-rw-r--r--sql-injection/index.html25
-rw-r--r--sql-injection/login.php23
-rw-r--r--sql-injection/users.dbbin0 -> 8192 bytes
-rw-r--r--synopsis.tex76
4 files changed, 124 insertions, 0 deletions
diff --git a/sql-injection/index.html b/sql-injection/index.html
new file mode 100644
index 0000000..d3e760b
--- /dev/null
+++ b/sql-injection/index.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+ <head>
+ <title>Login page</title>
+ <meta charset="utf-8" />
+<style>
+body {
+ text-align: center;
+}
+
+input {
+ margin-bottom: 5px;
+}
+
+</style>
+ </head>
+ <body>
+ <h1>Login</h1>
+ <form action="login.php" method="post">
+ <input type="text" name="email" placeholder="E-mail"><br>
+ <input type="password" name="pass" placeholder="Password"><br>
+ <input type="submit" value="Log in">
+ </form>
+ </body>
+</html>
diff --git a/sql-injection/login.php b/sql-injection/login.php
new file mode 100644
index 0000000..826c38c
--- /dev/null
+++ b/sql-injection/login.php
@@ -0,0 +1,23 @@
+<?php
+ class MyDB extends SQLite3 {
+ function __construct() {
+ $this->open('users.db');
+ }
+ }
+
+ if(isset($_POST['email'], $_POST['pass']))
+ {
+ $email = $_POST['email'];
+ $pass = $_POST['pass'];
+
+ $db = new MyDB();
+
+ $sql = 'SELECT * FROM Users WHERE email=\''.$email.'\' AND password=\''.$pass.'\'';
+
+ $ret = $db->query($sql);
+ while($row = $ret->fetchArray(SQLITE3_ASSOC)) {
+ echo 'Logged in as '.$row['email'].'<br>';
+ }
+ $db->close();
+ }
+?>
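Review bot: `$ret = $db->query($sql);` returns `false` when SQLite cannot compile the statement, which the concatenated query does for any input containing a single quote, and the `while` loop on the next line then calls `fetchArray()` on a boolean and aborts with a fatal error instead of a controlled response; add `if ($ret === false) { exit('Query failed'); }` before the loop. Because the file builds the query by string concatenation on purpose, it should say so at the top, e.g. `// Deliberately vulnerable example for the thesis appendix: do not deploy; the remediation is a prepared statement with bound parameters.`, so the intent is not mistaken for production code. The `echo` inside the loop writes `$row['email']` into the page unescaped; use `htmlspecialchars($row['email'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` so a stored value cannot inject markup into the response. The same code is duplicated verbatim in the synopsis.tex appendix hunk, so any of these edits should be mirrored there.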
diff --git a/sql-injection/users.db b/sql-injection/users.db
new file mode 100644
index 0000000..9ddf64e
--- /dev/null
+++ b/sql-injection/users.db
Binary files differ
diff --git a/synopsis.tex b/synopsis.tex
index 0f86212..0c8a520 100644
--- a/synopsis.tex
+++ b/synopsis.tex
@@ -607,4 +607,80 @@ continue studying it in the future.
\printbibliography
\addcontentsline{toc}{section}{References}
+\newpage
+
+\appendix
+\section{SQL injection example}
+
+\subsection{HTML code}
+\begin{minted}{html}
+<!DOCTYPE HTML>
+<html>
+ <head>
+ <title>Login page</title>
+ <meta charset="utf-8" />
+<style>
+body {
+ text-align: center;
+}
+
+input {
+ margin-bottom: 5px;
+}
+
+</style>
+ </head>
+ <body>
+ <h1>Login</h1>
+ <form action="login.php" method="post">
+ <input type="text" name="email" placeholder="E-mail"><br>
+ <input type="password" name="pass" placeholder="Password"><br>
+ <input type="submit" value="Log in">
+ </form>
+ </body>
+</html>
+\end{minted}
+\newpage
+
+\subsection{PHP code}
+\begin{minted}{php}
+<?php
+ class MyDB extends SQLite3 {
+ function __construct() {
+ $this->open('users.db');
+ }
+ }
+
+ if(isset($_POST['email'], $_POST['pass']))
+ {
+ $email = $_POST['email'];
+ $pass = $_POST['pass'];
+
+ $db = new MyDB();
+
+ $sql = 'SELECT * FROM Users WHERE email=\''.$email.
+ '\' AND password=\''.$pass.'\'';
+
+ $ret = $db->query($sql);
+ while($row = $ret->fetchArray(SQLITE3_ASSOC)) {
+ echo 'Logged in as '.$row['email'].'<br>';
+ }
+ $db->close();
+ }
+?>
+\end{minted}
+\newpage
+
+\subsection{SQL code}
+\begin{minted}{sql}
+CREATE TABLE Users (
+ email varchar(32),
+ password varchar(32)
+);
+
+INSERT INTO Users VALUES('test@mail.com','password');
+INSERT INTO Users VALUES('marcin@mail.com','pass');
+\end{minted}
+\newpage
+
\end{document}