SQL Injection 💉

HACK3R Challenge!

🐛 Report Bugz · 📫 Contact me · ☕Buy me Coffee

Show your support and give this repo a 💫

ℹ️ Table of Content

1. Overview
2. Requirements
3. Source Code
4. Screenshot
5. Demonstration
6. Setup Instructions
7. Usage
8. Discussions
9. Contact me
10. License

💡Overview

SQL injection is a type of cybersecurity attack that targets data-driven applications by inserting or "injecting" malicious SQL statements in the input field of a web page. Run this script, and try to execute a SQL Injection attack on a mock database that was designed for this challenge. If successful, you’ll have an opportunity to answer some fun Bonus Challenge Questions.

💥 Bonus Challenge Questions

After succefully dumping the database, try solving the following Bonus Questions:

1. Decrypt the administrator’s password. Hint: MD(101)
2. What 1995 "crime/action/romance" movie did these users played in? Hint: Solve the first bonus question.

Requirements

Required	Version
Python	3.0 +
sqlite3	3.39.2
requests	2.28.1

⚡Source Code

Click to view source code

import sqlite3
import requests

# SQL statements:
CREATE_USERS_TABLE = "CREATE TABLE IF NOT EXISTS usernames (id INTEGER PRIMARY KEY, username TEXT, password TEXT);"
INSERT_USER_DATA = "INSERT INTO usernames (username, password) VALUES (?, ?)"


def get_userdata() -> list:
    """Returns username, and password in tuple from online username.dat file."""
    # url to username and password file
    URL = "https://pastebin.com/raw/ih7szSSv"
    raw = [i.strip() for i in requests.get(URL).text.split('\n')]
    output = []
    for i in raw:
        users = i.split(', ')[0].split(',')[0]
        passwords = i.split(', ')[0].split(',')[1]
        output.append((users, passwords))
    return output


# Create database in memory
conn = sqlite3.connect(":memory:")
# Get usernames and passwords
user_data = get_userdata()

# Create table
conn.execute(CREATE_USERS_TABLE)
# Insert username, passwords into database
conn.executemany(INSERT_USER_DATA, user_data)


while True:
    INJECTION = input("Enter your SQL Injection:\n>  ")
    sql = f"SELECT * FROM usernames WHERE id = 776 {INJECTION}"
    try:
        results = conn.execute(sql).fetchall()
        if results:
            print(f"\n\033[92m" + "Good job, you did it!" + "\033[0m")
            with conn:
                for row in results:
                    print(row)
            conn.close()
            break
    except sqlite3.OperationalError as e:
        print("\n\033[91m" + "Nope, try again!" + "\033[0m")
        pass

Screenshot

Demonstration

Setup Instructions

Create a Virtual Environment using Pipenv

1. Download zip file
2. Extract zip files
3. Change directory into the sql-injection-attack-challenge\app directory:

$ cd sql-injection-attack-challenege

4. Install from Pipfile:

$ pipenv install  

5. Run the application from within virtual environment:

$ pipenv run python app/script.py

ℹ️ Virtual Environment Reference.

Usage

Once you run the script, you will be prompted to "Enter you SQL Injection". Keep trying until you successfully achieve a SQL Injection attack! For more information read documentation.

Reporting Issues

For instructions on reporting issues please read our Contributing Guidelines.

Discussions

Have any Questions or suggestions? Visit Discussions which is a space for our community to have conversations, ask questions and post answers without opening issues. Please read our Code of Conduct which defines the standards for engaging with the community!

Contact me

If you have any questions or wish to collaborate please contact me please feel free to contact me:

• Seraph : seraph776@gmail.com

License

MIT © Seraph 天

[↑] Back to top