Fixed some errors.
					committed by
					
						 Nanne Baars
						Nanne Baars
					
				
			
			
				
	
			
			
			
						parent
						
							26e3803de0
						
					
				
				
					commit
					14f4b42ba5
				
			| @ -72,7 +72,6 @@ public class SqlInjectionLesson10 extends AssignmentEndpoint { | |||||||
|                 return true; |                 return true; | ||||||
|             } |             } | ||||||
|         } |         } | ||||||
|  |  | ||||||
|         return false; |         return false; | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  | |||||||
| @ -78,7 +78,6 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint { | |||||||
|             while (results.next()) { |             while (results.next()) { | ||||||
|                 t.append("<tr>"); |                 t.append("<tr>"); | ||||||
|                 for (int i = 1; i < (numColumns + 1); i++) { |                 for (int i = 1; i < (numColumns + 1); i++) { | ||||||
|                     System.out.println(results.getString(i)); |  | ||||||
|                     t.append("<td>" + results.getString(i) + "</td>"); |                     t.append("<td>" + results.getString(i) + "</td>"); | ||||||
|                 } |                 } | ||||||
|                 t.append("</tr>"); |                 t.append("</tr>"); | ||||||
|  | |||||||
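Review bot: Each cell is still built as `t.append("<td>" + results.getString(i) + "</td>")` with no escaping, so if generateTable's output is rendered as HTML, any markup stored in a database value lands in the page as-is; if that is not intended as part of the lesson, pass the value through an HTML-escaping helper before appending it. A smaller point of style on the same loop: `for (int i = 1; i <= numColumns; i++)` reads more directly than `i < (numColumns + 1)` for JDBC's 1-based, inclusive column indices. generateTable begins and ends outside the hunk.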
| @ -35,10 +35,9 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint { | |||||||
|                 SqlInjectionLesson8.log(connection, query); |                 SqlInjectionLesson8.log(connection, query); | ||||||
|                 ResultSet results = statement.executeQuery(query); |                 ResultSet results = statement.executeQuery(query); | ||||||
|  |  | ||||||
|                 results.first(); |                 if (results != null && results.first()) { | ||||||
|  |                     output.append(SqlInjectionLesson8.generateTable(results, results.getMetaData())); | ||||||
|                 ResultSetMetaData resultsMetaData = results.getMetaData(); |                 } | ||||||
|                 output.append(SqlInjectionLesson8.generateTable(results, resultsMetaData)); |  | ||||||
|             } catch (SQLException e) { |             } catch (SQLException e) { | ||||||
|                 System.err.println(e.getMessage()); |                 System.err.println(e.getMessage()); | ||||||
|                 return checkSalaryRanking(connection, output); |                 return checkSalaryRanking(connection, output); | ||||||
| @ -59,11 +58,10 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint { | |||||||
|             ResultSet results = statement.executeQuery(query); |             ResultSet results = statement.executeQuery(query); | ||||||
|  |  | ||||||
|             results.first(); |             results.first(); | ||||||
|  |  | ||||||
|             // user completes lesson if John Smith is the first in the list |             // user completes lesson if John Smith is the first in the list | ||||||
|             if ((results.getString(2).equals("John")) && (results.getString(3).equals("Smith"))) { |             if ((results.getString(2).equals("John")) && (results.getString(3).equals("Smith"))) { | ||||||
|                 output.append(SqlInjectionLesson8.generateTable(results, results.getMetaData())); |                 output.append(SqlInjectionLesson8.generateTable(results, results.getMetaData())); | ||||||
|                 return trackProgress(success().feedback("sql-injection.9.success").feedbackArgs(output.toString()).build()); |                 return trackProgress(success().feedback("sql-injection.8.success").feedbackArgs(output.toString()).build()); | ||||||
|             } else { |             } else { | ||||||
|                 return trackProgress(failed().output(output.toString()).build()); |                 return trackProgress(failed().output(output.toString()).build()); | ||||||
|             } |             } | ||||||
|  | |||||||
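Review bot: In checkSalaryRanking (second hunk, `@ -59,11 +58,10`), the success path now uses the key `sql-injection.8.success`, whose text in the properties hunk below describes lesson 8's confidentiality breach, while the method's own comment says lesson 9 is completed when John Smith tops the salary list and `sql-injection.9.success` is the message about changing the salary; unless the key change is deliberate this should read `success().feedback("sql-injection.9.success")`. The same hunk still discards the return value of `results.first()`, so an empty result set reaches `results.getString(2)` and throws SQLException — the first hunk fixed exactly this pattern with `if (results != null && results.first())`, and here it would be `if (results.first() && "John".equals(results.getString(2)) && "Smith".equals(results.getString(3))) {`, which also avoids a NullPointerException when either column is NULL. checkSalaryRanking starts and ends outside the hunk.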
| @ -38,6 +38,8 @@ sql-injection.6b.no.results=No results matched. Try Again. | |||||||
|  |  | ||||||
| sql-injection.8.success=You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done! {0} | sql-injection.8.success=You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done! {0} | ||||||
| sql-injection.8.no.results=No employee found with matching lastname. Or maybe your authentication TAN is incorrect? | sql-injection.8.no.results=No employee found with matching lastname. Or maybe your authentication TAN is incorrect? | ||||||
|  | sql-injection.9.success=Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary! {0} | ||||||
|  | sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data. | ||||||
|  |  | ||||||
| SqlStringInjectionHint8-1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command. | SqlStringInjectionHint8-1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command. | ||||||
| SqlStringInjectionHint8-2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR. | SqlStringInjectionHint8-2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR. | ||||||
| @ -45,16 +47,12 @@ SqlStringInjectionHint8-3=Try appending a SQL statement that always resolves to | |||||||
| SqlStringInjectionHint8-4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct. | SqlStringInjectionHint8-4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct. | ||||||
| SqlStringInjectionHint8-5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1. | SqlStringInjectionHint8-5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1. | ||||||
|  |  | ||||||
| sql-injection.9.success=Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary. {0} |  | ||||||
|  |  | ||||||
| SqlStringInjectionHint9-1=Try to find a way, to chain another query to the end of the existing one. | SqlStringInjectionHint9-1=Try to find a way, to chain another query to the end of the existing one. | ||||||
| SqlStringInjectionHint9-2=Use the ; metacharacter to do so. | SqlStringInjectionHint9-2=Use the ; metacharacter to do so. | ||||||
| SqlStringInjectionHint9-3=Make use of DML to change your salary. | SqlStringInjectionHint9-3=Make use of DML to change your salary. | ||||||
| SqlStringInjectionHint9-4=Make sure that the resulting query is syntactically correct. | SqlStringInjectionHint9-4=Make sure that the resulting query is syntactically correct. | ||||||
| SqlStringInjectionHint9-5=How about something like '; UPDATE employees.... | SqlStringInjectionHint9-5=How about something like '; UPDATE employees.... | ||||||
|  |  | ||||||
| sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data. |  | ||||||
|  |  | ||||||
| SqlStringInjectionHint10-1=Use the techniques that you have learned before. | SqlStringInjectionHint10-1=Use the techniques that you have learned before. | ||||||
| SqlStringInjectionHint10-2=The application takes your input and filters for entries that are LIKE it. | SqlStringInjectionHint10-2=The application takes your input and filters for entries that are LIKE it. | ||||||
| SqlStringInjectionHint10-3=Try query chaining to reach the goal. | SqlStringInjectionHint10-3=Try query chaining to reach the goal. | ||||||
|  | |||||||
| @ -4,5 +4,5 @@ After successfully compromising confidentiality and integrity in the previous le | |||||||
| === It's your turn! | === It's your turn! | ||||||
| Now you're the top earner in your company. | Now you're the top earner in your company. | ||||||
| But do you see that? | But do you see that? | ||||||
| There seems to be a table, where all your actions have been logged to! + | There seems to be a access_log table, where all your actions have been logged to! + | ||||||
| Better go and delete it quickly before anyone notices. | Better go and delete it quickly before anyone notices. | ||||||
|  | |||||||