Skip to content

This application is a demonstration prototype just to show how to perform SQLi attack.

License

Notifications You must be signed in to change notification settings

octo-technology/sqli-express-sqlite

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SQL injection with Express and sqlite

This application is a demonstration prototype just to show how to perform SQLi attack.

Install

  • Install nodejs

  • Install dependencies

$ npm install
  • Start application
$ npm start

Tutorial

Always True SQLi

Open http://localhost:3000/ and log in with:

  • username: ' or '1'='1
  • password: ' or '1'='1
SELECT name FROM user where username = '' or '1'='1' and password = '' or '1'='1'

You are now log in as "User", but you can do better!

SQLi with comment

Open http://localhost:3000/ and log in with:

  • username: admin'--
  • password: a
SELECT name FROM user where username = 'admin' --' and password = 'a'

You are now log in as "Admin"

Fix it

use prepared statement

About

This application is a demonstration prototype just to show how to perform SQLi attack.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • JavaScript 64.3%
  • CSS 21.4%
  • Pug 10.8%
  • Dockerfile 3.5%