Exemple #1
0
 def sqli_in_title_protection(self, app, client):
     with app.app_context():
         db = get_db()
         cursor = db.cursor()
         random_title = str(uuid.uuid4())
         random_content = str(uuid.uuid4())
         cursor.execute(
             "INSERT INTO article (title, content, created_at) VALUES (?, ?, date('now'))",
             (random_title, random_content))
         db.commit()
         payloads = [
             '\' or 1=1 --', '\' and 1=1 --', '" or 1=1 --', '" and 1=1 --',
             '` or 1=1 --', '` and 1=1 --', '\') or 1=1 --', '") or 1=1 --',
             '`) or 1=1 --', '\')) or 1=1 --', '")) or 1=1 --',
             '`)) or 1=1 --', '\'))) or 1=1 --', '"))) or 1=1 --',
             '`))) or 1=1 --'
         ]
         for payload in payloads:
             resp = client.post("/",
                                data={
                                    'title': random_title + payload,
                                    'order': 'ASC'
                                }).data.decode('utf-8')
             if random_content in resp:
                 return False, 'Article search is vulnerable to SQL injection in TITLE parameter'
     return True, 'Article search is not vulnerable to SQL injection in TITLE parameter'
Exemple #2
0
 def sqli_in_order_protection(self, app, client):
     articles = []
     with app.app_context():
         db = get_db()
         cursor = db.cursor()
         random_prefix = str(uuid.uuid4())
         for _ in range(randint(10, 20)):
             random_title = str(uuid.uuid4()) + random_prefix + str(
                 uuid.uuid4())
             random_content = str(uuid.uuid4())
             random_datetime = randint(1546300800, 1551398400)
             articles.append(
                 (random_title, random_content, random_datetime))
             cursor.execute(
                 "INSERT INTO article (title, content, created_at) VALUES (?, ?, datetime(?, 'unixepoch'))",
                 (random_title, random_content, random_datetime))
         db.commit()
         for order_by in [
                 "DESC LIMIT " + str(len(articles) - randint(3, 7)),
                 "ASC LIMIT " + str(len(articles) - randint(3, 7))
         ]:
             resp = client.post("/",
                                data={
                                    'title': random_prefix,
                                    'order': order_by
                                }).data.decode('utf-8')
             for (_, content, _) in articles:
                 if content not in resp:
                     return False, 'Article search is vulnerable to SQL injection in ORDER parameter'
     return True, 'Article search is not vulnerable to SQL injection in ORDER parameter'
Exemple #3
0
def articles_list():
    db = get_db()
    if request.method == "POST":
        search_title = request.form['title']
        order_by = request.form['order']
        articles = db.execute(
            "SELECT * FROM article WHERE title LIKE '%%%s%%' ORDER BY created_at %s"
            % (search_title, order_by))
    else:
        articles = db.execute("SELECT * FROM article ORDER BY created_at DESC")
    return render_template("articles/list.html", articles=articles)
def articles_list():
    db = get_db()
    if request.method == "POST":
        search_title = '%' + request.form['title'] + '%'
        order_by = 'ASC' if request.form['order'] == 'ASC' else 'DESC'
        articles = db.execute(
            "SELECT * FROM article WHERE title LIKE ? ORDER BY created_at %s" %
            order_by, (search_title, )).fetchall()
    else:
        articles = db.execute(
            "SELECT * FROM article ORDER BY created_at DESC").fetchall()
    return render_template("articles/list.html", articles=articles)
 def articles_search_one(self, app, client):
     with app.app_context():
         db = get_db()
         cursor = db.cursor()
         random_title = str(uuid.uuid4())
         random_content = str(uuid.uuid4())
         cursor.execute(
             "INSERT INTO article (title, content, created_at) VALUES (?, ?, date('now'))",
             (random_title, random_content))
         db.commit()
     for order_by in ['DESC', 'ASC']:
         resp = client.post("/",
                            data={
                                'title': random_title,
                                'order': order_by
                            })
         if random_content not in resp.data.decode('utf-8'):
             return False, "Articles search is broken. Article not found"
     return True, "Articles search - OK"
 def articles_order(self, app, client):
     search_articles = []
     not_search_articles = []
     with app.app_context():
         db = get_db()
         cursor = db.cursor()
         random_prefix = str(uuid.uuid4())
         for _ in range(randint(3, 10)):
             random_title = str(uuid.uuid4()) + random_prefix + str(
                 uuid.uuid4())
             random_content = str(uuid.uuid4())
             random_datetime = randint(1546300800, 1551398400)
             search_articles.append(
                 (random_title, random_content, random_datetime))
             cursor.execute(
                 "INSERT INTO article (title, content, created_at) VALUES (?, ?, datetime(?, 'unixepoch'))",
                 (random_title, random_content, random_datetime))
         for _ in range(randint(3, 10)):
             random_title = str(uuid.uuid4()) + str(uuid.uuid4()) + str(
                 uuid.uuid4())
             random_content = str(uuid.uuid4())
             random_datetime = randint(1546300800, 1551398400)
             not_search_articles.append(
                 (random_title, random_content, random_datetime))
             cursor.execute(
                 "INSERT INTO article (title, content, created_at) VALUES (?, ?, datetime(?, 'unixepoch'))",
                 (random_title, random_content, random_datetime))
         db.commit()
         # search ASC order
         search_articles.sort(key=lambda article: article[2])
         resp_content = client.post("/",
                                    data={
                                        'title': random_prefix,
                                        'order': 'ASC'
                                    }).data.decode('utf-8')
         for (_, content, _) in search_articles:
             if content not in resp_content:
                 return False, "Articles search is broken. Articles in wrong order"
             resp_content = resp_content[resp_content.find(content):]
         search_articles.reverse()
         # search DESC order
         resp_content = client.post("/",
                                    data={
                                        'title': random_prefix,
                                        'order': 'DESC'
                                    }).data.decode('utf-8')
         for (_, content, _) in search_articles:
             if content not in resp_content:
                 return False, "Articles search is broken. Articles in wrong order"
             resp_content = resp_content[resp_content.find(content):]
         # not_search_articles not in list
         resp_content = client.post("/",
                                    data={
                                        'title': random_prefix,
                                        'order': 'DESC'
                                    }).data.decode('utf-8')
         for (_, content, _) in not_search_articles:
             if content in resp_content:
                 return False, "Articles search is broken. Additional articles found"
             resp_content = resp_content[resp_content.find(content):]
         return True, "Articles search order - OK"