scorpiontornado / Something-Awesome

My UNSW COMP6841 Self-Selected Project - AKA "Something Awesome". I chose to complete this project on web security, creating an intentionally vulnerable web-app as a teaching tool.
GNU General Public License v3.0

SQLI3 #10

Open scorpiontornado opened 11 months ago

scorpiontornado commented 11 months ago

Blacklist

Steal the login template/backend from SQLI1, just replace keywords with the empty string before sending the query. Also should replace in the query viewer.

& write hints.

scorpiontornado commented 11 months ago

Will steal from SQLI2 instead, as a blacklist would be quite lacklustre for a login system - are you just gonna replace all ORs? What if their name was Eleanor? Doing it with the student data table, UNION, WHERE etc gives a lot more freedom to play with this.

scorpiontornado commented 11 months ago

From quoccabank sqli3:

import sqlite3
from flask import Flask, request, render_template

app = Flask(__name__)
DATABASE = 'quoccabank.db'  # assumed; the database path is not shown in the original snippet

@app.route('/', methods=['GET'])
def root():
    query = request.args.get('q')
    if query is not None:
        # super powerful WAF
        # Deliberately weak: one replace() pass per keyword, matching only the all-lower
        # and all-upper spellings, so mixed case or a keyword nested in itself survives.
        for bad in ['union', 'select', 'from', 'where', 'UNION', 'SELECT', 'FROM', 'WHERE']:
            query = query.replace(bad, '')

        return render_template('home.html', query=query, results=get_results(query))

    return render_template('home.html')

def execute(query, parameters=None):
    # yappa yappa (body elided in the original; a minimal sqlite3 version is assumed here)
    conn = sqlite3.connect(DATABASE)
    return conn.execute(query, parameters or ())

def get_results(q=None):
    if q:
        # Intentionally vulnerable: the filtered input is still string-formatted into the SQL
        results = execute(f"SELECT * FROM search_engine WHERE title LIKE '%{q}%' OR description LIKE '%{q}%' OR link LIKE '%{q}%'")
    else:
        results = execute("SELECT * FROM search_engine")

    return results.fetchall() if (results) else []
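As an added stand-alone example (not code from this issue or from quoccabank), the script below reproduces the keyword filter quoted above against a constructed in-memory SQLite database and shows the three things the thread is circling around: a naive OR blacklist mangles a legitimate name like "Eleanor", the quoccabank filter lets mixed-case and self-nested keywords through to a UNION that reads another table, and the same query with bound parameters treats the identical payload as a harmless LIKE pattern. The `students` table, its row, the payload strings and the function names (`waf`, `vulnerable_search`, `safe_search`, `login_blacklist`) are all made up for the demonstration; only the `search_engine` columns and the filter list come from the snippet above.

```python
import sqlite3

# Constructed in-memory dataset standing in for the challenge's tables.
# 'students' and its row are invented here; search_engine follows the query above.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE search_engine (title TEXT, description TEXT, link TEXT);
INSERT INTO search_engine VALUES
  ('Flask docs', 'Web framework', 'https://flask.palletsprojects.com'),
  ('SQLite',     'Embedded database', 'https://sqlite.org');
CREATE TABLE students (zid TEXT, name TEXT, password TEXT);
INSERT INTO students VALUES ('z1234567', 'Eleanor', 'hunter2');
""")

BLACKLIST = ['union', 'select', 'from', 'where',
             'UNION', 'SELECT', 'FROM', 'WHERE']


def waf(q: str) -> str:
    """The quoccabank filter: one replace() pass per keyword, case-sensitive."""
    for bad in BLACKLIST:
        q = q.replace(bad, '')
    return q


def vulnerable_search(q: str) -> list:
    """Filters, then string-formats the input into the query, as the challenge does."""
    q = waf(q)
    cur = conn.execute(
        f"SELECT * FROM search_engine WHERE title LIKE '%{q}%' "
        f"OR description LIKE '%{q}%' OR link LIKE '%{q}%'")
    return cur.fetchall()


def safe_search(q: str) -> list:
    """Same query with bound parameters: the input can only ever be a LIKE pattern."""
    pat = f"%{q}%"
    cur = conn.execute(
        "SELECT * FROM search_engine WHERE title LIKE ? "
        "OR description LIKE ? OR link LIKE ?", (pat, pat, pat))
    return cur.fetchall()


def login_blacklist(username: str) -> str:
    """Hypothetical login-form blacklist that strips OR: the 'Eleanor' problem."""
    return username.replace('or', '').replace('OR', '')


# Bypass 1: only the all-lower and all-upper spellings are listed, so mixed case passes.
MIXED_CASE = "' UnIoN SeLeCt zid, name, password FrOm students -- "
# Bypass 2: the lowercase passes run before the uppercase ones, so wrapping a lowercase
# keyword around its uppercase twin means the later pass strips the inner word and
# leaves the lowercase keyword, which no remaining pass will touch.
NESTED = "' unUNIONion selSELECTect zid, name, password frFROMom students -- "
STUDENT_ROW = ('z1234567', 'Eleanor', 'hunter2')

if __name__ == '__main__':
    print(waf(MIXED_CASE))                 # payload passes through untouched
    print(waf(NESTED))                     # reassembled into union/select/from
    print(vulnerable_search(MIXED_CASE))   # search rows plus the student row
    print(safe_search(MIXED_CASE))         # [] : treated as a literal pattern
    print(waf('selection'), login_blacklist('Eleanor'))  # false positives
```

The last line is the practical argument against blacklists in the thread: `waf('selection')` silently becomes `ion` and the OR filter turns Eleanor into Elean, so the filter breaks honest input while still failing to stop the injection. Parameter binding in `safe_search` needs no keyword list at all, because the driver never lets the input be parsed as SQL.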