Implemented some feedback

Tobias-Melzer
2019-02-04 22:45:56 +01:00
committed by Nanne Baars
parent 53c16c8b82
commit 256c0d05aa
9 changed files with 73 additions and 44 deletions

View File

@ -151,7 +151,7 @@
enctype="application/json;charset=UTF-8">
<table>
<tr>
<td>SELECT * FROM users WHERE LOGIN_COUNT > 0 and FIRST_NAME = '</td>
<td>SELECT * FROM users_data FIRST_NAME = 'John' and Last_NAME = '</td>
<td><select name="account">
<option>Smith</option>
<option>'Smith</option>
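Review bot: the replacement query text in the first table cell has no WHERE keyword (it reads "SELECT * FROM users_data FIRST_NAME = 'John' and Last_NAME = '"), so the statement shown to the learner is not valid SQL. It also names the table users_data, while the lesson text changed in this same commit builds the query against user_data. Suggest "SELECT * FROM user_data WHERE FIRST_NAME = 'John' and LAST_NAME = '" so the form and the explanation show the same statement.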
@ -160,7 +160,7 @@
</select></td>
<td>
<select name="operator">
<option>or not</option>
<option>or</option>
<option>and</option>
<option>and not</option>
</select>

View File

@ -28,9 +28,10 @@ SqlStringInjectionHint5-a=Look at the example. There is everything you will need
sql-injection.5a.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.5a.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
SqlStringInjectionHint5a1=Remember that for an successful Sql-Injection the query needs to always evaluate to <span style="font-style: italic">true</span>.
sql-injection.5b.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.5b.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
SqlStringInjectionHint5b1=Try to check which of the input fields is susceptible to an injection attack.
SqlStringInjectionHint5b2=Insert: <span style="font-style: italic">0 or 1 = 1</span> into the first input field. The output should tell you if this field is injectable.
SqlStringInjectionHint5b3=The first input field is not susceptible to sql injection.
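Review bot: the user-facing hint SqlStringInjectionHint5a1 reads "for an successful Sql-Injection", which should be "a successful SQL injection". The 5b hints in the same block write "sql injection", so the spelling should be made consistent across these strings. Hints 5b2 and 5b3 refer to "the first input field"; naming the field by its label would be less ambiguous than relying on its position in the form.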
@ -45,7 +46,7 @@ SqlStringInjectionHint-advanced-6a-1=Remember that when using an UNION each SELE
SqlStringInjectionHint-advanced-6a-2=The data type of a column in the first SELECT statement must have a similar data type to that in the second SELECT statement.
SqlStringInjectionHint-advanced-6a-3=Your new SQL query must end with a comment. eg: --
SqlStringInjectionHint-advanced-6a-4=If a column needs a String you could substitute something like <span style="font-style: italic">'a String'</span> for it. For integers you could substitute a <span style="font-style: italic">1</span>.
SqlStringInjectionHint-advanced-6a-5=Try something like: <span style="font-style: italic">Smith' UNION SELECT userid,user_name, password, 'a', 'b', 'c', 1 from user_system_data --</span>
SqlStringInjectionHint-advanced-6a-5=Try something like: <span style="font-style: italic">Smith' UNION SELECT userid,user_name, password, 'a', 'b', 'c', 1 from user_system_data --</span>
sql-injection.6b.success=<span class='feedback-positive'>You have succeeded: {0}</span>
sql-injection.6b.no.results=<span class='feedback-negative'>No results matched. Try Again.</span>
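Review bot: the SqlStringInjectionHint-advanced-6a-5 entry appears twice in this hunk with identical visible text, so the change looks whitespace-only. Please confirm that only one entry with this key remains in the file, because a repeated key in a properties file is resolved silently in favour of the later one. Minor: in 6a-3, "eg:" should be "e.g.".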

View File

@ -27,8 +27,30 @@ Example: Select * from users where name = '+char(27) or 1=1
== Special Statements
Unions allows overlapping of database tables
'Select id, text from news
union all select name, pass from users'
=== Union
Joins allows connecting to other tables
The Union operator is used, to combine the results of two or more SELECT Statements.
Rules to keep in mind, when working with a UNION:
- The number of columns selected in each statement must be the same.
- The datatype of the first column in the first SELECT statement, must match the datatype
of the first column in the second (third, fourth, ...) SELECT Statement. The Same applies to all other columns.
[source]
------
SELECT First_Name from user_system_data UNION SELECT login_count FROM user_data;
------
The UNION ALL Syntax also allows duplicate Values.
=== Joins
The Join operator is used to combine rows from two ore more tables, based on a related column
[source]
-----
SELECT * FROM user_data INNER JOIN user_data_tan ON user_data.userid=user_data_tan.userid;
-----
For more detailed information about JOINS visit: https://www.w3schools.com/sql/sql_join.asp
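Review bot: the UNION example contradicts the rule stated two lines above it. "SELECT First_Name from user_system_data UNION SELECT login_count FROM user_data;" pairs a name column with a count column, so the data types do not match, and First_Name is used elsewhere in this commit as a column of user_data, not user_system_data. Suggest an example whose two SELECTs return columns of the same type from the tables that actually hold them. Wording: "is used, to combine" and "must be the same." need the stray commas and capitals tidied, "two ore more" should be "two or more", and the sentence "The UNION ALL Syntax also allows duplicate Values." would be clearer if it said that plain UNION removes duplicates.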

View File

@ -24,5 +24,8 @@ CREATE TABLE user_system_data (userid int not null primary key,
cookie varchar(30));
-------------------------------------------------------
*6.a)* Retrieve all data from the table by using a UNION (You have to use a union to complete this assignment.) +
*6.b)* When you have figured it out.... What is Dave's password?
*6.a)* Retrieve all data from the table +
*6.b)* When you have figured it out.... What is Dave's password?
Note: There are multiple ways to solve this Assignment. One is by using a UNION, the other by appending
a new SQl statement. Maybe you can find both of them.
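Review bot: the added note points learners at a second solution (appending a new SQL statement), but the 6a hints visible in this commit only guide toward UNION, so a learner who takes the second path gets no matching hint. Either add a hint for that path or say in the note that the hints cover the UNION approach only. Also "SQl" should be "SQL" and "Assignment" does not need a capital.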

View File

@ -3,7 +3,7 @@
The query in the code builds a dynamic query as seen in the previous example. The query is build by concatenating strings making it susceptible to String SQL injection:
------------------------------------------------------------
"select * from users where LOGIN_COUNT > 0 and FIRST_NAME = " + userName + "'";
"select * from user_data where FIRST_NAME = 'John' and LAST_NAME = '" + lastName + "'";
------------------------------------------------------------
Using the form below try to retrieve all the users from the users table. You should not need to know any specific user name to get the complete list.
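Review bot: the closing sentence still asks the learner to retrieve all the users "from the users table", while the query in the listing now reads from user_data. Update the prose to name user_data so the instruction matches the statement above it. In the first line, "The query is build" should be "The query is built".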

View File

@ -3,7 +3,7 @@
The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating a number making it susceptible to Numeric SQL injection:
--------------------------------------------------
"select * from users where Login_Count = " + Login_Count + " and USERID = " + UserID;
"select * from user_data where Login_Count = " + Login_Count + " and USERID = " + User_ID;
--------------------------------------------------
Using the two Input Fields below, try to retrieve all the date from the users table.
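Review bot: the last line says "retrieve all the date from the users table"; "date" should be "data", and the table is now user_data in the listing above it. The opening paragraph also repeats itself ("The query in the code builds a dynamic query" appears twice in a row) and can be collapsed into one sentence. The listing now concatenates User_ID beside Login_Count; check that both names match the variables in the lesson's Java code so the snippet is not misleading.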