SKILL: SQL Injection — Expert Attack Playbook

AI LOAD INSTRUCTION: Advanced SQLi techniques. Assumes basic UNION/error/boolean-blind fundamentals known. Focuses on: per-database exploitation, out-of-band exfiltration, second-order injection, parameterized query bypass scenarios, filter evasion, and escalation to OS. For real-world CVE cases, SMB/DNS OOB exfiltration, INSERT/UPDATE injection patterns, and framework-specific exploitation (ThinkPHP, Django GIS), load the companion SCENARIOS.md.

0. RELATED ROUTING

• ghost-bits-cast-attack when the backend is Java with Jackson and your SQL keywords are WAF-blocked — Jackson's charToHex table is indexed by ch & 0xFF, so a Unicode character like 丰 (U+4E30) resolves to hex digit 0 inside a \uXXXX escape sequence, letting you smuggle UNION, SELECT, 1, etc. without the WAF ever seeing them

1. QUICK START

Extended Scenarios

Also load SCENARIOS.md when you need:

• SMB out-of-band exfiltration via LOAD_FILE + UNC paths (Windows MySQL)
• KEY injection / URI injection / non-parameter injection points
• INSERT/DELETE/UPDATE statement injection differences
• ThinkPHP5 array key injection (updatexml error-based)
• Django GIS Oracle utl_inaddr.get_host_name CVE
• ORDER BY / LIMIT injection techniques