from flask import Flask, request, render_template_string, redirect, session import psycopg2 app = Flask(__name__) app.secret_key = "s3cret_key" # Database connection conn = psycopg2.connect( dbname="dvtest", user="dvuser", password="dvpass", host="localhost", port="5432" ) # HTML template with search form TEMPLATE = """
| ID | Username | |
|---|---|---|
| {{ row[0] }} | {{ row[1] }} | {{ row[2] }} |
{{ message }}
{% endif %} """ @app.route("/", methods=["GET", "POST"]) def login(): if request.method == "POST": username = request.form.get("username") if username: session["user"] = username return redirect("/search") return render_template_string(TEMPLATE, user=None, message="Username cannot be empty") return render_template_string(TEMPLATE, user=None) @app.route("/logout") def logout(): session.pop("user", None) return redirect("/") @app.route("/search", methods=["GET", "POST"]) def search(): if "user" not in session: return redirect("/") results = [] message = None keyword = "" if request.method == "POST": keyword = request.form.get("keyword", "") try: cur = conn.cursor() # Vulnerable SQL query: allows injection of commands like COPY TO PROGRAM # Example exploit: ' OR 1=1; COPY users TO PROGRAM 'whoami'; -- sql = f"SELECT id, username, email FROM users WHERE username LIKE '%{keyword}%'" cur.execute(sql) results = cur.fetchall() conn.commit() except Exception as e: conn.rollback() message = f"Query failed: {str(e)}" return render_template_string(TEMPLATE, user=session["user"], results=results, message=message, keyword=keyword) if __name__ == "__main__": app.run(host="0.0.0.0", port=28080)