First wave is complete; some rendering issues
@ -57,8 +57,9 @@
<table>
<tr>
<td>Account Name:</td>
<td><input name="answer" value="" type="TEXT" /></td>
<td></td>
<td><input name="account" value="" type="TEXT" /></td>
<td><input
name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
</tr>
</table>
</form>
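Review bot: the empty `<td></td>` left between the label and the `account` input shifts the submit button one cell to the right; if the `answer` input is the line being removed, drop the empty cell with it so the row keeps three cells. Two smaller points on the same row: the submit button carries `name="Get Account Info"`, so on a native submission its name/value pair is posted alongside `account` (give it a short name or omit `name`), and `type="TEXT"` / `type="SUBMIT"` should be lowercase to match the rest of the lesson markup.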
@ -87,7 +88,9 @@
<table>
<tr>
<td>Name:</td>
<td><input name="answer" value="" type="TEXT" /></td>
<td><input name="userid" value="" type="TEXT" /></td>
<td><input
name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
<td></td>
</tr>
</table>
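Review bot: the row shows both an `answer` and a `userid` text input; only one of them can match the parameter the attack endpoint binds, so confirm the `answer` line is the one being removed and that the controller for this page reads `userid`, otherwise the lesson silently posts an unused field. The trailing `<td></td>` after the button is empty and can go.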
@ -106,6 +109,65 @@
<div class="adoc-content" th:replace="doc:SqlInjection_content6.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:SqlInjection_content6a.adoc"></div>
<div class="attack-container">
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<div id="lessonContent">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SqlInjection/attack6a"
enctype="application/json;charset=UTF-8">
<table>
<tr>
<td>Name:</td>
<td><input name="userid_6a" value="" type="TEXT" /></td>
<td><input
name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
<td></td>
</tr>
</table>
</form>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div>
<div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div>
<div class="attack-container">
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<div id="lessonContent">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SqlInjection/attack6b"
enctype="application/json;charset=UTF-8">
<table>
<tr>
<td>Password:</td>
<td><input name="userid_6b" value="" type="TEXT" /></td>
<td><input
name="Check Dave's Password:" value="Check Password" type="SUBMIT"/></td>
<td></td>
</tr>
</table>
</form>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div>
<div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div>

</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
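Review bot: both new `attack-container` blocks declare `<div id="lessonContent">`, which duplicates an id already used once per page and makes `getElementById` return only the first one; use a class or suffix the ids (`lessonContent6a`, `lessonContent6b`). The forms also rely on attributes a browser will not honour natively: `accept-charset="UNKNOWN"` is not a charset label and `enctype="application/json;charset=UTF-8"` is not a supported form enctype (native submission falls back to `application/x-www-form-urlencoded`), so they only work because the `attack-form` class routes the post through WebGoat's AJAX handler; set `accept-charset="UTF-8"` and drop the JSON enctype. Lesser points: both forms reuse `name="form"`, the 6b row is labelled `Password:` but its input is `userid_6b`, the 6b submit button's `name="Check Dave's Password:"` contains an apostrophe and a colon, and the three explanatory comments are copied verbatim into each block and could live once above the two containers.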
@ -1,23 +1,26 @@
== Example of SQL Injection

=== Dynamic query in application

==== Potential String Injection
-------------------------------------------------------
"select * from users where name = ‘" + userName + "'";
-------------------------------------------------------

==== Potential Numeric Injection
-------------------------------------------------------

"select * from users where employee_id = " + userID;
-------------------------------------------------------

=== Attacker supplies unexpected text
* userName = [red]#Smith’ or ‘1’=‘1#
* userName =[red]#‘ or 1=1 --#
* userName = [red]#Smith' or '1'='1#
* userName =[red]#' or 1=1 --#
* userID = [red]#1234567 or 1=1#
* UserName = [red]#Smith’;drop table users; truncate audit_log;--#

=== Application executes query
* select * from users where name = [red]#‘Smith’ or ‘1’ = ‘1’#
** select * from users where name = [red]#‘Smith’ or TRUE#
* select * from users where name = [red]#'Smith' or '1' = '1'#
** select * from users where name = [red]#'Smith' or TRUE#
* select * from users where employee_id = 1234567 or 1=1
* *All records are returned from database*

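Review bot: the string-injection code line still opens the literal with a curly quote (`‘"`) and closes it with a straight one (`'`), so the concatenation as printed yields `‘Smith'` and does not match the straight-quote payloads introduced in this hunk; replace the `‘` with `'` there, and in the `drop table users` bullet, which still reads `Smith’`. Once that is done the two curly-quote bullets and their matching "Application executes query" lines are redundant with their straight-quote replacements and should be the ones removed.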
@ -1,6 +1,7 @@
== Try It! String SQL Injection

The query in the code builds a dynamic query as seen in the previous example. The query in the code looks like:
The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating strings making it susceptible to String SQL injection:

-------------------------------------------------------
"select * from users where name = ‘" + userName + "'";
-------------------------------------------------------
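Review bot: the replacement sentence says "The query in the code builds a dynamic query" twice; one clause is enough, for example "The code builds a dynamic query by concatenating strings, which makes it susceptible to string SQL injection:". The code block has the same mismatched `‘"` opening quote as in `SqlInjection_content2.adoc` and should be fixed in both places together so the example matches the payload the learner is expected to type.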
@ -1,6 +1,7 @@
== Try It! Numeric SQL Injection

The query in the code builds a dynamic query as seen in the previous example. The query in the code looks like:
The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating a number making it susceptible to Numeric SQL injection:

-------------------------------------------------------
"select * from users where employee_id = " + userID;
-------------------------------------------------------
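Review bot: "concatenating a number" understates the defect the lesson is teaching; `userID` is concatenated unquoted, so whatever text the user supplies becomes part of the SQL statement, which is exactly why the `1234567 or 1=1` payload in the example page needs no quote at all. Say "concatenating the unvalidated userID value directly into the statement" and, as in the string page, drop the repeated "The query in the code builds a dynamic query" clause.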
@ -0,0 +1,14 @@
== Try It! Pulling data from other tables

Lets try to exploit a join to another table. One of the tables in the WebGoat database is:

-------------------------------------------------------
CREATE TABLE user_system_data (userid varchar(5) not null primary key,
user_name varchar(12),
password varchar(10),
cookie varchar(30));
-------------------------------------------------------

Execute a query to union or join these tables. When you have figured it out.... What is Dave's password?

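Review bot: "Lets" should be "Let's", and "figured it out...." should end with a single ellipsis or a comma. The schema shown stores `password varchar(10)` in clear text, which is what makes the join/union exercise reveal a usable credential; a one-line remark that real systems must store only salted hashes would keep the lesson from presenting the weak schema as normal.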