Want to run this container locally?

docker run -d --name sql-web -p 5000:5000 joshbeck2024/sql-injection-chal-package-search:latest

You are provided the source code for this application:

• It has a flaw, which is an interesting edge case
• JSON.dumps() + sqlite? —You might have a bad time!

clauses.append(f"LOWER(distro) = {json.dumps(distro)}")
clauses.append(f"LOWER(package) = {json.dumps(package)}")

• json.dumps(distro) returns a JSON string literal (with JSON escaping rules).
• It then pastes that directly into SQL via an f-string.
• JSON escaping is not SQL escaping, so quotes/backslashes/etc. are not handled according to SQLite’s rules.

json.dumps() escapes quotes the JSON way (using backslashes), e.g.:

• user input: x" OR 1=1 --
• json.dumps(...) → "x\\" OR 1=1 --"

Your SQL becomes:

...WHERELOWER(distro)= "x\\"OR1=1--"

In SQL/SQLite, \\" is not a reliable “escaped quote” inside a "..."

• In SQL, the normal way to embed a " inside "...” is "" (double the quote), not \\".
• So the parser can treat that " as ending the quoted value, and then OR 1=1 -- becomes real SQL.

Summary:

• JSON Escaping and SQLITE don’t mix!