This is a bare bones document viewer used to practice SQL injections.
This application features a simple document viewer, that takes a user's 'security code' and returns all documents tagged with that code.
Warning
This application contains intentional SQL injection vulnerabilities.
Note
This will be reused across CTFs on February 18th, 2024 and March 23rd, 2024 (and maybe more).
This website contains a single webpage that takes a secret "security code", and returns all documents with that security code.
It is intended to illustrate a simplistic example of how SQL injections can be used to extract more information from databases. Pedagogically, the "security code" is an example of passwords, usernames, or any other text input that may be intended to constrain a query.
Note
Usage of ./sql-injection-lab:
-ip string
The ip address to listen and serve HTTP on (default "localhost")
-port int
The port to listen and serve HTTP on (default 8080)
-seedPath string
The path to the SQL script with seed data;
The script will be executed on server initalization (default "./example_seed.sql")
For example,
go run main.go -seedPath='/your/path/here'
| Technology | Used for |
|---|---|
| Go | Programming language |
| templ | HTML Templating |
| Chroma | SQL syntax highlighting |
| slog | Structured Logging |
| go-sqlite3 | Database Driver |
| SQLite3 | Minimal Database |
| Tailwind CSS | CSS Framework |
This project intentionally does not include user sessions or account management to limit scope. All URL paths are treated equally. The page is intended to interact well with Burp Suite.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent