From 29447a11b4e5188b79e9fd5c8793b43528a42431 Mon Sep 17 00:00:00 2001
From: mayhew64
Date: Wed, 16 Nov 2016 13:41:51 -0500
Subject: [PATCH] First wave is complete; some rendering issues

---
 .../org/owasp/webgoat/lessons/Assignment.java | 10 +-
 .../webgoat/session/DatabaseUtilities.java | 6 +-
 .../org/owasp/webgoat/session/WebSession.java | 4 +-
 .../webgoat/plugin/SqlInjectionLesson5a.java | 26 +-
 .../webgoat/plugin/SqlInjectionLesson5b.java | 234 ++++++++++++++++++
 .../webgoat/plugin/SqlInjectionLesson6a.java | 232 +++++++++++++++++
 .../webgoat/plugin/SqlInjectionLesson6b.java | 105 ++++++++
 .../SqlInjection/html/SqlInjection.html | 68 ++++-
 .../lessonPlans/en/SqlInjection_content5.adoc | 11 +-
 .../en/SqlInjection_content5a.adoc | 3 +-
 .../en/SqlInjection_content5b.adoc | 3 +-
 .../en/SqlInjection_content6a.adoc | 14 ++
 12 files changed, 687 insertions(+), 29 deletions(-)
 create mode 100644 webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5b.java
 create mode 100644 webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java
 create mode 100644 webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java
 create mode 100644 webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content6a.adoc

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java
index 0ee355f67..0189a7884 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java
@@ -44,9 +44,10 @@ public abstract class Assignment extends Endpoint { @Autowired private UserTracker userTracker; @Autowired - private WebSession webSession; + private WebSession webSession; - //// TODO: 11/13/2016 events better fit? + + //// TODO: 11/13/2016 events better fit? protected AttackResult trackProgress(AttackResult attackResult) { if (attackResult.assignmentSolved()) { userTracker.assignmentSolved(webSession.getCurrentLesson(), this); @@ -55,5 +56,10 @@ public abstract class Assignment extends Endpoint { } return attackResult; } + + protected WebSession getWebSession() { + return webSession; + } + } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java index 23c1ba2dd..4692528b4 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java @@ -44,8 +44,6 @@ public class DatabaseUtilities private static Map connections = new HashMap(); private static Map dbBuilt = new HashMap(); - @Autowired - private static WebSession webSession; /** *
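Review bot: The new `getWebSession()` accessor in the second hunk has no Javadoc, and in the visible code the field it exposes is otherwise used only by `trackProgress`, so a lesson author cannot tell what it is for. I would add `/** The current user's session; lessons pass it to {@code DatabaseUtilities.getConnection(WebSession)} to obtain their per-user database connection. */` above it. The stale `//// TODO: 11/13/2016 events better fit?` is removed and re-added verbatim in the first hunk; either act on it or drop it. Both hunks sit inside `Assignment`, whose class header is outside the hunk lines, and `trackProgress` is split across the two hunks.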

getConnection.

@@ -54,9 +52,9 @@ public class DatabaseUtilities
      * @return a {@link java.sql.Connection} object.
      * @throws java.sql.SQLException if any.
      */
-    public static Connection getConnection() throws SQLException
+    public static Connection getConnection(WebSession s) throws SQLException
     {
-        return getConnection(webSession.getUserName(), webSession.getWebgoatContext());
+        return getConnection(s.getUserName(), s.getWebgoatContext());
     }
 
     /**
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
index 8a4c657df..858610b4a 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
@@ -62,8 +62,8 @@ public class WebSession {
      * @return a {@link java.sql.Connection} object.
      * @throws java.sql.SQLException if any.
      */
-    public static synchronized Connection getConnection() throws SQLException {
-        return DatabaseUtilities.getConnection();
+    public static synchronized Connection getConnection(WebSession s) throws SQLException {
+        return DatabaseUtilities.getConnection(s);
     }
 
     /**
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5a.java
index f47a95276..f4dea9384 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5a.java
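Review bot: `getConnection(WebSession s)` dereferences `s` twice with no guard, so a lesson that reaches it with a null session — presumably what happened with the static `@Autowired` field this replaces, since Spring does not inject static fields — fails with a bare NullPointerException inside `DatabaseUtilities` rather than at the caller. Add `Objects.requireNonNull(s, "WebSession must not be null");` as the first statement so the failure names the missing session. The two-argument `getConnection(String, WebgoatContext)` this delegates to, and the raw `connections`/`dbBuilt` HashMaps it presumably consults, are outside this hunk.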
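Review bot: `WebSession.getConnection(WebSession s)` is now a static synchronized method on WebSession that takes a WebSession, which reads oddly and means every connection lookup for every user contends on the `WebSession.class` monitor while `DatabaseUtilities.getConnection` runs. Since it is a one-line delegate, an instance method `public Connection getConnection() throws SQLException { return DatabaseUtilities.getConnection(this); }` says the same thing without the parameter; if the class-wide lock was guarding the static `connections` map in `DatabaseUtilities`, that lock belongs next to the map, not on this wrapper. No caller of this wrapper is visible in the diff — the new lessons call `DatabaseUtilities.getConnection(getWebSession())` directly — so it may be dead code now.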
@@ -53,9 +53,8 @@ import org.springframework.web.bind.annotation.ResponseBody; public class SqlInjectionLesson5a extends Assignment { @RequestMapping(method = RequestMethod.POST) - public @ResponseBody AttackResult completed(@RequestParam String answer, HttpServletRequest request) throws IOException { -System.out.println("answer:" + answer); - return injectableQuery(answer); + public @ResponseBody AttackResult completed(@RequestParam String account, HttpServletRequest request) throws IOException { + return injectableQuery(account); } @Override @@ -64,12 +63,11 @@ System.out.println("answer:" + answer); } - protected AttackResult injectableQuery(String accountName) { try { - Connection connection = DatabaseUtilities.getConnection(); + Connection connection = DatabaseUtilities.getConnection(getWebSession()); String query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; try @@ -91,7 +89,7 @@ System.out.println("answer:" + answer); { return trackProgress(AttackResult.success("You have succeed: " + output.toString())); } else { - return trackProgress(AttackResult.failed("You are close, try again. ")); + return trackProgress(AttackResult.failed("You are close, try again. " + output.toString())); } } @@ -99,15 +97,16 @@ System.out.println("answer:" + answer); { return trackProgress(AttackResult.failed("No Results Matched. Try Again. ")); -// output.append(getLabelManager().get("NoResultsMatched")); } } catch (SQLException sqle) { + return trackProgress(AttackResult.failed(sqle.getMessage())); } } catch (Exception e) { - return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName())); + e.printStackTrace(); + return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName() + " : " + e.getMessage())); } } @@ -117,6 +116,7 @@ System.out.println("answer:" + answer); int numColumns = resultsMetaData.getColumnCount(); results.beforeFirst(); StringBuffer t = new StringBuffer(); + t.append("
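Review bot: The new `catch (SQLException sqle)` branch in the `@@ -99,15 +97,16 @@` hunk returns `sqle.getMessage()` to the client, and the outer handler now appends `e.getMessage()` too; in this deliberately injectable lesson the verbose database error is presumably part of the exercise, but nothing says so and the next maintainer will "fix" it — add `// Deliberately returns the raw DB error: error-based injection is part of the lesson.` above that return. The added `e.printStackTrace()` should be a logger call, and `"ErrorGenerating" + this.getClass().getName()` runs the two words together without a separator. These hunks are all inside `injectableQuery`, which continues past the hunk.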

"); if (results.next()) { @@ -126,7 +126,7 @@ System.out.println("answer:" + answer); t.append(", "); } - t.append(System.getProperty("line.separator")); + t.append("
"); results.beforeFirst(); while (results.next()) @@ -138,15 +138,17 @@ System.out.println("answer:" + answer); t.append(", "); } - t.append(System.getProperty("line.separator")); + t.append("
"); } - return (t.toString()); } else { - return ("Query Successful; however no data was returned from this query."); + t.append ("Query Successful; however no data was returned from this query."); } + + t.append("

");
+        return (t.toString());
     }
 //
 // protected Element parameterizedQuery(WebSession s)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5b.java
new file mode 100644
index 000000000..74da2f4b5
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5b.java
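Review bot: `writeTable` now wraps its output in markup (the tag text between the `t.append("` calls did not survive extraction here) but still appends `resultsMetaData.getColumnName(i)` and `results.getString(i)` raw; because the lesson lets the user shape the result set through injection, a payload that UNIONs in a string containing a `<script>` tag lands in the page unescaped if the front end inserts the `AttackResult` text as HTML. Escape each cell before appending (`&`, `<`, `>`, `"`), e.g. via a small private `htmlEscape(String)` helper, or have the client render the output as text. The signature and the top of `writeTable` are outside this hunk.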
@@ -0,0 +1,234 @@ +package org.owasp.webgoat.plugin; + + + +import java.io.IOException; +import java.sql.Connection; +import java.sql.ResultSet; +import java.sql.ResultSetMetaData; +import java.sql.SQLException; +import java.sql.Statement; + +import javax.servlet.http.HttpServletRequest; + +import org.owasp.webgoat.lessons.Assignment; +import org.owasp.webgoat.lessons.model.AttackResult; +import org.owasp.webgoat.session.DatabaseUtilities; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; + + + +/*************************************************************************************************** + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. 
+ * + * For details, please see http://webgoat.github.io + * + * @author Bruce Mayhew WebGoat + * @created October 28, 2003 + */ +public class SqlInjectionLesson5b extends Assignment { + + @RequestMapping(method = RequestMethod.POST) + public @ResponseBody AttackResult completed(@RequestParam String userid, HttpServletRequest request) throws IOException { + return injectableQuery(userid); + + } + + @Override + public String getPath() { + return "/SqlInjection/attack5b"; + } + + + + protected AttackResult injectableQuery(String accountName) + { + try + { + Connection connection = DatabaseUtilities.getConnection(getWebSession()); + String query = "SELECT * FROM user_data WHERE userid = " + accountName; + + try + { + Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery(query); + + if ((results != null) && (results.first() == true)) + { + ResultSetMetaData resultsMetaData = results.getMetaData(); + StringBuffer output = new StringBuffer(); + + output.append(writeTable(results, resultsMetaData)); + results.last(); + + // If they get back more than one user they succeeded + if (results.getRow() >= 6) + { + return trackProgress(AttackResult.success("You have succeed: " + output.toString())); + } else { + return trackProgress(AttackResult.failed("You are close, try again. " + output.toString())); + } + + } + else + { + return trackProgress(AttackResult.failed("No Results Matched. Try Again. 
")); + +// output.append(getLabelManager().get("NoResultsMatched")); + } + } catch (SQLException sqle) + { + + return trackProgress(AttackResult.failed(sqle.getMessage())); + } + } catch (Exception e) + { + e.printStackTrace(); + return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName() + " : " + e.getMessage())); + } + } + + public String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException, + SQLException + { + int numColumns = resultsMetaData.getColumnCount(); + results.beforeFirst(); + StringBuffer t = new StringBuffer(); + t.append("

"); + + if (results.next()) + { + for (int i = 1; i < (numColumns + 1); i++) + { + t.append(resultsMetaData.getColumnName(i)); + t.append(", "); + } + + t.append("
"); + results.beforeFirst(); + + while (results.next()) + { + + for (int i = 1; i < (numColumns + 1); i++) + { + t.append(results.getString(i)); + t.append(", "); + } + + t.append("
"); + } + + } + else + { + t.append ("Query Successful; however no data was returned from this query."); + } + + t.append("

"); + return (t.toString()); + } +// +// protected Element parameterizedQuery(WebSession s) +// { +// ElementContainer ec = new ElementContainer(); +// +// ec.addElement(getLabelManager().get("StringSqlInjectionSecondStage")); +// if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart")) +// { +// getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1"); +// return (injectableQuery(s)); +// } +// +// ec.addElement(new BR()); +// +// try +// { +// Connection connection = DatabaseUtilities.getConnection(s); +// +// ec.addElement(makeAccountLine(s)); +// +// String query = "SELECT * FROM user_data WHERE last_name = ?"; +// ec.addElement(new PRE(query)); +// +// try +// { +// PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, +// ResultSet.CONCUR_READ_ONLY); +// statement.setString(1, accountName); +// ResultSet results = statement.executeQuery(); +// +// if ((results != null) && (results.first() == true)) +// { +// ResultSetMetaData resultsMetaData = results.getMetaData(); +// ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData)); +// results.last(); +// +// // If they get back more than one user they succeeded +// if (results.getRow() >= 6) +// { +// makeSuccess(s); +// } +// } +// else +// { +// ec.addElement(getLabelManager().get("NoResultsMatched")); +// } +// } catch (SQLException sqle) +// { +// ec.addElement(new P().addElement(sqle.getMessage())); +// } +// } catch (Exception e) +// { +// s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName()); +// e.printStackTrace(); +// } +// +// return (ec); +// } +// +// protected Element makeAccountLine(WebSession s) +// { +// ElementContainer ec = new ElementContainer(); +// ec.addElement(new P().addElement(getLabelManager().get("EnterLastName"))); +// +// accountName = s.getParser().getRawParameter(ACCT_NAME, "Your Name"); +// Input input = new Input(Input.TEXT, ACCT_NAME, accountName.toString()); +// 
ec.addElement(input); +// +// Element b = ECSFactory.makeButton(getLabelManager().get("Go!")); +// ec.addElement(b); +// +// return ec; +// +// } + + + +} diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java new file mode 100644 index 000000000..8430b0101 --- /dev/null +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java 
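Review bot: `injectableQuery` in this new file creates a `Statement` and a `ResultSet` and never closes either, so every attempt on `/SqlInjection/attack5b` leaks a statement on what appears to be a cached per-user connection (the `connections` map in `DatabaseUtilities`), and the same pattern is copied into 5a and 6a; wrap both in try-with-resources as below, leaving the connection itself alone. `writeTable` is a verbatim copy of the one in 5a and 6a and the commented-out legacy code even refers to a `DatabaseUtilities.writeTable` — one shared helper would keep the three lessons in step. The roughly eighty lines of commented-out `parameterizedQuery`/`makeAccountLine` should be deleted rather than committed, and the header's `2002 - 20014` is a typo.
```java
    protected AttackResult injectableQuery(String accountName)
    {
        try
        {
            Connection connection = DatabaseUtilities.getConnection(getWebSession());
            // Intentionally injectable: this is the numeric SQL injection lesson.
            String query = "SELECT * FROM user_data WHERE userid = " + accountName;

            try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
                                                                  ResultSet.CONCUR_READ_ONLY);
                 ResultSet results = statement.executeQuery(query))
            {
                // … unchanged: writeTable call, row-count success check, "No Results Matched" branch …
            } catch (SQLException sqle)
            {
                return trackProgress(AttackResult.failed(sqle.getMessage()));
            }
        } catch (Exception e)
        {
            // … unchanged: stack trace and "ErrorGenerating" result …
        }
    }
```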
@@ -0,0 +1,232 @@ + +package org.owasp.webgoat.plugin; + +import java.io.IOException; +import java.sql.Connection; +import java.sql.ResultSet; +import java.sql.ResultSetMetaData; +import java.sql.SQLException; +import java.sql.Statement; + +import javax.servlet.http.HttpServletRequest; + +import org.owasp.webgoat.lessons.Assignment; +import org.owasp.webgoat.lessons.model.AttackResult; +import org.owasp.webgoat.session.DatabaseUtilities; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; + + + +/*************************************************************************************************** + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. 
+ * + * For details, please see http://webgoat.github.io + * + * @author Bruce Mayhew WebGoat + * @created October 28, 2003 + */ +public class SqlInjectionLesson6a extends Assignment { + + @RequestMapping(method = RequestMethod.POST) + public @ResponseBody AttackResult completed(@RequestParam String userid_6a, HttpServletRequest request) throws IOException { + return injectableQuery(userid_6a); + // The answer: Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- + + } + + @Override + public String getPath() { + return "/SqlInjection/attack6a"; + } + + + protected AttackResult injectableQuery(String accountName) + { + try + { + Connection connection = DatabaseUtilities.getConnection(getWebSession()); + String query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; + + try + { + Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery(query); + + if ((results != null) && (results.first() == true)) + { + ResultSetMetaData resultsMetaData = results.getMetaData(); + StringBuffer output = new StringBuffer(); + + output.append(writeTable(results, resultsMetaData)); + results.last(); + + // If they get back more than one user they succeeded + if (results.getRow() >= 6) + { + return trackProgress(AttackResult.success("You have succeed: " + output.toString())); + } else { + return trackProgress(AttackResult.failed("You are close, try again. " + output.toString())); + } + + } + else + { + return trackProgress(AttackResult.failed("No Results Matched. Try Again. 
")); + + } + } catch (SQLException sqle) + { + + return trackProgress(AttackResult.failed(sqle.getMessage())); + } + } catch (Exception e) + { + e.printStackTrace(); + return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName() + " : " + e.getMessage())); + } + } + + public String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException, + SQLException + { + int numColumns = resultsMetaData.getColumnCount(); + results.beforeFirst(); + StringBuffer t = new StringBuffer(); + t.append("

"); + + if (results.next()) + { + for (int i = 1; i < (numColumns + 1); i++) + { + t.append(resultsMetaData.getColumnName(i)); + t.append(", "); + } + + t.append("
"); + results.beforeFirst(); + + while (results.next()) + { + + for (int i = 1; i < (numColumns + 1); i++) + { + t.append(results.getString(i)); + t.append(", "); + } + + t.append("
"); + } + + } + else + { + t.append ("Query Successful; however no data was returned from this query."); + } + + t.append("

"); + return (t.toString()); + } +// +// protected Element parameterizedQuery(WebSession s) +// { +// ElementContainer ec = new ElementContainer(); +// +// ec.addElement(getLabelManager().get("StringSqlInjectionSecondStage")); +// if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart")) +// { +// getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1"); +// return (injectableQuery(s)); +// } +// +// ec.addElement(new BR()); +// +// try +// { +// Connection connection = DatabaseUtilities.getConnection(s); +// +// ec.addElement(makeAccountLine(s)); +// +// String query = "SELECT * FROM user_data WHERE last_name = ?"; +// ec.addElement(new PRE(query)); +// +// try +// { +// PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, +// ResultSet.CONCUR_READ_ONLY); +// statement.setString(1, accountName); +// ResultSet results = statement.executeQuery(); +// +// if ((results != null) && (results.first() == true)) +// { +// ResultSetMetaData resultsMetaData = results.getMetaData(); +// ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData)); +// results.last(); +// +// // If they get back more than one user they succeeded +// if (results.getRow() >= 6) +// { +// makeSuccess(s); +// } +// } +// else +// { +// ec.addElement(getLabelManager().get("NoResultsMatched")); +// } +// } catch (SQLException sqle) +// { +// ec.addElement(new P().addElement(sqle.getMessage())); +// } +// } catch (Exception e) +// { +// s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName()); +// e.printStackTrace(); +// } +// +// return (ec); +// } +// +// protected Element makeAccountLine(WebSession s) +// { +// ElementContainer ec = new ElementContainer(); +// ec.addElement(new P().addElement(getLabelManager().get("EnterLastName"))); +// +// accountName = s.getParser().getRawParameter(ACCT_NAME, "Your Name"); +// Input input = new Input(Input.TEXT, ACCT_NAME, accountName.toString()); +// 
ec.addElement(input); +// +// Element b = ECSFactory.makeButton(getLabelManager().get("Go!")); +// ec.addElement(b); +// +// return ec; +// +// } + + + +} diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java new file mode 100644 index 000000000..2e57cb3d8 --- /dev/null +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java 
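Review bot: The success check in `injectableQuery` is `results.getRow() >= 6`, the same row-count test as lesson 5a, so the 5a answer `' or '1'='1` also solves this lesson without ever touching `user_system_data`, which is what content6a.adoc asks for; the threshold presumably reflects the size of `user_data` and says nothing about a UNION. Check instead for something only the other table can supply, e.g. scan the rows for a value from `user_system_data` (Dave's password as fetched by 6b's query, or the `cookie` column values) before calling `AttackResult.success`. The comment `// The answer: Smith' union select ...` ships the solution inside the lesson class; move it to the solution docs or a test. `writeTable` is again a verbatim copy of 5a's and renders cells unescaped.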
@@ -0,0 +1,105 @@ + +package org.owasp.webgoat.plugin; + +import java.io.IOException; +import java.sql.Connection; +import java.sql.ResultSet; +import java.sql.ResultSetMetaData; +import java.sql.SQLException; +import java.sql.Statement; + +import javax.servlet.http.HttpServletRequest; + +import org.owasp.webgoat.lessons.Assignment; +import org.owasp.webgoat.lessons.model.AttackResult; +import org.owasp.webgoat.session.DatabaseUtilities; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; + + + +/*************************************************************************************************** + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. 
+ * + * For details, please see http://webgoat.github.io + * + * @author Bruce Mayhew WebGoat + * @created October 28, 2003 + */ +public class SqlInjectionLesson6b extends Assignment { + + @RequestMapping(method = RequestMethod.POST) + public @ResponseBody AttackResult completed(@RequestParam String userid_6b, HttpServletRequest request) throws IOException { + if (!userid_6b.toString().equals(getPassword())) { + return trackProgress(AttackResult.success()); + } else { + return trackProgress(AttackResult.failed("You are close, try again")); + } + + } + + @Override + public String getPath() { + return "/SqlInjection/attack6b"; + } + + + protected String getPassword() + { + + String password="dave"; + try + { + Connection connection = DatabaseUtilities.getConnection(getWebSession()); + String query = "SELECT password FROM user_system_data WHERE user_name = 'dave'"; + + try + { + Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery(query); + + if ((results != null) && (results.first() == true)) + { + password = results.getNString("password"); + } + } catch (SQLException sqle) + { + sqle.printStackTrace(); + // do nothing + } + } catch (Exception e) + { + e.printStackTrace(); + // do nothing + } + System.out.println("Password: " + password); + return (password); + } + + +} diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/html/SqlInjection.html b/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/html/SqlInjection.html index cc1b46cb4..aff5d2a71 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/html/SqlInjection.html +++ b/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/html/SqlInjection.html @@ -57,8 +57,9 @@ - - + +
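Review bot: The success test in `completed` is inverted: `if (!userid_6b.toString().equals(getPassword()))` returns `AttackResult.success()` for every input except Dave's actual password and fails only the correct answer, unless the lesson intends the opposite of what content6a.adoc asks. Drop the `!` and the redundant `.toString()` on a String: `if (userid_6b.equals(getPassword())) {`. `getPassword()` also prints the recovered secret with `System.out.println("Password: " + password)` — remove that — and on any SQLException it silently falls back to the literal `"dave"`, so a broken database turns the check into a comparison against a made-up value; surface the error (return null and fail the attempt) instead. `getNString` is fine only if the JDBC driver supports NCHAR access; `getString` is the safer call for a plain varchar column.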
Account Name:
@@ -87,7 +88,9 @@ - + +
Name:
@@ -106,6 +109,65 @@
+ + +
+
+ +
+ + + +
+ + + + + + + +
Name:
+
+
+ +
+
+ +
+
+ +
+ + + +
+ + + + + + + +
Password:
+
+
+ +
+
+ +
+ +
+
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5.adoc b/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5.adoc index 217c14c04..49279b6d2 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5.adoc @@ -1,23 +1,26 @@ == Example of SQL Injection === Dynamic query in application + +==== Potential String Injection ------------------------------------------------------- "select * from users where name = ‘" + userName + "'"; ------------------------------------------------------- +==== Potential Numeric Injection ------------------------------------------------------- "select * from users where employee_id = " + userID; ------------------------------------------------------- === Attacker supplies unexpected text -* userName = [red]#Smith’ or ‘1’=‘1# -* userName =[red]#‘ or 1=1 --# +* userName = [red]#Smith' or '1'='1# +* userName =[red]#' or 1=1 --# * userID = [red]#1234567 or 1=1# * UserName = [red]#Smith’;drop table users; truncate audit_log;--# === Application executes query -* select * from users where name = [red]#‘Smith’ or ‘1’ = ‘1’# -** select * from users where name = [red]#‘Smith’ or TRUE# +* select * from users where name = [red]#'Smith' or '1' = '1'# +** select * from users where name = [red]#'Smith' or TRUE# * select * from users where employee_id = 1234567 or 1=1 * *All records are returned from database* diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5a.adoc b/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5a.adoc index f47627c38..1784a0b15 100644 
--- a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5a.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5a.adoc @@ -1,6 +1,7 @@ == Try It! String SQL Injection -The query in the code builds a dynamic query as seen in the previous example. The query in the code looks like: +The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating strings making it susceptible to String SQL injection: + ------------------------------------------------------- "select * from users where name = ‘" + userName + "'"; ------------------------------------------------------- diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5b.adoc b/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5b.adoc index c2cdd900c..48ba3bee0 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5b.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content5b.adoc @@ -1,6 +1,7 @@ == Try It! Numeric SQL Injection -The query in the code builds a dynamic query as seen in the previous example. The query in the code looks like: +The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating a number making it susceptible to Numeric SQL injection: + ------------------------------------------------------- "select * from users where employee_id = " + userID; ------------------------------------------------------- 
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content6a.adoc b/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content6a.adoc new file mode 100644 index 000000000..8819dc211 --- /dev/null +++ b/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content6a.adoc @@ -0,0 +1,14 @@ +== Try It! Pulling data from other tables + +Lets try to exploit a join to another table. One of the tables in the WebGoat database is: + +------------------------------------------------------- +CREATE TABLE user_system_data (userid varchar(5) not null primary key, + user_name varchar(12), + password varchar(10), + cookie varchar(30)); +------------------------------------------------------- + +Execute a query to union or join these tables. When you have figured it out.... What is Dave's password? + +