A dead simple demonstration of SQL injection in an SQLite database

1   thanos

http://imgs.xkcd.com/comics/exploits_of_a_mom.png
Author: Tasdik Rahman

2   About

A little taste of what can happen when you build your SQL query strings by formatting user-supplied arguments straight into them.

We will be using a GUI as the interface between the user and the database, try out different vulnerable strings, and see if we can access the database.

NOTE:

  • Vulnerabilities (demo): thanos/vulnerable
  • Mitigated version: thanos/input-validation

2.1   Plan of action

  • [✓] Test for SQL Injection vulnerabilities
  • [✓] Test for Input validation techniques
  • [✓] Suggest fixes to the vulnerabilities found (if any)
  • [✓] Making the GUI using tkinter
  • [ ] Writing testcases

2.2   Mitigation techniques

  • [✓] Validating email entered by using custom regex
  • [✓] Replacing the string-formatted SQL constructs in the code with the parameterized (pythonic) sqlite3 API

3   DEMO

NOTE: This is the secure version of the demo (the thanos/input-validation branch). Refer to the vulnerable one in the thanos/vulnerable branch.

The database has the following user credentials in it:

tasdik at Acer in ~/Dropbox/projects/thanos on input-validation
$ sqlite3 sare_log.db
-- Loading resources from /home/tasdik/.sqliterc

SQLite version 3.9.2 2015-11-02 18:31:45
Enter ".help" for usage hints.
sqlite> select * from users;
email            name        serial_no   password
---------------  ----------  ----------  ----------
admin@gmail.com  Admin       1           admin123
foo@outlook.com  bar         2           foo123
john@yahoo.com   doe         3           john123
sqlite>

When you enter correct user credentials that are present in the database.

If wrong user details are entered, notice that the SQL statements don't get executed.

SQL injection anybody?

The threat was mitigated: the malicious SQL query was not executed.
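To make the two branches concrete, here is an added example (not code from the thanos project) that puts the users table shown above into an in-memory SQLite database and places a string-formatted login query next to the two mitigations listed under "Mitigation techniques": a hypothetical email regex and the parameterized sqlite3 API. The table contents are constructed from the README; the regex and function names are assumptions.

```python
import re
import sqlite3

# Constructed copy of the users table from sare_log.db as shown in the README.
# Plaintext passwords are kept only to mirror the demo database.
USERS = [
    ("admin@gmail.com", "Admin", 1, "admin123"),
    ("foo@outlook.com", "bar", 2, "foo123"),
    ("john@yahoo.com", "doe", 3, "john123"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT, serial_no INTEGER, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


# Hypothetical email check in the spirit of the "custom regex" mitigation.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def valid_email(email):
    return EMAIL_RE.fullmatch(email) is not None


def login_vulnerable(conn, email, password):
    # The bug: user input is formatted directly into the SQL text, so a quote
    # in the input changes the structure of the query.
    query = "SELECT name FROM users WHERE email = '%s' AND password = '%s'" % (email, password)
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, email, password):
    # Mitigation 1: reject anything that is not shaped like an email address.
    if not valid_email(email):
        return None
    # Mitigation 2: parameter binding; sqlite3 passes the values to the engine
    # separately from the SQL text, so they can never alter the statement.
    row = conn.execute(
        "SELECT name FROM users WHERE email = ? AND password = ?", (email, password)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print(login_vulnerable(db, tautology, tautology))  # Admin: logged in without a password
    print(login_safe(db, tautology, tautology))        # None: rejected by the regex
    print(login_safe(db, "admin@gmail.com", tautology))  # None: bound as a literal value
```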

4   Running it

Urm. So how do I run it?

4.1   Installing the dependencies

I prefer to use virtual environments to keep the global Python interpreter clutter free, but you are free to do a system-wide install of the dependencies.

You should have `make` installed on your system.

$ git clone https://github.com/prodicus/thanos && cd thanos
$ make install

If make install gives you an error, try this:

$ pip install -r requirements.txt

4.2   Running it!

$ make run

Cleaning it up

$ make clean

4.3   When in doubt

$ make help

5   FAQ

5.1   Okay, But what does it do?

  • So there's this database called sare_log.db (which translates to all_people in English). We have some user details stored inside this database.
  • We try to exploit the database, testing for some common vulnerabilities like SQL injection and missing input validation.
  • More to come.

5.2   Will I be able to run it on my PC?

I have tested this on Mac and Linux based systems currently.

5.3   What's with the name?

Nothing! It's just that I read a lot of Marvel comics.

5.4   The code looks messy!

Well, so does your mom!

Jokes apart. As I said, this is still a work in progress.

6   Contributing

Refer to CONTRIBUTING.rst

6.1   Issues

This project is still a work in progress, so feel free to make a PR or give suggestions by creating an issue.

6.2   Contributors

Built with ♥ and after a lot of marshmallows by

7   Legal Stuff

Built and maintained by Tasdik Rahman released under the MIT License. See the bundled LICENSE file for more details.