implemented assignment 2 & 3 of sql injection lession

2018-11-09 21:15:35 +01:00 · 2018-11-09 21:15:35 +01:00 · 295b5a4772
commit 295b5a4772
parent 2ee3b22207
5 changed files with 307 additions and 29 deletions
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java
@ -0,0 +1,88 @@
+
+package org.owasp.webgoat.plugin.introduction;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.io.IOException;
+import java.sql.*;
+
+
+/***************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ * For details, please see http://webgoat.github.io
+ *
+ * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
+ * @created October 28, 2003
+ */
+@AssignmentPath("/SqlInjection/attack2")
+@AssignmentHints(value = {"SqlStringInjectionHint2a1", "SqlStringInjectionHint2a2"})
+public class SqlInjectionLesson2 extends AssignmentEndpoint {
+
+    @RequestMapping(method = RequestMethod.POST)
+    public
+    @ResponseBody
+    AttackResult completed(@RequestParam String query) {
+        return injectableQuery(query);
+    }
+
+    protected AttackResult injectableQuery(String _query) {
+        try {
+            Connection connection = DatabaseUtilities.getConnection(getWebSession());
+            String query = _query;
+
+            try {
+                Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+                        ResultSet.CONCUR_READ_ONLY);
+                ResultSet results = statement.executeQuery(_query);
+                StringBuffer output = new StringBuffer();
+
+                results.first();
+                output.append(results);
+                // user completes lesson if department is "Marketing"
+                if (results.getString("department").equals("Marketing")) {
+                    output.append(SqlInjectionLesson8.generateTable(results, results.getMetaData()));
+                    return trackProgress(success().feedbackArgs(output.toString()).build());
+                } else {
+                    return trackProgress(failed().output(output.toString()).build());
+                }
+
+            } catch (SQLException sqle) {
+
+                return trackProgress(failed().output(sqle.getMessage()).build());
+            }
+        } catch (Exception e) {
+            return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
+        }
+    }
+}
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java
@ -0,0 +1,92 @@
+
+package org.owasp.webgoat.plugin.introduction;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.io.IOException;
+import java.sql.*;
+
+
+/***************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ * For details, please see http://webgoat.github.io
+ *
+ * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
+ * @created October 28, 2003
+ */
+@AssignmentPath("/SqlInjection/attack3")
+@AssignmentHints(value = {"SqlStringInjectionHint3a1", "SqlStringInjectionHint3a2"})
+public class SqlInjectionLesson3 extends AssignmentEndpoint {
+
+    @RequestMapping(method = RequestMethod.POST)
+    public
+    @ResponseBody
+    AttackResult completed(@RequestParam String query) {
+        return injectableQuery(query);
+    }
+
+    protected AttackResult injectableQuery(String _query) {
+        try {
+            Connection connection = DatabaseUtilities.getConnection(getWebSession());
+            String query = _query;
+
+            try {
+                Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+                        ResultSet.CONCUR_READ_ONLY);
+                Statement check_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+                        ResultSet.CONCUR_READ_ONLY);
+                statement.executeUpdate(_query);
+                ResultSet _results = check_statement.executeQuery("SELECT department from employees where last_name='Barnett';");
+
+                StringBuffer output = new StringBuffer();
+
+                _results.first();
+                output.append(_results);
+                // user completes lesson if the department of Tobi Barnett now is 'Sales'
+                if (_results.getString("department").equals("Sales")) {
+                    output.append(SqlInjectionLesson8.generateTable(_results, _results.getMetaData()));
+                    return trackProgress(success().feedbackArgs(output.toString()).build());
+                } else {
+                    return trackProgress(failed().output(output.toString()).build());
+                }
+
+            } catch (SQLException sqle) {
+
+                return trackProgress(failed().output(sqle.getMessage()).build());
+            }
+        } catch (Exception e) {
+            return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
+        }
+    }
+}
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson4.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson4.java
@ -0,0 +1,5 @@
+package org.owasp.webgoat.plugin.introduction;
+
+public class SqlInjectionLesson4 {
+
+}
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
@ -3,30 +3,116 @@
 <html xmlns:th="http://www.thymeleaf.org">
 <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/assignments.css}"/>

+<!--Page 1-->
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_plan.adoc"></div>
 </div>

+<!--Page 2-->
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content1.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/SqlInjection/attack2"
+              enctype="application/json;charset=UTF-8"
+              autocomplete="off">
+            <table>
+                <tr>
+                    <td><label>SQL query</label></td>
+                    <td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
+                </tr>
+                <tr>
+                    <td><button type="SUBMIT">Submit</button></td>
+                </tr>
+            </table>
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
 </div>

+<!--Page 3-->
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content2.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/SqlInjection/attack3"
+              enctype="application/json;charset=UTF-8"
+              autocomplete="off">
+            <table>
+                <tr>
+                    <td><label>SQL query</label></td>
+                    <td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
+                </tr>
+                <tr>
+                    <td><button type="SUBMIT">Submit</button></td>
+                </tr>
+            </table>
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
 </div>

+<!--Page 4-->
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content3.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/SqlInjection/attack"
+              enctype="application/json;charset=UTF-8"
+              autocomplete="off">
+            <table>
+                <tr>
+                    <td><label>SQL query</label></td>
+                    <td><input name="name" value="" type="TEXT" placeholder="SQL query"/></td>
+                </tr>
+                <tr>
+                    <td><button type="SUBMIT">Submit</button></td>
+                </tr>
+            </table>
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
 </div>

+<!--Page 5-->
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content4.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/SqlInjection/attack"
+              enctype="application/json;charset=UTF-8"
+              autocomplete="off">
+            <table>
+                <tr>
+                    <td><label>SQL query</label></td>
+                    <td><input name="name" value="" type="TEXT" placeholder="SQL query"/></td>
+                </tr>
+                <tr>
+                    <td><button type="SUBMIT">Submit</button></td>
+                </tr>
+            </table>
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
 </div>

+<!--Page 6-->
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content5_before.adoc"></div>
    <div>
-        <label for="preview-input">Username:</label>
+        <label for="username-preview">Username:</label>
        <input id="preview-input" type="text" name="username" val=""/>
        <div class="listingblock">
            <div class="content">
@ -44,14 +130,17 @@
    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content5_after.adoc"></div>
 </div>

+<!--Page 7-->
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content6.adoc"></div>
 </div>

+<!--Page 8-->
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content7.adoc"></div>
 </div>

+<!--Page 9-->
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content11.adoc"></div>
    <div class="attack-container">
@ -153,6 +242,7 @@
    </div>
 </div>

+<!--Page 10-->
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content9.adoc"></div>
    <div class="attack-container">
@ -181,6 +271,7 @@
    </div>
 </div>

+<!--Page 11-->
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content10.adoc"></div>

--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@ -12,6 +12,7 @@ SqlInjectionChallenge3=Use tooling to automate this attack
 sql-injection.error=<span class='feedback-negative'>Sorry, this solution is not correct. Try again!</span>

 NoResultsMatched=No results matched. Try Again.
+
 SqlInjectionChallengeHint1=The Table Name is randomized at each start of Webgoat, try to figure out the name first.
 SqlInjectionChallengeHint2=Find the Field which is vulnerable to SQL Injection use that to change the password.
 SqlInjectionChallengeHint3=Change the password through an Update Statement.
@ -24,6 +25,15 @@ SqlStringInjectionHint6a1=Try Appending stuff like ",1" to your query, to figure
 SqlStringInjectionHint6a2=When using a UNION the number of columns, from both tables should match.
 SqlStringInjectionHint6a3=The UNION should contain 7  columns.
 SqlStringInjectionHint6a4=Try using these columns in your union: userid, user_name, password, cookie, cookie, cookie, userid.
+
+SqlStringInjectionHint2a1=You want the data from the column with the name department. You know the database name (employees) and you know the first- and lastname of the employee (first_name, last_name).
+SqlStringInjectionHint2a2=SELECT column FROM tablename WHERE condition;
+SqlStringInjectionHint3a1=Try the UPDATE statement
+SqlStringInjectionHint3a2=UPDATE tablename SET columnname=value WHERE condition;
+SqlStringInjectionHint6=Try Appending a new SQL Statement to the Query.
+SqlStringInjectionHint7=The new SQL Statement can be really simple like: SELECT ... FROM ...
+SqlStringInjectionHint8=Your new SQL Query should start, with a " ; " and end with " -- "
+
 SqlStringInjectionHint9=Try sorting and look at the request
 SqlStringInjectionHint10=Intercept the request and try to specify a different order by
 SqlStringInjectionHint10a1=First establish a connection, after that you can create a statement.
@ -46,34 +56,26 @@ sql-injection.6a.no.results=No results matched. Try Again.
 sql-injection.6b.success=You have succeeded: {0}
 sql-injection.6b.no.results=No results matched. Try Again.

