inject-some-sql

by presidentbeef

presidentbeef / inject-some-sql

Have fun injecting SQL into a Ruby on Rails application!

209 Stars 54 Forks Last release: Not found MIT License 139 Commits 0 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

Inject Some SQL

These are sample Rails applications for demonstrating many ways SQL can be injected in Rails.

Setup

Clone the repo:

git clone https://github.com/presidentbeef/inject-some-sql.git

Pick either Rails 5, Rails 4 or Rails 3. They each have their own subdirectory.

cd inject-some-sql/rails5

In the subdirectory, install dependences and set up the database:

bundle install
rake db:setup db:seed

Run

Typical Rails start:

rails s

Open up localhost:3000 in a browser.

Reset Database

It's easy to mess up a database with SQL injection. The server does attempt to reset the database after each query, but that isn't foolproof.

To completely reset:

rake db:drop db:migrate db:seed

Inject SQL!

The site lists a whole bunch of ActiveRecord queries.

Each query has input for a single parameter (although some queries may actually have more than one). A sample injection is provided. Clicking "Run!" will run the query shown.

Adding/Modifying Queries

All queries are generated from

app/models/queries.rb
.

Limitations

  • This is a single player game because the SQL query is stored in a global variable.

License

This code is made available under the MIT license.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.