diff --git a/RandomQuotes/Controllers/SQLIController.cs b/RandomQuotes/Controllers/SQLIController.cs
index 343655e..edcee3a 100644
--- a/RandomQuotes/Controllers/SQLIController.cs
+++ b/RandomQuotes/Controllers/SQLIController.cs
@@ -3,7 +3,9 @@
 using System.IO;
 using System.Text;
 using Microsoft.AspNetCore.Mvc;
-using System.Data.SQLite;
+using System.Data.SQLite;
+using System.Linq;
+using Microsoft.AspNetCore.Http.Extensions;
 namespace RandomQuotes.Controllers
@@ -11,17 +13,30 @@ namespace RandomQuotes.Controllers
 public class SQLIController : Controller
 {
 // testing normal: /sqli?name=Andrew
- // testing exploit: /sqli?name=1%27%20or%20%271%27==%271
+ // testing exploit: /sqli?name=Octopus%27%20or%20%271%27==%271
 [HttpGet("sqli")]
 public IActionResult Get(string name)
 {
- SQLiteConnection conn = new SQLiteConnection("Data Source=Chinook_Sqlite.sqlite");
- conn.Open();
-
- SQLiteCommand cmd = new SQLiteCommand(conn);
- cmd.CommandText = "select * from Employee where FirstName == '" + name + "';";
+ string clause = "";
+ List list = new List();
+ if (name.StartsWith("Octopus"))
+ {
+ list.Add("FirstName == '" + name + "';");
+ }
+ else
+ {
+ list.Add("FirstName == 'Andrew';");
+ }
+
+ SQLiteConnection conn2 = new SQLiteConnection("Data Source=Chinook_Sqlite.sqlite");
+ conn2.Open();
- SQLiteDataReader reader = cmd.ExecuteReader();
+ SQLiteCommand cmd2 = new SQLiteCommand(conn2);
+ string whereClause = "where " + string.Join(" OR ", list);
+
+ cmd2.CommandText = "select * from Employee " + whereClause;
+ Console.WriteLine(cmd2.CommandText);
+ SQLiteDataReader reader = cmd2.ExecuteReader();
 List res = new List();
@@ -40,4 +55,4 @@ public IActionResult Get(string name)
 return Ok(res);
 }
 }
-}
\ No newline at end of file
+}
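Review bot: The user-supplied `name` is still concatenated into the SQL text in the `Octopus` branch (`list.Add("FirstName == '" + name + "';")`), so the injection the removed `cmd.CommandText` line had is only gated behind a prefix check, not removed; the updated exploit comment above the action confirms that branch is the reachable one. Binding the value as a parameter, shown below, closes it and makes the `list`/`whereClause` assembly, the unused `clause` local and `Console.WriteLine(cmd2.CommandText)` (which writes the raw request-controlled query text to the console) unnecessary. `name.StartsWith("Octopus")` throws when the query parameter is absent, so guard it with `name != null &&`, and `conn2` is never closed or disposed — wrap the connection and command in `using` blocks. The body of Get continues outside this hunk (the code that fills `res` and the `return Ok(res)` in the last hunk), so the lines below replace only the query-building part.
```csharp
SQLiteCommand cmd2 = new SQLiteCommand(conn2);
// the prefix branch keeps the demo's two paths; the value travels as a bound parameter, never as SQL text
cmd2.CommandText = "select * from Employee where FirstName = @name";
cmd2.Parameters.AddWithValue("@name", name != null && name.StartsWith("Octopus") ? name : "Andrew");
SQLiteDataReader reader = cmd2.ExecuteReader();
// … unchanged: List res = new List(); and the rest of the action …
```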