from flask import Flask, request, render_template_string, redirect, session import psycopg2 app = Flask(__name__) app.secret_key = "s3cret_key" # Database connection conn = psycopg2.connect( dbname="dvtest", user="dvuser", password="dvpass", host="localhost", port="5432" ) # HTML template with search form TEMPLATE = """ Admin Panel

Welcome{% if user %}, {{ user }}{% endif %}

{% if not user %}
Username:
{% else %}

User Search | Logout

Search User:
{% endif %} {% if results %}

Search Results

{% for row in results %} {% endfor %}
IDUsernameEmail
{{ row[0] }}{{ row[1] }}{{ row[2] }}
{% endif %} {% if message %}

{{ message }}

{% endif %} """ @app.route("/", methods=["GET", "POST"]) def login(): if request.method == "POST": username = request.form.get("username") if username: session["user"] = username return redirect("/search") return render_template_string(TEMPLATE, user=None, message="Username cannot be empty") return render_template_string(TEMPLATE, user=None) @app.route("/logout") def logout(): session.pop("user", None) return redirect("/") @app.route("/search", methods=["GET", "POST"]) def search(): if "user" not in session: return redirect("/") results = [] message = None keyword = "" if request.method == "POST": keyword = request.form.get("keyword", "") try: cur = conn.cursor() # Vulnerable SQL query: allows injection of commands like COPY TO PROGRAM # Example exploit: ' OR 1=1; COPY users TO PROGRAM 'whoami'; -- sql = f"SELECT id, username, email FROM users WHERE username LIKE '%{keyword}%'" cur.execute(sql) results = cur.fetchall() conn.commit() except Exception as e: conn.rollback() message = f"Query failed: {str(e)}" return render_template_string(TEMPLATE, user=session["user"], results=results, message=message, keyword=keyword) if __name__ == "__main__": app.run(host="0.0.0.0", port=28080)