commit 5210f57197224176701a53740f97f639ef6768c2
Author: Michael Hohn
Date: Mon Jun 29 15:29:45 2020 -0700
Initial sql injection sample in C using sqlite
diff --git a/README.org b/README.org
new file mode 100644
index 0000000..13b531d
--- /dev/null
+++ b/README.org
@@ -0,0 +1,21 @@
+* SQL injection example
+** Setup and sample run
+ #+BEGIN_SRC sh
+ ./build.sh
+
+ ./admin create-db
+ ./admin show-db
+
+ # Regular user
+ echo "sample user" | ./add-user
+ ./admin show-db
+
+ # Johnny Droptable
+ echo "Johnny'); DROP TABLE users; -- " | ./add-user
+
+ ./admin show-db
+
+ #+END_SRC
+
+
+
diff --git a/add-user.c b/add-user.c
new file mode 100644
index 0000000..019d745
--- /dev/null
+++ b/add-user.c
@@ -0,0 +1,81 @@
+#include
+#include
+#include
+#include
+#include
+
+void abort_on_error(int rc, sqlite3 *db) {
+ if( rc ) {
+ fprintf(stderr, "Can't open database: %s\n", sqlite3_errmsg(db));
+ sqlite3_close(db);
+ fflush(stderr);
+ abort();
+ }
+}
+
+void abort_on_exec_error(int rc, sqlite3 *db, char* zErrMsg) {
+ if( rc!=SQLITE_OK ){
+ fprintf(stderr, "SQL error: %s\n", zErrMsg);
+ sqlite3_free(zErrMsg);
+ sqlite3_close(db);
+ fflush(stderr);
+ abort();
+ }
+}
+
+char* get_user_info() {
+#define BUFSIZE 1024
+ char* buf = (char*) malloc(BUFSIZE * sizeof(char));
+ int count;
+ // Disable buffering to avoid need for fflush
+ // after printf().
+ setbuf( stdout, NULL );
+ printf("*** Welcome to sql injection ***\n");
+ printf("Please enter name: ");
+ count = read(STDIN_FILENO, buf, BUFSIZE);
+ if (count <= 0) abort();
+ /* strip trailing whitespace */
+ while (count && isspace(buf[count-1])) {
+ buf[count-1] = 0; --count;
+ }
+ return buf;
+}
+
+int get_new_id() {
+ int id = getpid();
+ return id;
+}
+
+void write_info(int id, char* info) {
+ sqlite3 *db;
+ int rc;
+ int bufsize = 1024;
+ char *zErrMsg = 0;
+ char query[bufsize];
+
+ /* open db */
+ rc = sqlite3_open("users.sqlite", &db);
+ abort_on_error(rc, db);
+
+ /* Format query */
+ snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
+ printf("%s\n", query);
+ fflush(stdout);
+
+ /* Write info */
+ rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
+ abort_on_exec_error(rc, db, zErrMsg);
+
+ sqlite3_close(db);
+}
+
+int main(int argc, char* argv[]) {
+ char* info;
+ int id;
+ info = get_user_info();
+ id = get_new_id();
+ write_info(id, info);
+ /*
+ * show_info(id);
+ */
+}
diff --git a/add-user.sh b/add-user.sh
new file mode 100755
index 0000000..f87fbf8
--- /dev/null
+++ b/add-user.sh
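Review bot: `get_user_info` can hand back a buffer with no NUL terminator: `read` may return any count up to `BUFSIZE` (filling the whole allocation), and the strip loop only writes a 0 when the last byte is whitespace, so `printf 'x' | ./add-user` (no trailing newline) already makes the `%s` in `write_info`'s `snprintf` read uninitialized heap past the name — a memory-safety bug on top of the injection the sample is meant to show. Read at most `BUFSIZE - 1` bytes and terminate explicitly: `count = read(STDIN_FILENO, buf, BUFSIZE - 1);` and, right after the `if (count <= 0) abort();` check, `buf[count] = '\0';`; the `isspace` call should also take `(unsigned char)buf[count-1]` so high-bit bytes are not UB, and the `malloc` result is never checked. Since the string-built `INSERT` in `write_info` is the point of the sample, I would mark that `snprintf` line so it reads as deliberate rather than as an oversight, e.g. `/* INTENTIONAL: untrusted input spliced into SQL (see README); the fix is sqlite3_prepare_v2 + sqlite3_bind_text */`. The `snprintf` result is also unchecked, so a name near 1000 bytes is silently truncated into a query that may lose its closing `')`.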
@@ -0,0 +1,27 @@
+#!/bin/bash
+get-user-info () {
+ echo "*** Welcome to sql injection ***"
+ read -r -p "Please enter name: " NAME
+}
+
+get-new-id () {
+ ID=$(/bin/bash -c 'echo $$')
+}
+
+add-user-info () {
+ echo "
+ INSERT INTO users VALUES ($ID, '$NAME')
+ " | sqlite3 users.sqlite
+}
+
+show-user-info () {
+ echo "We have the following information for you:"
+ echo "
+ select * FROM users where user_id=$ID
+ " | sqlite3 users.sqlite
+}
+
+get-user-info
+get-new-id
+add-user-info
+show-user-info
diff --git a/admin b/admin
new file mode 100755
index 0000000..b6b5bbe
--- /dev/null
+++ b/admin
@@ -0,0 +1,17 @@
+#!/bin/bash
+create-db () {
+ echo '
+ CREATE TABLE users (
+ user_id INTEGER not null,
+ name TEXT NOT NULL
+ );
+ ' | sqlite3 users.sqlite
+}
+
+show-db () {
+ echo '
+ SELECT * FROM users;
+ ' | sqlite3 users.sqlite
+}
+
+eval $@
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..42bd89a
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+clang add-user.c -lsqlite3 -o add-user
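Review bot: `add-user-info` splices `$NAME` into the SQL text piped to `sqlite3` with no quoting or escaping, so the shell client is injectable exactly like the C one; as that appears to be the purpose of the sample, a one-line marker above the function would stop a reader or scanner from treating it as an accident, e.g. `# INTENTIONAL: $NAME goes into the SQL unescaped -- this is the injection under study`. `read -r -p` returns non-zero on EOF and that is not checked, so a closed stdin proceeds to insert whatever partial (possibly empty) value it left in `NAME`; `read -r -p "Please enter name: " NAME || exit 1` would make that explicit. Separately, `get-new-id` forks a second bash only to print a PID; if the child's PID specifically is not needed, `ID=$$` gives the script's own PID with the same uniqueness property and no fork.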
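Review bot: `eval $@` at the end of `admin` re-parses every argument as shell source, so `./admin 'show-db; rm users.sqlite'` runs both commands and an unquoted `$@` also word-splits and globs; for a function dispatcher, plain `"$@"` invokes the function named by the first argument and passes the rest through untouched, and a `case create-db|show-db` with a usage message for anything else would be stricter still. Minor: `users` has neither a primary key nor a UNIQUE constraint on `user_id`, and both clients derive the id from a PID, so ids will repeat once PIDs wrap — `user_id INTEGER PRIMARY KEY` would surface that, if the sample cares.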
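Review bot: the build line compiles with no warning or debug flags, which for a sample meant to be analysed for memory and injection bugs throws away the cheapest signal; `clang -Wall -Wextra -g add-user.c -lsqlite3 -o add-user` costs nothing, and a second target with `-fsanitize=address,undefined` would make the missing NUL terminator in add-user.c's `get_user_info` (a `read` that can fill the whole buffer without a 0 ever being written) fail loudly at runtime instead of silently.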