hunt-sqli

SKILL.md

Crown Jewel Targets

SQL injection remains one of the highest-paying vulnerability classes in bug bounty because it directly threatens data confidentiality, integrity, and availability at scale.

Highest-value targets:

  • SaaS platforms with multi-tenant databases — one injection can expose all customer data
  • E-commerce/payment systems — PII, card data, transaction records
  • Search endpoints — user-controlled input passed directly to queries (e.g., Rockstar Games /search)
  • Analytics/tracking subdomains — often built fast, tested less (e.g., sctrack.email.uber.com.cn)
  • Third-party plugins on enterprise installs — WordPress plugins, CMS extensions running on corporate domains (Uber's Huge IT Video Gallery)
  • Internal tooling exposed externally — Apache Airflow, GitHub Enterprise, admin dashboards
  • NoSQL backends (MongoDB) — often overlooked, same injection class, different syntax

Asset types that pay most:

  • Production APIs with /search, /filter, /sort, /report parameters
  • Subdomains with legacy stacks (.cn, .co, .io regional variants)
  • Self-hosted open-source tools (Airflow, GitLab, Jenkins) on bounty scope
  • Email tracking and analytics infrastructure

Installs: 34
GitHub Stars: 2.6K
First Seen: May 24, 2026
hunt-sqli — elementalsouls/claude-bughunter