SQL Injection labs

sqli.vulnlab.dev

Five labs covering the SQLi detection surface most tools care about: in-band UNION extraction, error-based extraction via verbose exceptions, blind boolean oracle, blind time-based via SLEEP(), and second-order through stored input.

All labs sit on top of a single MariaDB schema (vulnlab_sqli) seeded with users, products, and a secrets table whose rows are the per-lab flags.

Labs

In-band UNION-based SQLi string-concatenated SELECT
Product category filter concatenated into SQL; result rows are rendered.
Error-based SQLi (login) string-concatenated SELECT + raw exception render
Login query concatenates user input AND the app renders raw SQL errors.
Blind SQLi (boolean oracle) string-concatenated SELECT (no error reflection)
Product lookup leaks only existence. No errors, no reflection.
Blind SQLi (time-based) string-concatenated SELECT (no response variation)
Username availability returns identical responses; only query time leaks.
Second-order SQLi stored input -> later string-concatenated SELECT
Registration is parameterized; profile view re-uses stored input unsafely.

For tool builders

Source for every lab is published. Each lab page links to its own source via /source/<slug>. Each lab also exposes a JSON detection hint at /meta/<slug> (and an index at /meta/) describing what a scanner should report: CWE, subtype, sinks, exploit examples, success markers, tags.