ChatGPT Custom Actions MSRC), DNS rebinding SSRF (Concrete CMS, GitLab UrlBlocker), gopher-protocol-to-Redis-RCE (Yahoo Mail $15k), link-preview SSRF (Reddit Matrix $6k), and headless-browser PDF-generator SSRF chains. Use when hunting SSRF on any target — OOB Collaborator confirmation mandatory for blind cases.

1,380 Updated 4 days ago
elementalsouls