Implemented some feedback

This commit is contained in:
Tobias-Melzer 2019-02-04 22:45:56 +01:00 committed by Nanne Baars
parent 53c16c8b82
commit 256c0d05aa
9 changed files with 73 additions and 44 deletions


@ -7,5 +7,10 @@ network.request=You made a HTTP Request.
network.success=Correct, Well Done.
network.failed=That is not correct, try again.
<<<<<<< HEAD
networkHint1=Clear all Requests from the network button, then make the request. The you should be able to figure out, which request holds the data.
networkHint2=The name of the request is "dummy"
=======
networkHint1=Clear all Requests from the network tab, then make the request. The you should be able to figure out, which request holds the data.
networkHint2=The name of the request is "dummy"
>>>>>>> Implemented some feedback
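Review bot: The new side of this hunk commits the merge-conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> Implemented some feedback` into the message bundle, so the file now carries three junk lines and a duplicated `networkHint1`/`networkHint2` pair, of which a Properties loader silently keeps only the last occurrence. Resolve the conflict by keeping whichever hint pair is intended (the two differ only in `button` versus `tab`) and dropping the three marker lines. While resolving it, `The you should be able to figure out` reads as a typo for `Then you should be able to figure out`.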


@ -6,10 +6,7 @@ import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import java.io.IOException;
import java.sql.*;
@ -47,10 +44,10 @@ import java.sql.*;
*/
@AssignmentPath("/SqlInjection/attack6a")
@AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3",
"SqlStringInjectionHint-advanced-6a-4", "SqlStringInjectionHint-advanced-6a-5"})
"SqlStringInjectionHint-advanced-6a-4"})
public class SqlInjectionLesson6a extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
@PostMapping
public
@ResponseBody
AttackResult completed(@RequestParam String userid_6a) throws IOException {
@ -60,17 +57,15 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
protected AttackResult injectableQuery(String accountName) {
String query = "";
try {
try(Connection connection = DatabaseUtilities.getConnection(getWebSession())) {
boolean usedUnion = true;
Connection connection = DatabaseUtilities.getConnection(getWebSession());
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
//Check if Union is used
if(!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) {
usedUnion = false;
}
try {
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
try(Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY)) {
ResultSet results = statement.executeQuery(query);
if ((results != null) && (results.first())) {
@ -78,15 +73,17 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
StringBuffer output = new StringBuffer();
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
if(! usedUnion)
output.append("To successfully complete this Assignment you have to use a UNION");
String appendingWhenSucceded;
if(usedUnion)
appendingWhenSucceded = "Well done! Can you also figure out a solution, by appending a new Sql Statement?";
else
appendingWhenSucceded = "Well done! Can you also figure out a solution, by using a UNION?";
results.last();
// If they get back more than one user they succeeded
if (results.getRow() >= 5 && usedUnion) {
return trackProgress(success().feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build());
} else if((output.toString().contains("dave") && output.toString().contains("passW0rD")) && !usedUnion) {
return trackProgress(failed().output("To successfully complete this Assignment you have to use a UNION" + "<br> Your query was: " + query).build());
if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
output.append(appendingWhenSucceded);
return trackProgress(informationMessage().feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build());
} else {
return trackProgress(failed().output(output.toString() + "<br> Your query was: " + query).build());
}
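Review bot: `output` in the last hunk is still declared as `StringBuffer` while the parallel change to SqlInjectionLesson5a in this same commit switches to `StringBuilder`; the buffer is method-local and never shared, so the synchronized type buys nothing and the two lessons should agree — `StringBuilder output = new StringBuilder();`. The `usedUnion` flag is initialised to `true` and then cleared by an `if`; `boolean usedUnion = accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)");` states the same thing directly, and `output.toString()` is rebuilt three times across the success check and the two messages, so capture it once before the branch. `completed` still declares `throws IOException` although `writeTable`, which it reaches through this method, no longer throws it after this commit; if nothing else in the body throws it, that declaration and the `java.io.IOException` import are dead. `injectableQuery` starts before and ends after the visible hunks.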


@ -5,10 +5,7 @@ import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import java.io.IOException;
import java.sql.*;
@ -45,9 +42,15 @@ import java.sql.*;
* @created October 28, 2003
*/
@AssignmentPath("/SqlInjection/assignment5a")
@AssignmentHints(value = {"SqlStringInjectionHint5a1"})
public class SqlInjectionLesson5a extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
private static final String EXPLANATION = "<br> Explanation: This injection works, because <span style=\"font-style: italic\">or '1' = '1'</span> "
+ "always evaluates to true (The string ending literal for '1 is closed by the query itself, so you should not inject it). "
+ "So the injected query basically looks like this: <span style=\"font-style: italic\">SELECT * FROM user_data WHERE first_name = 'John' and last_name = '' or TRUE</span>, "
+ "which will always evaluate to true, no matter what came before it.";
@PostMapping
public
@ResponseBody
AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
@ -58,23 +61,22 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint {
String query = "";
try {
Connection connection = DatabaseUtilities.getConnection(getWebSession());
System.out.println(accountName);
query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
try {
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
try(Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY)) {
ResultSet results = statement.executeQuery(query);
if ((results != null) && (results.first())) {
ResultSetMetaData resultsMetaData = results.getMetaData();
StringBuffer output = new StringBuffer();
StringBuilder output = new StringBuilder();
output.append(writeTable(results, resultsMetaData));
results.last();
// If they get back more than one user they succeeded
if (results.getRow() >= 6) {
return trackProgress(success().feedback("sql-injection.5a.success").output("Your query was: " + query).feedbackArgs(output.toString()).build());
return trackProgress(success().feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build());
} else {
return trackProgress(failed().output(output.toString() + "<br> Your query was: " + query).build());
}
@ -91,11 +93,10 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint {
}
}
public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException,
SQLException {
public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException {
int numColumns = resultsMetaData.getColumnCount();
results.beforeFirst();
StringBuffer t = new StringBuffer();
StringBuilder t = new StringBuilder();
t.append("<p>");
if (results.next()) {
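Review bot: The `Connection` obtained at the top of the second hunk is not in a try-with-resources block, while the `Statement` directly below it now is, and the sibling change to SqlInjectionLesson6a wraps its connection as well; unless a closing block outside this hunk releases it, every request leaks a connection. Wrapping it the same way as 6a, `try (Connection connection = DatabaseUtilities.getConnection(getWebSession())) {`, closes both resources in order. The `System.out.println(accountName)` line writes raw request input to stdout; whether it is new here or pre-existing, it should be removed or replaced with the class logger at debug level rather than left in a request handler. `injectableQuery` starts before the hunk and ends after it.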


@ -151,7 +151,7 @@
enctype="application/json;charset=UTF-8">
<table>
<tr>
<td>SELECT * FROM users WHERE LOGIN_COUNT > 0 and FIRST_NAME = '</td>
<td>SELECT * FROM users_data FIRST_NAME = 'John' and Last_NAME = '</td>
<td><select name="account">
<option>Smith</option>
<option>'Smith</option>
@ -160,7 +160,7 @@
</select></td>
<td>
<select name="operator">
<option>or not</option>
<option>or</option>
<option>and</option>
<option>and not</option>
</select>
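Review bot: The query text displayed to the learner in the first hunk, `SELECT * FROM users_data FIRST_NAME = 'John' and Last_NAME = '`, does not match the query the Java side builds in this commit (`SELECT * FROM user_data WHERE first_name = 'John' and last_name = '`): the table is `user_data`, not `users_data`, and the `WHERE` keyword is missing, which makes the shown statement invalid SQL. Assuming this is the added line, it should read `<td>SELECT * FROM user_data WHERE FIRST_NAME = 'John' and LAST_NAME = '</td>` so the form matches what the lesson actually executes.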


@ -28,9 +28,10 @@ SqlStringInjectionHint5-a=Look at the example. There is everything you will need
sql-injection.5a.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.5a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
SqlStringInjectionHint5a1=Remember that for an successful Sql-Injection the query needs to always evaluate to <span style="font-style: italic">true</span>.
sql-injection.5b.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.5b.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
SqlStringInjectionHint5b1=Try to check which of the input fields is susceptible to an injection attack.
SqlStringInjectionHint5b2=Insert: <span style="font-style: italic">0 or 1 = 1</span> into the first input field. The output should tell you if this field is injectable.
SqlStringInjectionHint5b3=The first input field is not susceptible to sql injection.
@ -45,7 +46,7 @@ SqlStringInjectionHint-advanced-6a-1=Remember that when using an UNION each SELE
SqlStringInjectionHint-advanced-6a-2=The data type of a column in the first SELECT statement must have a similar data type to that in the second SELECT statement.
SqlStringInjectionHint-advanced-6a-3=Your new SQL query must end with a comment. eg: --
SqlStringInjectionHint-advanced-6a-4=If a column needs a String you could substitute something like <span style="font-style: italic">'a String'</span> for it. For integers you could substitute a <span style="font-style: italic">1</span>.
SqlStringInjectionHint-advanced-6a-5=Try something like: <span style="font-style: italic">Smith' UNION SELECT userid,user_name, password, 'a', 'b', 'c', 1 from user_system_data --</span>
SqlStringInjectionHint-advanced-6a-5=Try something like: <span style="font-style: italic">Smith' UNION SELECT userid,user_name, password, 'a', 'b', 'c', 1 from user_system_data --</span>
sql-injection.6b.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.6b.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>


@ -27,8 +27,30 @@ Example: Select * from users where name = '+char(27) or 1=1
== Special Statements
Unions allows overlapping of database tables
'Select id, text from news
union all select name, pass from users'
=== Union
Joins allows connecting to other tables
The Union operator is used, to combine the results of two or more SELECT Statements.
Rules to keep in mind, when working with a UNION:
- The number of columns selected in each statement must be the same.
- The datatype of the first column in the first SELECT statement, must match the datatype
of the first column in the second (third, fourth, ...) SELECT Statement. The Same applies to all other columns.
[source]
------
SELECT First_Name from user_system_data UNION SELECT login_count FROM user_data;
------
The UNION ALL Syntax also allows duplicate Values.
=== Joins
The Join operator is used to combine rows from two ore more tables, based on a related column
[source]
-----
SELECT * FROM user_data INNER JOIN user_data_tan ON user_data.userid=user_data_tan.userid;
-----
For more detailed information about JOINS visit: https://www.w3schools.com/sql/sql_join.asp


@ -24,5 +24,8 @@ CREATE TABLE user_system_data (userid int not null primary key,
cookie varchar(30));
-------------------------------------------------------
*6.a)* Retrieve all data from the table by using a UNION (You have to use a union to complete this assignment.) +
*6.b)* When you have figured it out.... What is Dave's password?
*6.a)* Retrieve all data from the table +
*6.b)* When you have figured it out.... What is Dave's password?
Note: There are multiple ways to solve this Assignment. One is by using a UNION, the other by appending
a new SQl statement. Maybe you can find both of them.


@ -3,7 +3,7 @@
The query in the code builds a dynamic query as seen in the previous example. The query is build by concatenating strings making it susceptible to String SQL injection:
------------------------------------------------------------
"select * from users where LOGIN_COUNT > 0 and FIRST_NAME = " + userName + "'";
"select * from user_data where FIRST_NAME = 'John' and LAST_NAME = '" + lastName + "'";
------------------------------------------------------------
Using the form below try to retrieve all the users from the users table. You should not need to know any specific user name to get the complete list.


@ -3,7 +3,7 @@
The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating a number making it susceptible to Numeric SQL injection:
--------------------------------------------------
"select * from users where Login_Count = " + Login_Count + " and USERID = " + UserID;
"select * from user_data where Login_Count = " + Login_Count + " and USERID = " + User_ID;
--------------------------------------------------
Using the two Input Fields below, try to retrieve all the date from the users table.