Example on SQL-Injection-Interpolation no longer works

[enygma]

This is based on a new installation of the software.

The example query provided in SQL-Injection-Interpolation.md no longer works as the database no longer allows more than one SQL statement to be executed (an error is thrown).

An injection payload that does work, however, is:

http://127.0.0.1:8000/admin/1/analytics/?ip=184.166.51.156&password from app_user--

This injects after that first SELECT and then comments out the remainder of the statement.

[colbyprior]

I ran into this same issue. I replaced the cursor.execute(cmd) with a cursor.executescript(cmd) in the analytics model and this fixed the attack for me. Perhaps I should submit this as a pull request?

DjanGoat/app/models/Analytics/analytics.py

Line 60 in cba0353

cursor.execute(cmd)

[palmergs]

Yes, please submit a pull request and we'll give it a look over asap.

[colbyprior]

It looks like I got mixed up when I was testing this. cursor.executescript runs the SQL however it doesn't actually return the result. Sorry about that, my fault.

There isn't much way around this if you are using sqlite from what I can see. The example link could be changed to something like http://127.0.0.1:8000/admin/1/analytics/?ip=0.0.0.0&password,%20email%20from%20app_user--.

I have tested mysql and sqlite and they both work with this exploit.