README
¶
sql-injection-lab
This is a bare bones document viewer used to practice SQL injections.
This application features a simple document viewer, that takes a user's 'security code' and returns all documents tagged with that code.
[!WARNING]
This application contains intentional SQL injection vulnerabilities.
[!NOTE]
This will be reused across CTFs on February 18th, 2024 and March 23rd, 2024 (and maybe more).
Screenshot
Run locally
Project Overview
This website contains a single webpage that takes a secret "security code", and returns all documents with that security code.
It is intended to illustrate a simplistic example of how SQL injections can be used to extract more information from databases. Pedagogically, the "security code" is an example of passwords, usernames, or any other text input that may be intended to constrain a query.
[!NOTE]
Usage of ./sql-injection-lab: -ip string The ip address to listen and serve HTTP on (default "localhost") -port int The port to listen and serve HTTP on (default 8080) -seedPath string The path to the SQL script with seed data; The script will be executed on server initalization (default "./example_seed.sql")For example,
go run main.go -seedPath='/your/path/here'
Tech Stack
| Technology | Used for |
|---|---|
| Go | Programming language |
| templ | HTML Templating |
| Chroma | SQL syntax highlighting |
| slog | Structured Logging |
| go-sqlite3 | Database Driver |
| SQLite3 | Minimal Database |
| Tailwind CSS | CSS Framework |
This project intentionally does not include user sessions or account management to limit scope. All URL paths are treated equally. The page is intended to interact well with Burp Suite.
Documentation
¶
There is no documentation for this package.
Source Files
Directories