from flask import Flask, request, redirect, render_template_string, session, url_for
import sqlite3
import hashlib
import os
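app = Flask(__name__)
# Flask signs the session cookie with this key, and /dashboard trusts whatever
# `user` value a validly signed cookie carries. A key committed to the repository
# lets anyone sign their own cookie and skip the login form entirely, so the key
# is taken from the environment, falling back to a fresh random key per process
# (existing sessions stop validating after a restart).
app.secret_key = os.environ.get("SQLI_DEMO_SECRET_KEY") or os.urandom(32)
# Relative path: the SQLite file is created in the process's working directory.
DB = 'vuln.db'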
def hash_md5(password):
    """Return the hex MD5 digest of *password* (encoded with str.encode()'s default, UTF-8).

    Kept as-is because the demo's seeded rows and login query depend on it.
    Unsalted MD5 is not a password-storage scheme: identical passwords give
    identical digests and the function is fast to brute-force. Real code
    should use a salted, deliberately slow KDF such as hashlib.scrypt or
    hashlib.pbkdf2_hmac.
    """
    digest = hashlib.md5()
    digest.update(password.encode())
    return digest.hexdigest()
# Fake user data: (username, email, mobile, MD5 hex of the password).
# The plaintext passwords are sample values for the lab only; they are hashed
# here so the table never stores them in the clear.
FAKE_USERS = [
    (name, email, mobile, hash_md5(plaintext))
    for name, email, mobile, plaintext in (
        ("admin", "admin@example.com", "1234567890", "admin123"),
        ("john_doe", "john@example.com", "9876543210", "password123"),
        ("alice", "alice@demo.com", "8887776666", "qwerty"),
        ("bob_smith", "bob@gmail.com", "7778889999", "letmein"),
        ("charlie", "charlie@somewhere.com", "9990001111", "123456"),
    )
]
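def init_db():
    """Create and seed the demo database the first time the app starts.

    Does nothing when the file named by DB already exists. Otherwise it
    creates the `users` table and inserts the rows from FAKE_USERS.

    The INSERT uses `?` placeholders, so the seed values are bound as data
    rather than spliced into the SQL text.
    """
    if os.path.exists(DB):
        return
    conn = sqlite3.connect(DB)
    try:
        conn.execute('''
CREATE TABLE users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username TEXT NOT NULL,
email TEXT NOT NULL,
mobile TEXT NOT NULL,
password TEXT NOT NULL
)
''')
        conn.executemany("INSERT INTO users (username, email, mobile, password) VALUES (?, ?, ?, ?)", FAKE_USERS)
        conn.commit()
    finally:
        # Close the handle even if table creation or seeding raises.
        conn.close()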
# Runs at import time, so merely importing this module creates and seeds the
# database file if it is missing (DB is a relative path, resolved against the
# current working directory).
init_db()
@app.route('/', methods=['GET', 'POST'])
def login():
    """Render the login form and, on POST, check the submitted credentials.

    DELIBERATELY VULNERABLE (this is the lesson of the demo): the SELECT is
    assembled with an f-string, so the raw `username` form value becomes part
    of the SQL text instead of being passed as data. The password is replaced
    by its MD5 hex digest before interpolation, which leaves `username` as the
    field that reaches the query unmodified.

    Mitigation: keep the SQL constant and bind both values with `?`
    placeholders, e.g.
        cursor.execute(
            "SELECT * FROM users WHERE username = ? AND password = ?",
            (username, hashed),
        )

    On a matching row the submitted username is stored in the session and the
    client is redirected to the dashboard; otherwise the form is re-rendered
    with a failure banner.
    """
    banner = ''
    if request.method == 'POST':
        username = request.form['username']
        hashed = hash_md5(request.form['password'])
        # ❌ Still vulnerable to SQLi: request data is formatted straight into the statement.
        query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{hashed}'"
        conn = sqlite3.connect(DB)
        cursor = conn.cursor()
        try:
            # Writes the full statement (submitted username and password digest) to stdout.
            print(f"[DEBUG] SQL: {query}")
            row = cursor.execute(query).fetchone()
        except Exception as e:
            # Any database error, including malformed SQL, is printed and treated as a failed login.
            print(f"[ERROR] {e}")
            row = None
        conn.close()
        if row:
            # NOTE(review): the session keeps the submitted string, not the
            # username column of the row that matched.
            session['user'] = username
            return redirect(url_for('dashboard'))
        banner = "<div class='alert alert-danger'>❌ Login failed</div>"
    # The template renders `msg` with |safe, which turns Jinja autoescaping off
    # for it. That is harmless only while `msg` is one of the constants set
    # above; never put request data into it.
    return render_template_string('''
<!doctype html>
<html lang="en">
<head>
<title>SQLi Demo Login</title>
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/css/bootstrap.min.css" rel="stylesheet">
<style>
body {
background-color: #f0f2f5;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
}
.login-box {
background-color: white;
padding: 2rem;
border-radius: 1rem;
box-shadow: 0 0 20px rgba(0,0,0,0.1);
width: 100%;
max-width: 400px;
}
</style>
</head>
<body>
<div class="login-box">
<h2 class="mb-4 text-center">🔐 SQL Injection Demo</h2>
<form method="POST">
<div class="mb-3">
<label class="form-label">Username</label>
<input name="username" class="form-control" placeholder="Enter username" required>
</div>
<div class="mb-3">
<label class="form-label">Password</label>
<input name="password" type="password" class="form-control" placeholder="Enter password" required>
</div>
<button type="submit" class="btn btn-primary w-100">Login</button>
</form>
<div class="mt-3">
{{ msg|safe }}
</div>
</div>
</body>
</html>
''', msg=banner)
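@app.route('/dashboard')
def dashboard():
    """Show the post-login page, or redirect to the login form when no user is in the session.

    The session's `user` value is the string typed into the login form, and
    this page is built with an f-string rather than a Jinja template, so no
    autoescaping applies. The value is therefore HTML-escaped before it is
    placed in the markup; without that, markup in the username would be
    rendered by the browser.

    NOTE(review): the Logout link only navigates to '/'; nothing in this file
    removes `user` from the session, so the dashboard stays reachable afterwards.
    """
    from html import escape  # stdlib; imported locally so the file's import block is unchanged

    user = session.get('user')
    if not user:
        return redirect('/')
    safe_user = escape(str(user))
    return f'''
<!doctype html>
<html lang="en">
<head>
<title>Dashboard</title>
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/css/bootstrap.min.css" rel="stylesheet">
</head>
<body class="p-5">
<h1>✅ Welcome, {safe_user}!</h1>
<p>This is a fake dashboard. Feel free to simulate an attack here 😈</p>
<a class="btn btn-secondary" href="/">Logout</a>
</body>
</html>
'''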
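if __name__ == '__main__':
    # The app is injectable on purpose, so it listens on loopback by default.
    # Set SQLI_DEMO_HOST to expose it, and only inside an isolated lab network.
    bind_host = os.environ.get("SQLI_DEMO_HOST", "127.0.0.1")
    # debug=True enables the Werkzeug interactive debugger, which can run Python
    # on this machine from the browser; it stays on only for loopback binds.
    loopback_only = bind_host in ("127.0.0.1", "localhost", "::1")
    app.run(host=bind_host, port=5000, debug=loopback_only)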