presidentbeef / inject-some-sql

Have fun injecting SQL into a Ruby on Rails application!

Home Page: https://rails-sqli.org

Inject Some SQL

These are sample Rails applications for demonstrating many ways SQL can be injected in Rails.

Setup

Clone the repo:

git clone https://github.com/presidentbeef/inject-some-sql.git

Pick either Rails 5, Rails 4 or Rails 3. They each have their own subdirectory.

cd inject-some-sql/rails5

In the subdirectory, install dependencies and set up the database:

bundle install
rake db:setup db:seed

Run

Typical Rails start:

rails s

Open up localhost:3000 in a browser.

Reset Database

It's easy to mess up a database with SQL injection. The server does attempt to reset the database after each query, but that isn't foolproof.

To completely reset:

rake db:drop db:migrate db:seed

Inject SQL!

The site lists a whole bunch of ActiveRecord queries.

Each query has input for a single parameter (although some queries may actually have more than one). A sample injection is provided. Clicking "Run!" will run the query shown.
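The pattern every query on the site turns on is the difference between interpolating user input into an ActiveRecord condition and passing it through a placeholder. The following is an added illustration, not code from this repository or from Rails: the `quote_literal` and `bind_sql` helpers only imitate what an ActiveRecord connection adapter does for a `?` placeholder, and the input string is a constructed sample.

```ruby
# Added example (not part of inject-some-sql). Shows why string
# interpolation into a condition is injectable and how placeholder
# binding escapes the same input. The helpers below are an assumption
# that mimics ActiveRecord's quoting, not the real adapter code.

# Mirrors the dangerous pattern: Model.where("name = '#{params[:name]}'")
# The input is dropped straight into the SQL text.
def unsafe_where(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Doubling single quotes is the SQL-92 way to escape a string literal.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Mirrors the safe pattern: Model.where("name = ?", params[:name])
# Each '?' becomes a quoted literal, so the value can neither close the
# string nor append clauses.
def bind_sql(template, *values)
  raise ArgumentError, "placeholder count mismatch" unless template.count("?") == values.length
  vals = values.dup
  template.gsub("?") { quote_literal(vals.shift) }
end

def safe_where(name)
  bind_sql("SELECT * FROM users WHERE name = ?", name)
end

INJECTION = "' OR 1=1 --" # constructed sample input

if __FILE__ == $PROGRAM_NAME
  puts unsafe_where(INJECTION) # WHERE name = '' OR 1=1 --'  -> matches every row
  puts safe_where(INJECTION)   # WHERE name = ''' OR 1=1 --' -> matches a literal name
end
```

Quoting only protects positions where SQL expects a string literal; input that lands in a column name, an `ORDER BY` clause, a `LIMIT`, or a raw fragment is not made safe by it, which is why several of the queries listed on the site still inject even without a quote character.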

Adding/Modifying Queries

All queries are generated from app/models/queries.rb.

Limitations

  • This is a single player game because the SQL query is stored in a global variable.

License

This code is made available under the MIT license.
