
1   thanos

Author: Tasdik Rahman

2   About

[Back to top]

A little taste of what can happen when you splice user-supplied arguments straight into your SQL query strings.

We use a GUI as the interface between the user and the database, try out different malicious input strings, and see whether we can get at the database.


Vulnerabilities (demo): thanos/vulnerable
Mitigated version: thanos/input-validation

2.1   Plan of action

  • [✓] Test for SQL injection vulnerabilities
  • [✓] Test input validation techniques
  • [✓] Suggest fixes for the vulnerabilities found (if any)
  • [✓] Make the GUI using tkinter
  • [ ] Write test cases

2.2   Mitigation techniques

  • [✓] Validating the email entered by using a custom regex
  • [✓] Replacing the string-formatted SQL constructs in the code with the pythonic (sqlite3 parameter-substitution) API
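The two mitigations above, side by side with the kind of string-formatted query they replace, as an added example that is not the project's own code. It builds an in-memory SQLite table with the same columns as the README's sare_log.db dump (email, name, serial_no, password) and constructed sample rows; the regex, function names and the example addresses are assumptions, not taken from thanos.

```python
import re
import sqlite3

# Constructed sample rows (same columns as the sare_log.db dump in the README;
# the email addresses are made up for this example).
SAMPLE_USERS = [
    ("admin@example.com", "Admin", 1, "admin123"),
    ("bar@example.com", "bar", 2, "foo123"),
    ("doe@example.com", "doe", 3, "john123"),
]

# Deliberately simple email pattern (an assumption, not the project's regex).
# Anything containing quotes, spaces or SQL punctuation fails it outright.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db():
    """Create a throwaway in-memory database with the users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT, name TEXT, serial_no INTEGER, password TEXT)"
    )
    # Parameter substitution is used even for the seed data.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def is_valid_email(email):
    """Mitigation 1: reject anything that does not look like an address."""
    return EMAIL_RE.match(email) is not None


def login_vulnerable(conn, email, password):
    """The 'before' version: user input is spliced into the SQL text.

    Whatever the user types becomes part of the statement's syntax, so a
    quote character in the input changes the meaning of the WHERE clause.
    """
    query = (
        "SELECT name FROM users WHERE email = '%s' AND password = '%s'"
        % (email, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, email, password):
    """The mitigated version: regex validation plus sqlite3 placeholders.

    With '?' placeholders the driver passes the values to SQLite separately
    from the statement text, so input can never be parsed as SQL.
    """
    if not is_valid_email(email):
        return None
    query = "SELECT name FROM users WHERE email = ? AND password = ?"
    row = conn.execute(query, (email, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # A legitimate login succeeds through both code paths.
    print("vulnerable, valid creds:", login_vulnerable(db, "bar@example.com", "foo123"))
    print("safe, valid creds:      ", login_safe(db, "bar@example.com", "foo123"))
    # The textbook tautology in the password field: the vulnerable path
    # returns the first user without knowing any password; the safe path
    # treats the same text as a literal (wrong) password and returns None.
    bad = "' OR '1'='1"
    print("vulnerable, injected:   ", login_vulnerable(db, "x@example.com", bad))
    print("safe, injected:         ", login_safe(db, "x@example.com", bad))
```

The regex check only guards the email field; the placeholder is what actually closes the hole, because it also protects the password field, where the tautology above lands. Note too that the sample table keeps passwords in plaintext exactly as the README's dump does, which is fine for a demo database but is a separate weakness in anything real.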

3   DEMO

NOTE: This is the secure version of the demo. Refer to the vulnerable one here

The database has the following user credentials in it:

tasdik at Acer in ~/Dropbox/projects/thanos on input-validation
$ sqlite3 sare_log.db
-- Loading resources from /home/tasdik/.sqliterc

SQLite version 3.9.2 2015-11-02 18:31:45
Enter ".help" for usage hints.
sqlite> select * from users;
email            name        serial_no   password
---------------  ----------  ----------  ----------
                 Admin       1           admin123
                 bar         2           foo123
                 doe         3           john123

When you enter correct user credentials that are present in the database, the login succeeds.

If wrong user details are entered, the login fails. Notice that the SQL statements are not executed with the raw input.

SQL injection anybody?

The threat was mitigated: the malicious SQL query was not executed.

4   Running it

[Back to top]

Urm. So how do I run it?

4.1   Installing the dependencies

I prefer to use virtual environments to keep the global python interpreter clutter-free, but you are free to do a system-wide install of the dependencies.

You should have `make` installed on your system.

$ git clone && cd thanos
$ make install

If `make install` gives you an error, try this:

$ pip install -r requirements.txt

4.2   Running it!

$ make run

Cleaning it up:

$ make clean

4.3   When in doubt

$ make help

5   FAQ

[Back to top]

5.1   Okay, But what does it do?

  • So there's this database called sare_log.db (which translates to all_people in English). We have some users' details stored inside this database.
  • We try to exploit the database, testing for some common vulnerabilities like:
    • SQL injection
    • input validation
  • More to come

5.2   Will I be able to run it on my PC?

I have tested this on macOS and Linux-based systems currently.

5.3   What's with the name?

Nothing! It's just that I read a lot of Marvel comics.

5.4   The code looks messy!

Well, so does your mom!

Jokes apart. As I said, this is still a work in progress.

6   Contributing

[Back to top]


6.1   Issues

[Back to top]

This project is still a work in progress, so feel free to make a PR or give suggestions by creating an issue.

6.2   Contributors

[Back to top]

Built with and after a lot of marshmallows by

7   Legal Stuff

[Back to top]

Built and maintained by Tasdik Rahman released under the MIT License. See the bundled LICENSE file for more details.


A dead simple demonstration of SQL injection in an SQLite database
