Spaces:

lifedebugger
/

sql-injection-1

Sleeping

App Files Files Community

lifedebugger commited on Jan 23

Commit

7dccad9

verified ·

1 Parent(s): d7d2003

Create main.go

Browse files

Files changed (1) hide show

main.go +128 -0

main.go ADDED Viewed

	@@ -0,0 +1,128 @@

+package main
+import (
+	"database/sql"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	_ "github.com/lib/pq"
+)
+// User represents the database structure we are querying
+type User struct {
+	ID       int
+	Username string
+	Flag     string
+}
+// connectDB handles the connection to Supabase/Postgres
+func connectDB() (*sql.DB, error) {
+	connStr := os.Getenv("DATABASE_URL")
+	if connStr == "" {
+		return nil, fmt.Errorf("DATABASE_URL environment variable is not set")
+	}
+	return sql.Open("postgres", connStr)
+}
+func main() {
+	// 1. Serve static HTML for the login page
+	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		html := `
+		<!DOCTYPE html>
+		<html>
+		<head>
+			<title>CTF Login Challenge</title>
+			<link href="https://cdn.jsdelivr.net/npm/tailwindcss@2.2.19/dist/tailwind.min.css" rel="stylesheet">
+		</head>
+		<body class="bg-gray-900 text-white flex items-center justify-center h-screen">
+			<div class="bg-gray-800 p-8 rounded shadow-lg w-96">
+				<h1 class="text-2xl mb-4 text-center font-bold text-red-500">RESTRICTED AREA</h1>
+				<p class="text-gray-400 mb-6 text-center text-sm">Enter admin credentials to retrieve the flag.</p>
+				<form action="/login" method="POST" class="space-y-4">
+					<div>
+						<label class="block text-sm font-medium">Username</label>
+						<input type="text" name="username" class="w-full p-2 bg-gray-700 rounded border border-gray-600 focus:border-red-500 outline-none" placeholder="admin">
+					</div>
+					<div>
+						<label class="block text-sm font-medium">Password</label>
+						<input type="password" name="password" class="w-full p-2 bg-gray-700 rounded border border-gray-600 focus:border-red-500 outline-none" placeholder="••••••">
+					</div>
+					<button type="submit" class="w-full bg-red-600 hover:bg-red-700 text-white font-bold py-2 px-4 rounded transition">ACCESS SYSTEM</button>
+				</form>
+				<div class="mt-4 text-xs text-gray-600 text-center">System Version: 1.0.0-VULN</div>
+			</div>
+		</body>
+		</html>
+		`
+		w.Header().Set("Content-Type", "text/html")
+		w.Write([]byte(html))
+	})
+	// 2. The Vulnerable Login Endpoint
+	http.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+			return
+		}
+		username := r.FormValue("username")
+		password := r.FormValue("password")
+		db, err := connectDB()
+		if err != nil {
+			http.Error(w, "Database connection failed", http.StatusInternalServerError)
+			log.Println("DB Error:", err)
+			return
+		}
+		defer db.Close()
+		// --- THE VULNERABILITY IS HERE ---
+		// We are directly formatting the string with user input.
+		// A user can input "' OR '1'='1" to bypass the check.
+		query := fmt.Sprintf("SELECT id, username, flag FROM users WHERE username = '%s' AND password = '%s'", username, password)
+		// Log the query to the console (useful for debugging the CTF/seeing the injection)
+		log.Printf("Executing Query: %s\n", query)
+		var user User
+		// We use QueryRow because we expect one result for a login, but the injection might return the first row (admin)
+		err = db.QueryRow(query).Scan(&user.ID, &user.Username, &user.Flag)
+		if err != nil {
+			if err == sql.ErrNoRows {
+				w.WriteHeader(http.StatusUnauthorized)
+				w.Write([]byte(`
+					<div style="color: red; text-align: center; margin-top: 50px; font-family: monospace;">
+						<h1>ACCESS DENIED</h1>
+						<p>Invalid credentials.</p>
+						<a href="/" style="color: white;">Try Again</a>
+					</div>
+				`))
+			} else {
+				http.Error(w, "Query error: "+err.Error(), http.StatusInternalServerError)
+			}
+			return
+		}
+		// If successful (or injected successfully)
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, `
+			<div style="color: #4ade80; text-align: center; margin-top: 50px; font-family: monospace; background: #111; padding: 20px;">
+				<h1>ACCESS GRANTED</h1>
+				<p>Welcome, %s</p>
+				<p style="font-size: 24px; border: 1px dashed #4ade80; display: inline-block; padding: 10px;">FLAG: %s</p>
+			</div>
+		`, user.Username, user.Flag)
+	})
+	// Hugging Face Spaces usually serves on port 7860
+	port := os.Getenv("PORT")
+	if port == "" {
+		port = "7860"
+	}
+	log.Printf("CTF Challenge listening on port %s", port)
+	log.Fatal(http.ListenAndServe(":"+port, nil))
+}