Skip to content

This is a basic document viewer used to practice SQL injections

License

Notifications You must be signed in to change notification settings

nkcyber/sql-injection-lab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

31 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

sql-injection-lab

This is a bare bones document viewer used to practice SQL injections.

This application features a simple document viewer, that takes a user's 'security code' and returns all documents tagged with that code.

Warning

This application contains intentional SQL injection vulnerabilities.

Note

This will be reused across CTFs on February 18th, 2024 and March 23rd, 2024 (and maybe more).

Screenshot

image

Run locally

  1. Install templ and Go.
  2. templ generate 
    go run main.go 

Project Overview

This website contains a single webpage that takes a secret "security code", and returns all documents with that security code.

It is intended to illustrate a simplistic example of how SQL injections can be used to extract more information from databases. Pedagogically, the "security code" is an example of passwords, usernames, or any other text input that may be intended to constrain a query.

Note

Usage of ./sql-injection-lab:
 -ip string
   	The ip address to listen and serve HTTP on (default "localhost")
 -port int
   	The port to listen and serve HTTP on (default 8080)
 -seedPath string
   	The path to the SQL script with seed data;
   	The script will be executed on server initalization (default "./example_seed.sql")

For example,

go run main.go -seedPath='/your/path/here'

Tech Stack

Technology Used for
Go Programming language
templ HTML Templating
Chroma SQL syntax highlighting
slog Structured Logging
go-sqlite3 Database Driver
SQLite3 Minimal Database
Tailwind CSS CSS Framework

This project intentionally does not include user sessions or account management to limit scope. All URL paths are treated equally. The page is intended to interact well with Burp Suite.