A state-of-the-art, visually stunning interactive laboratory for ethical hackers and penetration testers. 100% Zero-Configuration. Built with an attacker's mindset, documented for defenders.
SQL Injection (SQLi) is an attack technique where malicious SQL code is inserted into an input field to manipulate backend database queries. A successful exploit can allow an attacker to:
- 📖 Read sensitive data from the database
- ✏️ Modify records (Insert / Update / Delete)
- 🛑 Execute admin-level database operations (e.g. shutdown)
- 📂 Recover files from the server filesystem
- 💻 In some cases, execute OS-level commands
SQLi is especially prevalent in PHP and ASP applications due to older functional interfaces. Java and ASP.NET apps are comparatively less vulnerable due to safer programmatic interfaces — but not immune.
⚠️ Severity is limited only by the attacker's skill and imagination. Consider SQL Injection a high impact vulnerability.
Unlike most SQL injection tutorials that just simulate strings or require you to set up bulky Docker/MySQL containers, SQLVulnInjector uses a real, auto-generating SQLite database engine.
- Zero Configuration: No XAMPP, no Docker, no MySQL setup required. Just run PHP. The lab generates a real
database.sqlitefile on the fly. - 100% Authentic Execution: Every single payload you enter is executed natively by the SQLite engine. If your payload is malformed, you fail. If it's brilliant, you succeed.
- Mini-CTF (Capture The Flag): The auto-generated database includes a hidden
secret_flagstable. Your ultimate goal across the scenarios is to useUNION SELECTand Blind SQLi techniques to extract these flags! - Glassmorphic UI: A dark, glowing interface that visualizes exactly how your payload manipulates the backend query in real-time.
No complex setups required. Just a standard PHP environment.
git clone https://github.com/ashfiexe/SQLVulnInjector.git
cd SQLVulnInjector
# Serve with PHP's built-in robust server
php -S localhost:8000Navigate to http://localhost:8000/. The lab will instantly build the database and you are ready to hack.
Goal: Bypass authentication and extract all user credentials.
| Field | Malicious Input |
|---|---|
| Username | " OR ""=" |
| Password | " OR ""=" |
Query becomes:
SELECT * FROM users WHERE name = "" OR ""="" AND pass = "" OR ""=""OR ""="" always evaluates to true — returns every row in the table.
Goal: Permanently destroy a table using stacked queries.
| Field | Malicious Input |
|---|---|
| Username | nuclearfusion; DROP TABLE Suppliers |
| Password | password |
Query becomes:
SELECT * FROM users WHERE username = "nuclearfusion"; DROP TABLE stockPortfolio;DROP TABLE is an auto-committed statement — unlike DELETE, it cannot be rolled back. The data and table structure are gone permanently.
The ultimate, industry-standard defense. Parameters are treated strictly as variable data, not executable SQL code. Try your hardest payloads here—they will fail to alter the query logic.
The server hides all database errors and does not return the actual tables rows. To extract data, an attacker is forced to ask the database True/False questions (Boolean Blind). To measure time delays in SQLite, attackers can use heavy computational functions like randomblob().
Try injecting: ' AND (SELECT randomblob(1000000000)) --
Shows how a payload can be safely inserted into the database using prepared statements, only to detonate later when an unsuspecting admin script or background job reads that exact stored payload and injects it unsafely into a second query. Can you extract the secret_flags from here?
Modern REST APIs receive JSON objects. This simulation takes a raw JSON string. Break the JSON schema to construct a malicious query.
Try injecting: {"user_id": "1' UNION SELECT id, flag_name, flag_value FROM secret_flags --"}
SQL parameters treat all user input as literal values, never as executable SQL. They are added to the query at execution time, not during construction.
name = getRequestString("PatientName")
addr = getRequestString("Address")
city = getRequestString("City")
zipc = getRequestString("Zip")
txtSQL = "INSERT INTO Patients (PatientName,Address,City,Zip) VALUES(@0,@1,@2,@3)"
db.Execute(txtSQL, name, addr, city, zipc)In PHP using PDO:
$stmt = $dbh->prepare("INSERT INTO Patients (PatientName,Address,City,Zip) VALUES (:name, :addr, :city, :zipc)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':addr', $addr);
$stmt->bindParam(':city', $city);
$stmt->bindParam(':zipc', $zipc);
$stmt->execute();The SQL engine validates each parameter against its expected column type. Injected SQL is treated as a string — not executed.
SQLVulnInjector/
├── api/
│ ├── setup-db.php # Auto-generates the SQLite database & CTF flags
│ ├── getdata.php # Level 1: Raw Injection
│ ├── getdata-encoding.php # Level 2: Encoding Bypass
│ ├── getdata-prepare.php # Level 3: Parameterized (Safe)
│ ├── getdata-blind.php # Level 4: Time-Based / Blind
│ ├── getdata-second-order.php # Level 5: Second-Order
│ ├── getdata-json.php # Level 6: JSON Structure Injection
│ └── database.sqlite # Auto-generated by setup-db.php
├── public/
│ ├── index.html # Main laboratory interface
│ ├── style.css # Glassmorphism styling
│ └── script.js # Frontend API interaction logic
└── README.md
git clone https://github.com/ashfiexe/SQLVulnInjector.git
cd SQLVulnInjector
# Serve using PHP's built-in robust server, explicitly pointing to the public directory
php -S localhost:8000 -t publicNavigate to http://localhost:8000/. The lab will instantly build the database and you are ready to hack.
Tested in a local environment. Never deploy on a public server.
This project is for educational and research purposes only. All demonstrations are conducted in an isolated local environment. Unauthorized use of these techniques against systems you do not own is illegal. The author bears no responsibility for misuse.
MIT © ashfiexe