Initial sql injection sample in C using sqlite

2025-12-15 17:53:04 +01:00 · 2020-06-29 15:29:45 -07:00
commit 5210f57197
5 changed files with 148 additions and 0 deletions
--- a/README.org
+++ b/README.org
@@ -0,0 +1,21 @@
+* SQL injection example
+** Setup and sample run
+  #+BEGIN_SRC sh
+    ./build.sh
+
+    ./admin create-db
+    ./admin show-db
+
+    # Regular user
+    echo "sample user" | ./add-user
+    ./admin show-db
+
+    # Johnny Droptable
+    echo "Johnny'); DROP TABLE users; -- " | ./add-user
+
+    ./admin show-db
+
+  #+END_SRC
+
+
+
--- a/add-user.c
+++ b/add-user.c
@@ -0,0 +1,81 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <sqlite3.h>
+
+void abort_on_error(int rc, sqlite3 *db) {
+    if( rc ) {
+        fprintf(stderr, "Can't open database: %s\n", sqlite3_errmsg(db));
+        sqlite3_close(db);
+        fflush(stderr);
+        abort();
+    }
+}
+
+void abort_on_exec_error(int rc, sqlite3 *db, char* zErrMsg) {
+    if( rc!=SQLITE_OK ){
+        fprintf(stderr, "SQL error: %s\n", zErrMsg);
+        sqlite3_free(zErrMsg);
+        sqlite3_close(db);
+        fflush(stderr);
+        abort();
+    }
+}
+    
+char* get_user_info() {
+#define BUFSIZE 1024
+    char* buf = (char*) malloc(BUFSIZE * sizeof(char));
+    int count;
+    // Disable buffering to avoid need for fflush
+    // after printf().
+    setbuf( stdout, NULL );
+    printf("*** Welcome to sql injection ***\n");
+    printf("Please enter name: ");
+    count = read(STDIN_FILENO, buf, BUFSIZE);
+    if (count <= 0) abort();
+    /* strip trailing whitespace */
+    while (count && isspace(buf[count-1])) {
+        buf[count-1] = 0; --count;
+    }
+    return buf;
+}
+
+int get_new_id() {
+    int id = getpid();
+    return id;
+}
+
+void write_info(int id, char* info) {
+    sqlite3 *db;
+    int rc;
+    int bufsize = 1024;
+    char *zErrMsg = 0;
+    char query[bufsize];
+    
+    /* open db */
+    rc = sqlite3_open("users.sqlite", &db);
+    abort_on_error(rc, db);
+
+    /* Format query */
+    snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
+    printf("%s\n", query);
+    fflush(stdout);
+
+    /* Write info */
+    rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
+    abort_on_exec_error(rc, db, zErrMsg);
+
+    sqlite3_close(db);
+}
+
+int main(int argc, char* argv[]) {
+    char* info;
+    int id;
+    info = get_user_info();
+    id = get_new_id();
+    write_info(id, info);
+    /*
+     * show_info(id);
+     */
+}
--- a/add-user.sh
+++ b/add-user.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+get-user-info () {
+    echo "*** Welcome to sql injection ***"
+    read -r -p "Please enter name: " NAME
+}
+
+get-new-id () {
+    ID=$(/bin/bash -c 'echo $$')
+}
+
+add-user-info () {
+    echo "
+    INSERT INTO users VALUES ($ID, '$NAME')
+    " | sqlite3 users.sqlite 
+}
+
+show-user-info () {
+    echo "We have the following information for you:"
+    echo "
+    select * FROM users where user_id=$ID
+    " | sqlite3 users.sqlite 
+}
+
+get-user-info
+get-new-id
+add-user-info
+show-user-info
--- a/17
+++ b/17
@@ -0,0 +1,17 @@
+#!/bin/bash
+create-db () {
+    echo '
+    CREATE TABLE users (
+        user_id INTEGER not null,
+        name TEXT NOT NULL
+    );
+    '  | sqlite3 users.sqlite 
+}        
+
+show-db () {
+    echo '
+    SELECT * FROM users;
+    ' | sqlite3 users.sqlite 
+}
+
+eval $@
--- a/build.sh
+++ b/build.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+clang add-user.c -lsqlite3 -o add-user