SQL injection is a type of cybersecurity attack that targets data-driven applications by inserting or "injecting" malicious SQL statements into the input field of a web page. Run this script and try to execute a SQL injection attack on a mock database that was designed for this challenge. If successful, you'll have an opportunity to answer some fun Bonus Challenge Questions.
After successfully dumping the database, try solving the following Bonus Questions:
- Decrypt the administrator's password. Hint: MD(101)
- What 1995 "crime/action/romance" movie did these users play in? Hint: Solve the first bonus question.
| Required | Version |
|---|---|
| Python | 3.0 + |
| sqlite3 | 3.39.2 |
| requests | 2.28.1 |
```python
import sqlite3
import requests

# SQL statements:
CREATE_USERS_TABLE = "CREATE TABLE IF NOT EXISTS usernames (id INTEGER PRIMARY KEY, username TEXT, password TEXT);"
INSERT_USER_DATA = "INSERT INTO usernames (username, password) VALUES (?, ?)"


def get_userdata() -> list:
    """Returns (username, password) tuples parsed from the online username.dat file."""
    # url to username and password file; each line is expected as "username,password"
    URL = "https://pastebin.com/raw/ih7szSSv"
    raw = [i.strip() for i in requests.get(URL).text.split('\n')]
    output = []
    for i in raw:
        if not i:
            continue  # skip blank lines (e.g. a trailing newline)
        users = i.split(', ')[0].split(',')[0]
        passwords = i.split(', ')[0].split(',')[1]
        output.append((users, passwords))
    return output


# Create database in memory
conn = sqlite3.connect(":memory:")
# Get usernames and passwords
user_data = get_userdata()
# Create table
conn.execute(CREATE_USERS_TABLE)
# Insert usernames and passwords into the database
conn.executemany(INSERT_USER_DATA, user_data)

while True:
    INJECTION = input("Enter your SQL Injection:\n> ")
    # Deliberately vulnerable: the input is spliced straight into the statement,
    # so SQLite parses whatever the user typed as SQL
    sql = f"SELECT * FROM usernames WHERE id = 776 {INJECTION}"
    try:
        results = conn.execute(sql).fetchall()
        if results:
            print("\n\033[92m" + "Good job, you did it!" + "\033[0m")
            for row in results:
                print(row)
            conn.close()
            break
    except sqlite3.OperationalError:
        # Malformed SQL means the injection did not parse; let the player retry
        print("\n\033[91m" + "Nope, try again!" + "\033[0m")
```
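As an added example (not code from the challenge repository), the script's vulnerable lookup is shown beside a parameterized version, using the same table schema. The vulnerable function generalizes the script's pattern by taking the whole `id` from user input, and constructed sample rows stand in for the online username.dat file.

```python
import sqlite3

# Constructed sample rows; they stand in for the challenge's online username.dat file.
SAMPLE_USERS = [("alice", "hunter2"), ("bob", "letmein"), ("admin", "s3cr3t")]


def make_db() -> sqlite3.Connection:
    """Build the same in-memory usernames table that the challenge script creates."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS usernames "
                 "(id INTEGER PRIMARY KEY, username TEXT, password TEXT);")
    conn.executemany("INSERT INTO usernames (username, password) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """The challenge's pattern: user text is spliced into the statement, so SQLite parses it as SQL."""
    sql = f"SELECT * FROM usernames WHERE id = {user_input}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, user_input: str) -> list:
    """Fixed form: validate the id as an integer and bind it with '?', so it is only ever data."""
    try:
        user_id = int(user_input)
    except ValueError:
        return []  # anything that is not an integer id is rejected before any SQL runs
    return conn.execute("SELECT * FROM usernames WHERE id = ?", (user_id,)).fetchall()


def vulnerable_query_errors(conn: sqlite3.Connection, user_input: str) -> bool:
    """True when the vulnerable query fails to parse: the input reached the SQL parser as syntax."""
    try:
        lookup_vulnerable(conn, user_input)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for text in ("1", "1 extra"):
        print(f"{text!r}: vulnerable parse error={vulnerable_query_errors(db, text)}, "
              f"hardened result={lookup_hardened(db, text)}")
```

The non-numeric input trips a parse error in the vulnerable form (the script's "Nope, try again!" branch), while the hardened form never lets it reach the SQL parser at all.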
Create a Virtual Environment using Pipenv
- Download the zip file
- Extract the zip file
- Change directory into the `sql-injection-attack-challenge` directory (the script lives in its `app` subdirectory):
```shell
$ cd sql-injection-attack-challenge
```
- Install from the Pipfile:
```shell
$ pipenv install
```
- Run the application from within the virtual environment:
```shell
$ pipenv run python app/script.py
```
Once you run the script, you will be prompted with "Enter your SQL Injection:". Keep trying until you successfully achieve a SQL injection attack!
For more information read documentation.
For instructions on reporting issues please read our Contributing Guidelines.
Have any Questions or suggestions? Visit Discussions which is a space for our community to have conversations, ask questions and post answers without opening issues. Please read our Code of Conduct which defines the standards for engaging with the community!
If you have any questions or wish to collaborate, please feel free to contact me:
- Seraph : seraph776@gmail.com