Added more hints
committed by
Nanne Baars
parent
6fe7582dfb
commit
26e3803de0
@ -0,0 +1,7 @@
|
||||
.attack-feedback {
|
||||
color: green;
|
||||
}
|
||||
|
||||
.attack-feedback table {
|
||||
color: black;
|
||||
}
|
@ -1,6 +1,7 @@
|
||||
<!DOCTYPE html>
|
||||
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/assignments.css}"/>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:SqlInjection_introduction_plan.adoc"></div>
|
||||
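Review bot: The new `<link rel="stylesheet" ... th:href="@{/lesson_css/assignments.css}"/>` sits directly under `<html>` with no `<head>` (or `<body>`) element around it, which is invalid markup for a `<!DOCTYPE html>` document; browsers will tolerate it, but if this template is meant to be a standalone page the link belongs inside a `<head>` block, and if it is only ever included as a Thymeleaf fragment, the stylesheet should be referenced from the host page's head instead so it is not emitted in the middle of the body.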
@ -25,7 +26,7 @@
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:SqlInjection_introduction_content5_before.adoc"></div>
|
||||
<div>
|
||||
<label for="username-preview">Username:</label>
|
||||
<label for="preview-input">Username:</label>
|
||||
<input id="preview-input" type="text" name="username" val=""/>
|
||||
<div class="listingblock">
|
||||
<div class="content">
|
||||
|
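Review bot: The `<input id="preview-input" type="text" name="username" val=""/>` line carries `val=""`, which is not an HTML attribute and has no effect; it should read `value=""` (or be dropped entirely, since an empty value is the default). Changing the label's `for` from `username-preview` to `preview-input` correctly matches the input's `id`, so the label now activates the field as intended.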
@ -53,4 +53,11 @@ SqlStringInjectionHint9-3=Make use of DML to change your salary.
|
||||
SqlStringInjectionHint9-4=Make sure that the resulting query is syntactically correct.
|
||||
SqlStringInjectionHint9-5=How about something like '; UPDATE employees....
|
||||
|
||||
sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data.
|
||||
sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data.
|
||||
|
||||
SqlStringInjectionHint10-1=Use the techniques that you have learned before.
|
||||
SqlStringInjectionHint10-2=The application takes your input and filters for entries that are LIKE it.
|
||||
SqlStringInjectionHint10-3=Try query chaining to reach the goal.
|
||||
SqlStringInjectionHint10-4=The DDL allows you to delete (DROP) database tables.
|
||||
SqlStringInjectionHint10-5=The underlying sql query looks like that: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'".
|
||||
SqlStringInjectionHint10-6=Remember that you can use the -- metacharacter to comment out the rest of the line.
|
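Review bot: The `sql-injection.10.success=...` line appears twice with identical visible text, so the change is presumably whitespace or line-ending only; please confirm that is intended rather than an accidental re-save. The same block mixes two key naming conventions (`sql-injection.10.success` versus `SqlStringInjectionHint10-1`), which makes the messages harder to find by key; pick one scheme for new entries. Minor wording: `SqlStringInjectionHint10-5` should say "looks like this" rather than "looks like that".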
@ -1,7 +1,7 @@
|
||||
== Compromising Integrity with Query Chaining
|
||||
After compromising the confidentiality of data in the previous lesson, this time we are gonna compromise the integrity of data by using a SQL query chaining.
|
||||
|
||||
== What is SQL query chaining?
|
||||
=== What is SQL query chaining?
|
||||
Query chaining is exactly what it sounds like. When query chaining, you try to append one or more queries to the end of the actual query.
|
||||
You can do this by using the *;* metacharacter which marks the end of a query and that way allows to start another one right after it within the same line.
|
||||
|
||||
|
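Review bot: The heading demotion from `==` to `===` is correct, since "What is SQL query chaining?" is a subsection of "Compromising Integrity with Query Chaining". While touching this file, the surrounding prose has a few grammar slips worth fixing in the same change: "we are gonna compromise" should be "we are going to compromise", "by using a SQL query chaining" should drop the article ("by using SQL query chaining"), and "allows to start another one" needs an object ("allows you to start another one").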
@ -2,7 +2,7 @@
|
||||
|
||||
This lesson describes what is Structured Query Language (SQL) and how it can be manipulated to perform tasks that were not the original intent of the developer.
|
||||
|
||||
== Goals
|
||||
=== Goals
|
||||
|
||||
* The user will have a basic understanding of how SQL works and what it is used for
|
||||
* The user will have a basic understanding of what SQL-Injections are and how they work
|
||||
|
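Review bot: The `== Goals` to `=== Goals` demotion matches the heading change made in the query-chaining document, keeping the lesson plan consistent. The unchanged intro sentence above it reads "describes what is Structured Query Language (SQL)"; the natural word order is "describes what Structured Query Language (SQL) is", and "SQL-Injections" in the second goal is normally written "SQL injections" without the hyphen.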