SQL Injection
Jennings Zhang edited this page Feb 22, 2018 · 3 revisions
https://twlinux.github.io/2018-02-03-intro-to-sql/
SQLi vulnerabilities are most prevalent with HTML forms.
Consider this line from login.html:
<input id="password" type="password" class="validate" name="pass" required autocomplete="current-password" pattern="[^'\x22]+">
From your browser, you can use inspect element to modify the live HTML.
The pattern attribute specifies a regular expression that the browser uses to validate input; the check runs only on the client. Delete it, and you'll be able to type and submit quotation marks! And why not change "type" to "text"? This turns off the input masking so you can see what you're typing.
Possible SQL injections are described in server.js. See README.md#vulnerabilities
Trick the boolean logic to force unexpected results.
Use creative exploits of the API usage to dump sensitive information.
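Since the pattern attribute can be removed in the browser, the check has to be repeated on the server, and the query has to be built so that input never becomes SQL text. The sketch below is an added example, not code from the project's server.js; the `users` table, its columns, and every function name are assumptions.

```javascript
// Added example. Table/column names and all function names are assumptions,
// not taken from the project's server.js.

// Same character class as the pattern attribute in login.html, anchored the
// way the browser anchors it (the whole value must match).
const FIELD_PATTERN = /^[^'\x22]+$/;

// Server-side re-check: unlike the HTML attribute, the client cannot delete it.
function validateField(value) {
  return typeof value === 'string' && FIELD_PATTERN.test(value);
}

// Vulnerable shape: form input is spliced into the SQL text itself.
function buildLoginQueryUnsafe(user, pass) {
  return "SELECT id FROM users WHERE name = '" + user + "' AND pass = '" + pass + "'";
}

// Hardened shape: the SQL text is a constant; input travels as bound values.
// (Password hashing is out of scope for this sketch.)
function buildLoginQuery(user, pass) {
  return { text: 'SELECT id FROM users WHERE name = ? AND pass = ?', values: [user, pass] };
}

// The concatenated statement should hold exactly two string literals, i.e.
// four quote characters. Any other count means input altered its structure.
function structureIntact(sql) {
  return (sql.match(/'/g) || []).length === 4;
}

// Hypothetical core of a login handler: validate first, then bind.
function handleLogin(body) {
  if (!validateField(body.user) || !validateField(body.pass)) {
    return { status: 400, query: null };
  }
  return { status: 200, query: buildLoginQuery(body.user, body.pass) };
}

// Constructed sample submissions: one plain, one with a quote in the password
// (what a browser sends once the pattern attribute has been removed).
const samples = [
  { user: 'alice', pass: 'correct horse' },
  { user: 'alice', pass: "it's-a-secret" },
];
for (const s of samples) {
  const unsafe = buildLoginQueryUnsafe(s.user, s.pass);
  console.log(handleLogin(s).status, structureIntact(unsafe), unsafe);
}
```

The second sample is rejected with status 400 by the server-side check, and the concatenated statement built from it no longer has the expected quote structure, while the text of the bound query is identical for every input.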