This is an extremely vulnerable application. Please do not deploy in production or host it on the Internet. You are responsible for this application and what you do with it.
This is a simple PHP application with multiple pages to demonstrate and learn SQL Injection.
The PHP code is extremely primitive, but it clearly demonstrates the vulnerability and can be used to teach the various kinds of SQL injection in a hands-on class.
The `sqlictf` folder can be deployed independently if you simply want to play the challenges.
The application requires PHP and MySQL/MariaDB. The server could be nginx or Apache. Here's a link to set up Apache, MySQL and PHP on Ubuntu 14.04
- Go to `/resetdb.php` to set up the application.
- To complete the OS command execution level, set the `uploads` directory with `chmod 777`.
If your MySQL/MariaDB credentials are different from 'root' and 'root' (which ideally they should be), then update the following files as well:
- db_config.php
- resetdb.php
- sqlictf/db_config.php
- sqlictf/resetdb.php
The different inputs for each of the links can be found in `walkthrough.md`.
To reset the database, navigate to `/resetdb.php`.