Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/va1da5/sqli-sandbox

SQL injection sandbox
https://github.com/va1da5/sqli-sandbox

flask mariadb postgres sqli sqlinjection

Last synced: 6 days ago
JSON representation

SQL injection sandbox

Host: GitHub
URL: https://github.com/va1da5/sqli-sandbox
Owner: va1da5
Created: 2021-01-22T20:51:46.000Z (almost 4 years ago)
Default Branch: master
Last Pushed: 2021-02-16T13:27:42.000Z (almost 4 years ago)
Last Synced: 2024-11-07T12:28:50.959Z (about 2 months ago)
Topics: flask, mariadb, postgres, sqli, sqlinjection
Language: Python
Homepage:
Size: 20.5 KB
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# SQL Injection Sandbox

The project contains a minimal [FastAPI](https://fastapi.tiangolo.com/) based web server with database backend. The server **intentionally** include SQL injection vulnerabilities. _docker-compose.yml_ includes _MariaDB_ and _Postgres_ databases that can be used with the web server.

The idea behind the server is to have a quick sandbox for testing manual SQLi payloads when usage of _sqlmap_ is not an option (_like during OSWE/OSCP exams_).

## Getting Started

- Download missing container images.

```bash
docker-compose pull
```

- Set database to be used in [docker-compose.yml](docker-compose.yml) container orchestration file. Comment/uncomment database URL variable in web server environment variables section.

- Build web server container image.

```bash
docker-compose build
```

- Launch containers. The server will start with inbuilt _Debug_ functionality turned on. Local source code is going to be mapped to the running container. This means that any changes made locally will get included into the running server.

```bash
docker-compose up -d
```

- Review [app/api/endpoints/user.py](app/api/endpoints/user.py) for available routes and functionality. The API comes with [OpenAPI (Swagger)](https://swagger.io/specification/) definition available under [http://127.0.0.1:8000/docs](http://127.0.0.1:8000/docs).

## References

- [From SQL Injection to Shell: PostgreSQL edition](https://pentesterlab.com/exercises/from_sqli_to_shell_pg_edition/course)
- [PayloadsAllTheThings/SQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)