Interactive · Browser-based · No backend

SQL Injection Lab

Five interactive levels covering classic auth bypass, UNION-based exfiltration, blind boolean injection, error-based fingerprinting, and second-order stored attacks. Real SQL execution in your browser via SQL.js — your inputs hit a real SQLite engine, not a simulation. Toggle between vulnerable and parameterized implementations to see exactly why one breaks and the other doesn't.

How this works
Everything runs locally in your browser. Each tab gets its own isolated SQLite database loaded via WebAssembly. Nothing you type leaves your machine — the server never sees your queries. Refresh to reset the DB at any time.

The five levels

[ START WITH 01 ]

Suggested progression

[ TIPS ]
  1. Start with Level 1 in vulnerable mode. Try the classic ' OR 1=1 -- in the username field. Read the executed query and see what your input becomes.
  2. Switch the same level to Safe mode and try the exact same payload. Watch it fail. That's the entire point of parameterized queries.
  3. Move to Level 2. Goal: extract the contents of the secrets table. There's a FLAG{...} waiting for you.
  4. Level 3 — try writing a small script (browser console works) that recovers admin's password through the boolean oracle.
  5. Level 4 lets you progressively craft payloads using error feedback.
  6. Level 5 — plant a payload as a stored author name, then trigger it on read. Realize that "sanitize on input" doesn't actually solve anything.
  7. Read the cheatsheet last for the bigger picture.
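The two login implementations behind steps 1 and 2, side by side, as an added example that is not the lab's own code: Python's standard sqlite3 module stands in for SQL.js (same SQLite engine), and the users table and its rows are constructed here to mirror the seed accounts listed on this page.

```python
import sqlite3

# Constructed seed data mirroring the lab's test accounts (not the lab's own schema).
SEED_USERS = [
    ("admin", "admin_p4ssw0rd!", "admin"),
    ("alice", "pa55word123", "user"),
    ("bob", "qwerty2024", "user"),
    ("guest", "guest", "user"),
]


def make_db():
    """Fresh in-memory SQLite database, like the lab's per-tab DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """'Vulnerable mode': user input is spliced straight into the SQL text.

    Returns (executed_sql, matched_row) so the reader can see what the
    input became, exactly as the lab shows the executed query.
    """
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return sql, row


def login_safe(conn, username, password):
    """'Safe mode': same query shape, but the values travel as bound parameters.

    The SQL text is fixed; the engine never parses the input as SQL, so a
    quote or '--' inside it is just characters to compare against.
    """
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return sql, row


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 --"  # the classic payload from step 1
    for fn in (login_vulnerable, login_safe):
        sql, row = fn(conn, payload, "anything")
        print(f"{fn.__name__}:\n  {sql}\n  -> {row}")
```

In vulnerable mode the `--` comments out the password check and `OR 1=1` matches every row, so the first row (admin) comes back; in safe mode the same string is compared literally and no row matches.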

Test accounts (for reference)

[ SEED DATA ]

Accounts seeded in the lab database. The whole point of injection is that you don't actually need to know these to log in as them — they're listed for reference so you know what's in the DB.

Username   Password          Role
admin      admin_p4ssw0rd!   admin
alice      pa55word123       user
bob        qwerty2024        user
guest      guest             user