Skip to main content

GRADE XII - HACKATHON ACTIVITY

 # ---

# File: main.py

# The functions defined in this file have

# two major vulnerabilites. It is you job

# to find them and fix them.

# Document the vulnerability and research

# about it.

# Hint: Check the `execute` method calls.

#

#

# Run `pip install "fastapi[standard]"` (or `pip3`)

# ---


from fastapi import FastAPI

import sqlite3



# FastAPI is used to create the API

# for the application. It is not a

# part of the vulnerability.

#

# Read More: https://fastapi.tiangolo.com/

app = FastAPI()


db = sqlite3.connect("main.sqlite")

cursor = db.cursor()

cursor.execute("CREATE TABLE IF NOT EXISTS users (username TEXT, password TEXT)")

cursor.execute("CREATE TABLE IF NOT EXISTS items (user_name TEXT)")

db.commit()

db.close()


"""

One of the vulnerabilities is present

in this function.

"""



@app.get("/auth/email")

async def login(username: str, password: str):

    db = sqlite3.connect("main.sqlite")

    cursor = db.cursor()

    cursor.execute(

        "SELECT * FROM users WHERE username = '%s' AND password = '%s'"

        % (username, password)

    )

    result = cursor.fetchone()

    if result:

        return {"message": "Login successful"}

    else:

        return {"message": "Invalid username or password"}



"""

The other instance of that vulnerability

is present in this function.

"""



@app.get("/items")

async def get_items(user_name, token):

    db = sqlite3.connect("main.sqlite")

    cursor = db.cursor()

    cursor.execute("SELECT * FROM items WHERE user_name = '%s'" % (user_name))

    result = cursor.fetchall()

    if result:

        return {"message": "Success"}

    else:

        return {"message": "No items found"}



"""

This is a helper function. This is

not a part of the vulnerability.

"""



@app.get("/register")

async def register(username, password):

    db = sqlite3.connect("main.sqlite")

    cursor = db.cursor()

    cursor.execute(

        "SELECT * FROM users WHERE username = '%s' AND password = '%s'"

        % (username, password)

    )

    result = cursor.fetchone()

    if result:

        return {"message": "User already exists"}

    else:

        cursor.execute(

            "INSERT INTO users (username, password) VALUES ('%s', '%s')"

            % (username, password)

        )

        db.commit()

        return {"message": "User created successfully"}


LINK:

Comments

Post a Comment

Popular posts from this blog

PYTHON - MYSQL CONNECTIVITY CODE

  #INSERTION OF DATA import mysql.connector mydb = mysql.connector.connect( host="localhost", user="root", passwd="root", database="school" ) print("Successfully Connected") #print(mydb) mycursor=mydb.cursor()   v1=int(input("enter ID:")) v2=input("enter name:") v3=input("enter Gender:") v4=int(input("enter age:")) sql='insert into TEACH values("%d","%s","%s","%s")'%(v1,v2,v3,v4) print(sql) mycursor.execute(sql) mydb.commit() print("record added") #MYSQL Connection code – Deletion on database SOURCE CODE: s=int(input("enter id of TEACHER to be deleted:")) r=(s,) v="delete from TEACH where id=%s" mycursor.execute(v,r) mydb.commit() print("record deleted") MYSQL Connection code – Updation on database SOURCE CODE: import mysql.connector mydb = mysql.connector.c...
Post a Comment
Read more

REVISION IF CONSTRUCT | CLASS TEST

                                                                                     CLASS TEST 1. Write a Python program that asks the user for their age, gender, and current fitness level (beginner, intermediate, or advanced). Based on this information, suggest a suitable fitness plan using if-else statements. Requirements: Inputs : Age (integer) Gender (male/female) Fitness level (beginner/intermediate/advanced) Outputs : Recommend a fitness plan that includes: Suggested workout duration. Type of exercises (e.g., cardio, strength, flexibility). Rest days. Logic : Use if-else to determine the plan based on conditions such as: Age group (e.g., <18, 18–40, >40). Fitness leve...
Post a Comment
Read more