Fix merge request
@ -0,0 +1,13 @@
|
||||
CREATE TABLE servers(
|
||||
id varchar(10),
|
||||
hostname varchar(20),
|
||||
ip varchar(20),
|
||||
mac varchar(20),
|
||||
status varchar(20),
|
||||
description varchar(40)
|
||||
);
|
||||
INSERT INTO servers VALUES ('1', 'webgoat-dev', '192.168.4.0', 'AA:BB:11:22:CC:DD', 'online', 'Development server');
|
||||
INSERT INTO servers VALUES ('2', 'webgoat-tst', '192.168.2.1', 'EE:FF:33:44:AB:CD', 'online', 'Test server');
|
||||
INSERT INTO servers VALUES ('3', 'webgoat-acc', '192.168.3.3', 'EF:12:FE:34:AA:CC', 'offline', 'Acceptance server');
|
||||
INSERT INTO servers VALUES ('4', 'webgoat-pre-prod', '192.168.6.4', 'EF:12:FE:34:AA:CC', 'offline', 'Pre-production server');
|
||||
INSERT INTO servers VALUES ('4', 'webgoat-prd', '104.130.219.202', 'FA:91:EB:82:DC:73', 'out of order', 'Production server');
|
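Review bot: The last two INSERTs into `servers` (the `webgoat-pre-prod` and `webgoat-prd` rows) both carry id '4', and the DDL cannot reject that because `id varchar(10)` has no key. Unless the duplicate is intentional lesson data, give the production row its own value, `INSERT INTO servers VALUES ('5', 'webgoat-prd', '104.130.219.202', 'FA:91:EB:82:DC:73', 'out of order', 'Production server');`, and declare `id varchar(10) not null primary key` so a repeated id fails at load instead of surfacing later as an ambiguous lookup. The `webgoat-acc` and `webgoat-pre-prod` rows also share the MAC 'EF:12:FE:34:AA:CC'; if that is deliberate, a one-line `-- duplicate MAC on purpose` comment above them would stop the next reader from "fixing" it. Explicit column lists on the INSERTs would make the rows checkable against the DDL without counting commas.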
@ -0,0 +1,24 @@
|
||||
CREATE TABLE user_data(
|
||||
userid int not null,
|
||||
first_name varchar(20),
|
||||
last_name varchar(20),
|
||||
cc_number varchar(30),
|
||||
cc_type varchar(10),
|
||||
cookie varchar(20),
|
||||
login_count int
|
||||
);
|
||||
INSERT INTO user_data VALUES (101,'Joe','Snow','987654321','VISA',' ',0);
|
||||
INSERT INTO user_data VALUES (101,'Joe','Snow','2234200065411','MC',' ',0);
|
||||
INSERT INTO user_data VALUES (102,'John','Smith','2435600002222','MC',' ',0);
|
||||
INSERT INTO user_data VALUES (102,'John','Smith','4352209902222','AMEX',' ',0);
|
||||
INSERT INTO user_data VALUES (103,'Jane','Plane','123456789','MC',' ',0);
|
||||
INSERT INTO user_data VALUES (103,'Jane','Plane','333498703333','AMEX',' ',0);
|
||||
INSERT INTO user_data VALUES (10312,'Jolly','Hershey','176896789','MC',' ',0);
|
||||
INSERT INTO user_data VALUES (10312,'Jolly','Hershey','333300003333','AMEX',' ',0);
|
||||
INSERT INTO user_data VALUES (10323,'Grumpy','youaretheweakestlink','673834489','MC',' ',0);
|
||||
INSERT INTO user_data VALUES (10323,'Grumpy','youaretheweakestlink','33413003333','AMEX',' ',0);
|
||||
INSERT INTO user_data VALUES (15603,'Peter','Sand','123609789','MC',' ',0);
|
||||
INSERT INTO user_data VALUES (15603,'Peter','Sand','338893453333','AMEX',' ',0);
|
||||
INSERT INTO user_data VALUES (15613,'Joesph','Something','33843453533','AMEX',' ',0);
|
||||
INSERT INTO user_data VALUES (15837,'Chaos','Monkey','32849386533','CM',' ',0);
|
||||
INSERT INTO user_data VALUES (19204,'Mr','Goat','33812953533','VISA',' ',0);
|
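Review bot: `user_data` seeds several rows per `userid` (101, 102, 103, 10312, 10323 and 15603 each appear twice), so the `not null` without any key looks intentional, but nothing in the file says so; a comment above the CREATE such as `-- userid repeats: one row per card on file, so deliberately no primary key` would record that. The `cookie` column is seeded with a single space `' '` here, while the `user_system_data` section later in this commit seeds the same kind of column with `''`; pick one sentinel so a later `cookie = ''` or `TRIM(cookie) = ''` check behaves the same across tables. Adding column lists to the INSERTs would also make a future column addition fail loudly rather than shift values.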
@ -0,0 +1,10 @@
|
||||
CREATE TABLE salaries(
|
||||
userid varchar(50),
|
||||
salary int
|
||||
);
|
||||
|
||||
INSERT INTO salaries VALUES ('jsmith', 20000);
|
||||
INSERT INTO salaries VALUES ('lsmith', 45000);
|
||||
INSERT INTO salaries VALUES ('wgoat', 100000);
|
||||
INSERT INTO salaries VALUES ('rjones', 777777);
|
||||
INSERT INTO salaries VALUES ('manderson', 65000);
|
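Review bot: The `salaries.userid` column holds login names ('jsmith', 'wgoat') as `varchar(50)`, whereas `user_data.userid` in this same commit is an `int` and `employees.userid` is a `varchar(6)`, so the three cannot be joined without casts and the shared name suggests a relationship the data does not have. Either rename it to match what it stores, e.g. `user_name varchar(50) not null`, or add a comment stating that it is a login name rather than a key into `user_data`. There is also no key or uniqueness on the column, so a duplicated login would load silently.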
@ -0,0 +1,14 @@
|
||||
CREATE TABLE user_data_tan (
|
||||
userid int not null,
|
||||
first_name varchar(20),
|
||||
last_name varchar(20),
|
||||
cc_number varchar(30),
|
||||
cc_type varchar(10),
|
||||
cookie varchar(20),
|
||||
login_count int,
|
||||
password varchar(20)
|
||||
);
|
||||
|
||||
INSERT INTO user_data_tan VALUES (101,'Joe','Snow','987654321','VISA',' ',0, 'banana');
|
||||
INSERT INTO user_data_tan VALUES (102,'Jane','Plane','74589864','MC',' ',0, 'tarzan');
|
||||
INSERT INTO user_data_tan VALUES (103,'Jack','Sparrow','68659365','MC',' ',0, 'sniffy');
|
@ -0,0 +1,10 @@
|
||||
CREATE TABLE sql_challenge_users(
|
||||
userid varchar(250),
|
||||
email varchar(30),
|
||||
password varchar(30)
|
||||
);
|
||||
|
||||
INSERT INTO sql_challenge_users VALUES ('larry', 'larry@webgoat.org', 'larryknows');
|
||||
INSERT INTO sql_challenge_users VALUES ('tom', 'tom@webgoat.org', 'thisisasecretfortomonly');
|
||||
INSERT INTO sql_challenge_users VALUES ('alice', 'alice@webgoat.org', 'rt*(KJ()LP())$#**');
|
||||
INSERT INTO sql_challenge_users VALUES ('eve', 'eve@webgoat.org', '**********');
|
@ -0,0 +1,12 @@
|
||||
CREATE TABLE user_system_data(
|
||||
userid int not null primary key,
|
||||
user_name varchar(12),
|
||||
password varchar(10),
|
||||
cookie varchar(30)
|
||||
);
|
||||
|
||||
INSERT INTO user_system_data VALUES (101,'jsnow','passwd1', '');
|
||||
INSERT INTO user_system_data VALUES (102,'jdoe','passwd2', '');
|
||||
INSERT INTO user_system_data VALUES (103,'jplane','passwd3', '');
|
||||
INSERT INTO user_system_data VALUES (104,'jeff','jeff', '');
|
||||
INSERT INTO user_system_data VALUES (105,'dave','passW0rD', '');
|
@ -0,0 +1,20 @@
|
||||
CREATE TABLE employees(
|
||||
userid varchar(6) not null primary key,
|
||||
first_name varchar(20),
|
||||
last_name varchar(20),
|
||||
department varchar(20),
|
||||
salary int,
|
||||
auth_tan varchar(6)
|
||||
);
|
||||
|
||||
INSERT INTO employees VALUES ('32147','Paulina', 'Travers', 'Accounting', 46000, 'P45JSI');
|
||||
INSERT INTO employees VALUES ('89762','Tobi', 'Barnett', 'Development', 77000, 'TA9LL1');
|
||||
INSERT INTO employees VALUES ('96134','Bob', 'Franco', 'Marketing', 83700, 'LO9S2V');
|
||||
INSERT INTO employees VALUES ('34477','Abraham ', 'Holman', 'Development', 50000, 'UU2ALK');
|
||||
INSERT INTO employees VALUES ('37648','John', 'Smith', 'Marketing', 64350, '3SL99A');
|
||||
|
||||
CREATE TABLE access_log (
|
||||
id int not null primary key identity,
|
||||
time varchar(50),
|
||||
action varchar(200)
|
||||
);
|
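Review bot: The `employees` row for Holman is inserted with a trailing space in the first name, `'Abraham '`, which will not match an equality lookup on `first_name` and is easy to miss; it should read `'Abraham'`. In `access_log`, the column named `time` is a reserved word in most dialects and is typed `varchar(50)` although it evidently stores an instant, so something like `logged_at timestamp` would avoid both the quoting hazard and string-based time comparisons; the `identity` keyword on `id` is dialect-specific (HSQLDB/SQL Server style) and worth a comment naming the target engine since the other DDL in this commit is otherwise portable.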
@ -116,7 +116,7 @@
|
||||
<input id="preview-input" type="text" name="username" val=""/>
|
||||
<div class="listingblock">
|
||||
<div class="content">
|
||||
<pre>"SELECT * FROM USERS WHERE NAME = '<span id="input-preview" style="font-weight: bold;"></span>'";</pre>
|
||||
<pre>"SELECT * FROM users WHERE name = '<span id="input-preview" style="font-weight: bold;"></span>'";</pre>
|
||||
</div>
|
||||
</div>
|
||||
<script>
|
||||
@ -151,7 +151,7 @@
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<table>
|
||||
<tr>
|
||||
<td>SELECT * FROM USER_DATA WHERE FIRST_NAME = 'John' and LAST_NAME = '</td>
|
||||
<td>SELECT * FROM user_data WHERE first_name = 'John' AND last_name = '</td>
|
||||
<td><select name="account">
|
||||
<option>Smith</option>
|
||||
<option>'Smith</option>
|
||||
|
@ -5,7 +5,7 @@ public static String loadAccount() {
|
||||
// Parser returns only valid string data
|
||||
String accountID = getParser().getStringParameter(ACCT_ID, "");
|
||||
String data = null;
|
||||
String query = "SELECT FIRST_NAME, LAST_NAME, ACCT_ID, BALANCE FROM USER_DATA WHERE ACCT_ID = ?";
|
||||
String query = "SELECT first_name, last_name, acct_id, balance FROM user_data WHERE acct_id = ?";
|
||||
try (Connection connection = null;
|
||||
PreparedStatement statement = connection.prepareStatement(query)) {
|
||||
statement.setString(1, accountID);
|
||||
|
@ -7,7 +7,7 @@ public static bool isUsernameValid(string username) {
|
||||
|
||||
// SqlConnection conn is set and opened elsewhere for brevity.
|
||||
try {
|
||||
string selectString = "SELECT * FROM USER_TABLE WHERE USERNAME = @userID";
|
||||
string selectString = "SELECT * FROM user_table WHERE username = @userID";
|
||||
SqlCommand cmd = new SqlCommand( selectString, conn );
|
||||
if ( isUsernameValid( uid ) ) {
|
||||
cmd.Parameters.Add( "@userID", SqlDbType.VarChar, 16 ).Value = uid;
|
||||
|
@ -6,7 +6,7 @@ Answer: No it does not
|
||||
Let us take a look at the following statement:
|
||||
|
||||
----
|
||||
select * from users order by lastname;
|
||||
SELECT * FROM users ORDER BY lastname;
|
||||
----
|
||||
|
||||
If we look at the specification of the SQL grammar the definition is as follows:
|
||||
@ -34,7 +34,7 @@ This means an `orderExpression` can be a `selectExpression` which can be a funct
|
||||
a `case` statement we might be able to ask the database some questions, like:
|
||||
|
||||
----
|
||||
SELECT * FROM USERS ORDER BY (CASE WHEN (TRUE) THEN LASTNAME ELSE FIRSTNAME)
|
||||
SELECT * FROM users ORDER BY (CASE WHEN (TRUE) THEN lastname ELSE firstname)
|
||||
----
|
||||
|
||||
So we can substitute any kind of boolean operation in the `when(....)` part. The statement will just work because
|
||||
|
@ -5,7 +5,7 @@
|
||||
/* */ are inline comments
|
||||
-- , # are line comments
|
||||
|
||||
Example: SELECT * FROM USERS WHERE NAME = 'admin' --AND pass = 'pass'
|
||||
Example: SELECT * FROM users WHERE name = 'admin' --AND pass = 'pass'
|
||||
----
|
||||
|
||||
|
||||
@ -13,7 +13,7 @@ Example: SELECT * FROM USERS WHERE NAME = 'admin' --AND pass = 'pass'
|
||||
----
|
||||
; allows query chaining
|
||||
|
||||
Example: SELECT * FROM USERS; DROP TABLE USERS;
|
||||
Example: SELECT * FROM users; DROP TABLE users;
|
||||
----
|
||||
|
||||
[source]
|
||||
@ -21,7 +21,7 @@ Example: SELECT * FROM USERS; DROP TABLE USERS;
|
||||
',+,|| allows string concatenation
|
||||
Char() strings without quotes
|
||||
|
||||
Example: SELECT * FROM USERS WHERE NAME = '+char(27) OR 1=1
|
||||
Example: SELECT * FROM users WHERE name = '+char(27) OR 1=1
|
||||
----
|
||||
|
||||
|
||||
@ -39,7 +39,7 @@ of the first column in the second (third, fourth, ...) SELECT Statement. The Sam
|
||||
|
||||
[source]
|
||||
------
|
||||
SELECT FIRST_NAME FROM USER_SYSTEM_DATA UNION SELECT LOGIN_COUNT FROM USER_DATA;
|
||||
SELECT first_name FROM user_system_data UNION SELECT login_count FROM user_data;
|
||||
------
|
||||
|
||||
The UNION ALL Syntax also allows duplicate Values.
|
||||
@ -50,7 +50,7 @@ The Join operator is used to combine rows from two ore more tables, based on a r
|
||||
|
||||
[source]
|
||||
-----
|
||||
SELECT * FROM USER_DATA INNER JOIN USER_DATA_TAN ON USER_DATA.USERID=USER_DATA_TAN.USERID;
|
||||
SELECT * FROM user_data INNER JOIN user_data_tan ON user_data.userid=user_data_tan.userid;
|
||||
-----
|
||||
|
||||
For more detailed information about JOINS visit: https://www.w3schools.com/sql/sql_join.asp
|
@ -23,14 +23,14 @@ suppose we have the following url: `https://my-shop.com?article=4`
|
||||
On the server side this query will be translated as follows:
|
||||
|
||||
----
|
||||
SELECT * FROM ARTICLES WHERE ARTICLE_ID = 4
|
||||
SELECT * FROM articles WHERE article_id = 4
|
||||
----
|
||||
|
||||
When we want to exploit this we change the url into: `https://shop.example.com?article=4 AND 1=1`
|
||||
This will be translated to:
|
||||
|
||||
----
|
||||
SELECT * FROM ARTICLES WHERE ARTICLE_ID = 4 and 1 = 1
|
||||
SELECT * FROM articles WHERE article_id = 4 and 1 = 1
|
||||
----
|
||||
|
||||
If the browser will return the same page as it used to when using `https://shop.example.com?article=4` you know the
|
||||
|
@ -4,16 +4,16 @@ These are the best defense against SQL injection. They either do not have data
|
||||
|
||||
=== Static Queries
|
||||
-------------------------------------------------------
|
||||
SELECT * FROM PRODUCTS;
|
||||
SELECT * FROM products;
|
||||
-------------------------------------------------------
|
||||
|
||||
-------------------------------------------------------
|
||||
SELECT * FROM USERS WHERE USER = "'" + session.getAttribute("UserID") + "'";
|
||||
SELECT * FROM users WHERE user = "'" + session.getAttribute("UserID") + "'";
|
||||
-------------------------------------------------------
|
||||
|
||||
=== Parameterized Queries
|
||||
-------------------------------------------------------
|
||||
String query = "SELECT * FROM USERS WHERE LAST_NAME = ?";
|
||||
String query = "SELECT * FROM users WHERE last_name = ?";
|
||||
PreparedStatement statement = connection.prepareStatement(query);
|
||||
statement.setString(1, accountName);
|
||||
ResultSet results = statement.executeQuery();
|
||||
|
@ -4,9 +4,9 @@
|
||||
-------------------------------------------------------
|
||||
CREATE PROCEDURE ListCustomers(@Country nvarchar(30))
|
||||
AS
|
||||
SELECT CITY, COUNT(*)
|
||||
FROM CUSTOMERS
|
||||
WHERE COUNTRY LIKE @Country GROUP BY CITY
|
||||
SELECT city, COUNT(*)
|
||||
FROM customers
|
||||
WHERE country LIKE @Country GROUP BY city
|
||||
|
||||
|
||||
EXEC ListCustomers ‘USA’
|
||||
@ -17,7 +17,7 @@ EXEC ListCustomers ‘USA’
|
||||
CREATE PROEDURE getUser(@lastName nvarchar(25))
|
||||
AS
|
||||
declare @sql nvarchar(255)
|
||||
set @sql = 'SELECT * FROM USERS WHERE
|
||||
LASTNAME = + @LastName + '
|
||||
set @sql = 'SELECT * FROM users WHERE
|
||||
lastname = + @LastName + '
|
||||
exec sp_executesql @sql
|
||||
-------------------------------------------------------
|
||||
|
@ -12,8 +12,8 @@ RecordSet rs = null;
|
||||
try {
|
||||
pUserName = request.getParameter("UserName");
|
||||
if ( isUsernameValid (pUsername) ) {
|
||||
ps = conn.prepareStatement("SELECT * FROM USER_TABLE
|
||||
WHERE USERNAME = ? ");
|
||||
ps = conn.prepareStatement("SELECT * FROM user_table
|
||||
WHERE username = ? ");
|
||||
ps.setString(1, pUsername);
|
||||
rs = ps.execute();
|
||||
if ( rs.next() ) {
|
||||
|
@ -3,7 +3,7 @@
|
||||
The query in the code builds a dynamic query as seen in the previous example. The query is build by concatenating strings making it susceptible to String SQL injection:
|
||||
|
||||
------------------------------------------------------------
|
||||
"SELECT * FROM USER_DATA WHERE FIRST_NAME = 'John' AND LAST_NAME = '" + lastName + "'";
|
||||
"SELECT * FROM user_data WHERE first_name = 'John' AND last_name = '" + lastName + "'";
|
||||
------------------------------------------------------------
|
||||
|
||||
Using the form below try to retrieve all the users from the users table. You should not need to know any specific user name to get the complete list.
|
||||
|
@ -3,7 +3,7 @@
|
||||
The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating a number making it susceptible to Numeric SQL injection:
|
||||
|
||||
--------------------------------------------------
|
||||
"SELECT * FROM USER_DATA WHERE LOGIN_COUNT = " + Login_Count + " AND USERID = " + User_ID;
|
||||
"SELECT * FROM user_data WHERE login_count = " + Login_Count + " AND userid = " + User_ID;
|
||||
--------------------------------------------------
|
||||
|
||||
Using the two Input Fields below, try to retrieve all the data from the users table.
|
||||
|
@ -12,9 +12,9 @@ If an attacker uses SQL injection of the DML type to manipulate your database, h
|
||||
* DELETE - Delete all records from a database table
|
||||
* Example:
|
||||
** Retrieve data:
|
||||
** SELECT PHONE +
|
||||
FROM EMPLOYEES +
|
||||
WHERE USERID = 96134;
|
||||
** SELECT phone +
|
||||
FROM employees +
|
||||
WHERE userid = 96134;
|
||||
** This statement delivers the phone number of the employee with the userid 96134.
|
||||
|
||||
=== It is your turn!
|
||||
|
@ -3,8 +3,8 @@
|
||||
==== Here are some examples of what a hacker could supply to the input field to perform actions on the database that go further than just reading the data of a single user:
|
||||
|
||||
* `+Smith’ OR '1' = '1+` +
|
||||
results in `+SELECT * FROM USERS WHERE NAME = 'Smith' OR TRUE;+` and that way will return all entries from the users table
|
||||
results in `+SELECT * FROM users WHERE name = 'Smith' OR TRUE;+` and that way will return all entries from the users table
|
||||
* `+Smith’ OR 1 = 1; --+` +
|
||||
results in `+SELECT * FROM USERS WHERE NAME = 'Smith' OR TRUE;--';+` and that way will return all entries from the users table
|
||||
* `+Smith’; DROP TABLE USERS; TRUNCATE AUDIT_LOG; --+` +
|
||||
results in `+SELECT * FROM users WHERE name = 'Smith' OR TRUE;--';+` and that way will return all entries from the users table
|
||||
* `+Smith’; DROP TABLE users; TRUNCATE audit_log; --+` +
|
||||
chains multiple SQL-Commands and deletes the USERS table as well as entries from the audit_log
|
||||
|