
SQLi testbed

  • 23-05-2011 11:04pm
    #1
    Closed Accounts Posts: 20,759 ✭✭✭✭


    Hey guys,

    I've coded a testbed for SQL Injection, specifically orientated to tackling filter evasion. The web-app has 4 varying levels of filters - so the user can start at level 1, and work their way up.

    I'm looking for a few people to beta test it, and give me feedback before I release it. So if anyone wants a copy - let me know, and I'll zip it up and send it on. You'll require Apache/PHP/MySQL to run it - if you're on Windows, just download XAMPP, or LAMPP for Linux.

    It doesn't come with an install script yet - so I'll attach a SQL file, which you can just run in phpmyadmin to generate the tables and site-content.

    Post here if you want to give it a trial.


Comments

  • Registered Users Posts: 367 ✭✭900913


    I will give it a try.

    Sounds fun.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Sent it on there in a PM.


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    I'd also have a go at this


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Sent.


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    Would this be suitable for a user learning SQLi? I'm pretty much a newbie at SQLi (I have no idea how much I know... a lot of theory and no practice) so if you'd like a beginner's opinion feel free to send it my way (but I won't be able to do anything for the next week or so).


  • Closed Accounts Posts: 14 Sigtran


    Send it on to me as well please.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Sent on.

    LoLth - It's primarily for practising filter evasion, which is a huge part of SQL Injection. Level 1 of the game has no filtering, so you can learn and practise the fundamentals of SQLi with that, and then move onto filter evasion. (Vast range of topics on it online).

    There is no real object of the game, other than read data from the DB that one should not have access to. I'll let you guys figure out what that is.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Anybody else have a try of this yet?


  • Registered Users Posts: 367 ✭✭900913


    I've tested it and it's really good for anyone who wants to learn SQLi filter evasion.

    The injection point and column count stay the same, making a good reference point, then more difficult filters get added on each level.

    SQLi tools like Havij won't pass most filters, so if you're using tools you should learn this. Otherwise you're missing loads of injections.


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    It works well for me, I've yet to go through all the levels though but it's great for testing stuff and to practise on. :)
    I had fun yesterday pulling data from another database on the same server, which highlights the problem of having the same user for multiple databases or granting unnecessary or global permissions. It was an unexpected and interesting lesson for me.
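Redshift's point above is the least-privilege lesson for anyone hosting the testbed, or any PHP/MySQL application: the account the web app connects with should only be able to reach its own schema, so an injection in one application cannot read every other database on the server. The statements below are an added example, not part of the thread or of the testbed; the schema names (sqli_testbed, other_app), the account ('webapp'@'localhost') and the password are constructed placeholders.

```sql
-- Added example, not part of the thread or of the testbed it describes.
-- sqli_testbed, other_app, 'webapp'@'localhost' and the password are placeholders.

-- Weak setting: one account with global privileges serves every database on
-- the server. An injection in any one application then exposes all of them.
-- CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'change-me';
-- GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'localhost';

-- Corrected setting: one account per application, restricted to that
-- application's schema and to the statements the application actually issues.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'change-me';
GRANT SELECT, INSERT, UPDATE, DELETE ON sqli_testbed.* TO 'webapp'@'localhost';
-- Deliberately absent: GRANT ALL, privileges on *.*, and administrative
-- privileges such as FILE, PROCESS or SUPER.
FLUSH PRIVILEGES;

-- Check, as the DBA, exactly what the application account holds.
SHOW GRANTS FOR 'webapp'@'localhost';

-- Check from the application account's own session: SHOW DATABASES lists only
-- schemas it holds privileges on (plus information_schema), and a cross-schema
-- read such as the one below should fail with a "command denied" error rather
-- than return rows.
-- SHOW DATABASES;
-- SELECT COUNT(*) FROM other_app.users;
```

Run the first part as the MySQL root/DBA account, then open a second session as 'webapp' to run the two commented checks; if the cross-schema SELECT succeeds, the account still has a broader grant somewhere (SHOW GRANTS will show it) and that grant should be revoked.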


  • Registered Users Posts: 495 ✭✭jakedixon2004


    I would really like to test this out. Send me a PM if you get a chance dude.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I would like to take a look at this.

    Thanks.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Here ye go guys: http://www.sendspace.com/file/irmid3

    It's not a finished product yet, so keep that in mind. I included the SQL file, so if you just paste it into phpmyadmin, it will create the data for you. Any questions, just drop me a message.

