Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/presidentbeef/inject-some-sql

Have fun injecting SQL into a Ruby on Rails application!

rails ruby ruby-on-rails security sql-injection sqli

## Inject Some SQL

These are sample Rails applications for demonstrating many ways SQL can be injected in Rails.

### Setup

Clone the repo:

```
git clone https://github.com/presidentbeef/inject-some-sql.git
```

Pick Rails 5, Rails 4 or Rails 3. Each has its own subdirectory.

```
cd inject-some-sql/rails5
```

In the subdirectory, install dependencies and set up the database:

```
bundle install
rake db:setup db:seed
```

### Run

Typical Rails start:

```
rails s
```

Open up [localhost:3000](http://localhost:3000) in a browser.

### Reset Database

It's easy to mess up a database with SQL injection. The server does attempt to
reset the database after each query, but that isn't foolproof.

To completely reset:

```
rake db:drop db:migrate db:seed
```

### Inject SQL!

The site lists a whole bunch of ActiveRecord queries.

Each query has an input for a single parameter (although some queries actually
use more than one). A sample injection is provided for each one. Clicking "Run!"
runs the query shown.
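The queries on the site differ mainly in whether user input ends up as part of the SQL text or as a quoted literal. The following is an added example, not code from inject-some-sql, that shows this difference in plain Ruby with no database: `interpolated_query` mirrors the shape of `User.where("name = '#{params[:name]}'")`, `quoted_query` mirrors what a `?` placeholder achieves, and `sql_outside_literals` is a small quote-aware scanner that reveals which part of a statement an attacker controls. The quoting rule (double every single quote) and the payload are assumptions for the demonstration; they are not ActiveRecord's adapter code or a query from the project.

```ruby
# Added example (not part of inject-some-sql): contrast a WHERE clause built
# by string interpolation with one whose value is quoted as a literal.
# No database is used. Doubling embedded single quotes is the ANSI SQL
# escape and is used here only for illustration; it is an assumption,
# not ActiveRecord's real connection-adapter quoting.

# Vulnerable: the attacker-controlled value becomes part of the SQL text,
# mirroring `User.where("name = '#{params[:name]}'")`.
def interpolated_query(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Quote a string as a single SQL literal by doubling embedded single quotes.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Safer: the value is quoted, so it can only ever be a literal, which is
# the effect of `User.where("name = ?", params[:name])`.
def quoted_query(name)
  "SELECT * FROM users WHERE name = #{quote_literal(name)}"
end

# Quote-aware scan that returns only the text outside string literals.
# If a payload closes the literal early, whatever it appended (for example
# `OR 1=1 --`) shows up here as SQL the attacker now controls.
def sql_outside_literals(sql)
  outside = +""
  in_literal = false
  i = 0
  while i < sql.length
    ch = sql[i]
    if in_literal
      if ch == "'"
        if sql[i + 1] == "'"
          i += 1            # doubled quote: stay inside the literal
        else
          in_literal = false
        end
      end
    elsif ch == "'"
      in_literal = true
    else
      outside << ch
    end
    i += 1
  end
  outside
end

PAYLOAD = "bob' OR 1=1 --"   # constructed sample injection

if __FILE__ == $0
  puts interpolated_query(PAYLOAD)
  puts quoted_query(PAYLOAD)
  puts "attacker-reachable SQL (interpolated): #{sql_outside_literals(interpolated_query(PAYLOAD)).inspect}"
  puts "attacker-reachable SQL (quoted):       #{sql_outside_literals(quoted_query(PAYLOAD)).inspect}"
end
```

Run it with `ruby` to see the interpolated statement turn into `... WHERE name = 'bob' OR 1=1 --'`, where the scanner reports `OR 1=1 --` sitting outside any literal, while the quoted statement keeps the whole payload inside one literal. Hand-rolled quoting like `quote_literal` is only a teaching device: real adapters have database-specific rules (MySQL, for instance, also treats backslash as an escape), which is why placeholders or bound parameters that let the adapter do the quoting are the fix, and why the site also demonstrates ActiveRecord methods that accept raw SQL fragments where no quoting happens at all.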

## Adding/Modifying Queries

All queries are generated from `app/models/queries.rb`.

## Limitations

* This is a single player game because the SQL query is stored in a global variable.

## License

This code is made available under the MIT license.