skills/sqli/SKILL.md
Use when testing SQL injection, SQLi, database query injection, parameter tampering against SQL-backed endpoints, error-based injection, boolean/time-based injection, or stacked query behavior.
Install: `npx skillsauth add ghostonbutterbread/bug-bounty-harness sqli`
Test for SQL Injection vulnerabilities.
Caution: Non-destructive tests only. Do not extract data.
Read shared state in this order before testing:
1. notes/summary.md
2. notes/observations.md
3. checklist.md (SQLi items only)
4. todo.md (SQLi items only)

Also load:

- general-security-testing-policy
- live-testing-policy
- injection-testing-policy

No visible error or response delta from the first SQLi probe is not a stop reason by itself. Classify the likely query context and control first, then run paired error, boolean, timing, or result-shaping probes as allowed.
There is no dedicated agents/sqli_hunter.py in this repo. Treat your browser/proxy request replay workflow as the primary execution surface and use agents/payload_mutator.py to generate context-aware SQLi variants after you have classified the sink.
```
python agents/payload_mutator.py "' OR 1=1--" --type sqli --count 12
```

Referenced paths:

- $HARNESS_ROOT/prompts/sqli-playbook.md
- $HARNESS_ROOT/prompts/sqli-payloads.md
- $HARNESS_SHARED_BASE/{program}/agent_shared/
- $HARNESS_SHARED_BASE/{program}/agent_shared/findings/sqli/findings.md
- $HARNESS_SHARED_BASE/{program}/agent_shared/findings/sqli/

| Mode | Use When | What It Confirms |
|------|----------|------------------|
| error | Input causes syntax changes or stack traces | Whether the backend leaks parser or database fingerprints |
| boolean | Response changes without explicit errors | Whether the query logic is injectable without noisy output |
| time | Output is blind but the request timing is observable | Whether a delay primitive is reachable safely |
| union | The sink appears to return query results inline | Whether result-shaping and column control are possible without extraction |
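The four lanes in the table above, seen from the detection side. This is an added example, not code from the harness: it reads constructed access-log lines (embedded below, not real traffic) and classifies each request into the error, boolean, time or union lane, so a defender can check what each lane looks like in their own logs and tune alerting per lane.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache/nginx combined style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /item?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /item?id=1' HTTP/1.1" 500 87
10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /item?id=1%27+AND+1%3D1-- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /item?id=1%27+AND+1%3D2-- HTTP/1.1" 200 12
10.0.0.5 - - [01/Jan/2024:12:00:09 +0000] "GET /item?id=1%27+AND+SLEEP%285%29-- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:12:00:10 +0000] "GET /item?id=1+UNION+SELECT+NULL%2CNULL-- HTTP/1.1" 200 640
"""

# Pulls method, path, status and response size out of one combined-format log line.
LOG_RE = re.compile(r'"(?P<method>\w+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+)')

# One signature per lane, checked most-specific first so a request lands in a single lane.
# Patterns are deliberately coarse; they are for log triage, not a WAF ruleset.
LANE_PATTERNS = [
    ("time", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)),  # delay primitive
    ("union", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I)),                      # result shaping
    ("boolean", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),                      # true/false pairs
    ("error", re.compile(r"['\"]\s*(--|#|$)")),                                       # stray quote / comment
]


def classify_request(path: str) -> Optional[str]:
    """Return the probe lane a URL-decoded request path resembles, or None if it looks benign."""
    decoded = unquote_plus(path)
    for lane, pattern in LANE_PATTERNS:
        if pattern.search(decoded):
            return lane
    return None


def classify_log(text: str) -> list:
    """Classify every parsable line; keep status and size so boolean pairs and 5xx leaks stand out."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        lane = classify_request(m["path"])
        if lane:
            hits.append({"lane": lane, "path": m["path"], "status": int(m["status"]), "bytes": int(m["bytes"])})
    return hits


if __name__ == "__main__":
    for hit in classify_log(SAMPLE_LOG):
        print(f"{hit['lane']:8} status={hit['status']} bytes={hit['bytes']} {hit['path']}")
```

In the sample, the two boolean probes differ only in response size (512 vs 12 bytes) with identical status codes, which is exactly the "changes without explicit errors" signal the table describes; the error probe is the only 5xx.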
Use the mutator only after you know which lane you are in.
```
python agents/payload_mutator.py "' OR 1=1--" --type sqli --count 12
```

Options for agents/payload_mutator.py:

| Option | Description |
|--------|-------------|
| payload | Seed payload to mutate |
| --type | One of xss, sqli, or generic |
| --count | Number of variants to emit |
| --all-encodings | Include heavier encoding and obfuscation variants |
- prompts/sqli-playbook.md.
- prompts/sqli-payloads.md only after you have chosen the correct lane.
- agent_shared/findings/sqli/findings.md.
- checklist.md, todo.md, and relevant notes.