+sql-injection.8.success=You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done! {0}
+sql-injection.8.no.results=No employee found with matching lastname. Or maybe your authentication TAN is incorrect?
+sql-injection.9.success=Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary! {0}
+sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data.

-sql-injection.8.success=<span class='feedback-positive'>You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done!</span>
-sql-injection.8.no.results=<span class='feedback-negative'>No employee found with matching lastname. Or maybe your authentication TAN is incorrect?</span>
-sql-injection.8.one=<span class='feedback-negative'>That's only one account. You want them all! Try again.</span>
+SqlStringInjectionHint8-1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command.
+SqlStringInjectionHint8-2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR.
+SqlStringInjectionHint8-3=Try appending a SQL statement that always resolves to true.
+SqlStringInjectionHint8-4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct.
+SqlStringInjectionHint8-5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1.

-SqlStringInjectionHint.8.1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command.
-SqlStringInjectionHint.8.2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR.
-SqlStringInjectionHint.8.3=Try appending a SQL statement that always resolves to true.
-SqlStringInjectionHint.8.4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct.
-SqlStringInjectionHint.8.5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1.
+SqlStringInjectionHint9-1=Try to find a way, to chain another query to the end of the existing one.
+SqlStringInjectionHint9-2=Use the ; metacharacter to do so.
+SqlStringInjectionHint9-3=Make use of DML to change your salary.
+SqlStringInjectionHint9-4=Make sure that the resulting query is syntactically correct.
+SqlStringInjectionHint9-5=How about something like '; UPDATE employees....

-
-sql-injection.9.success=<span class='feedback-positive'>Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary!</span>
-sql-injection.9.one=<span class='feedback-negative'>Still not earning enough! Better try again and change that.</span>
-
-SqlStringInjectionHint.9.1=Try to find a way, to chain another query to the end of the existing one.
-SqlStringInjectionHint.9.2=Use the ; metacharacter to do so.
-SqlStringInjectionHint.9.3=Make use of DML to change your salary.
-SqlStringInjectionHint.9.4=Make sure that the resulting query is syntactically correct.
-SqlStringInjectionHint.9.5=How about something like '; UPDATE employees....
-
-
-sql-injection.10.success=<span class='feedback-positive'>Success! You successfully deleted the access_log table and that way compromised the availability of the data.</span>
-sql-injection.10.entries=<span class='feedback-negative'>There's still evidence of what you did. Better remove the whole table.</span>
-
-SqlStringInjectionHint.10.1=Use the techniques that you have learned before.
-SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it.
-SqlStringInjectionHint.10.3=Try query chaining to reach the goal.
-SqlStringInjectionHint.10.4=The DDL allows you to delete (DROP) database tables.
-SqlStringInjectionHint.10.5=The underlying sql query looks like that: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'".
-SqlStringInjectionHint.10.6=Remember that you can use the -- metacharacter to comment out the rest of the line.
+SqlStringInjectionHint10-1=Use the techniques that you have learned before.
+SqlStringInjectionHint10-2=The application takes your input and filters for entries that are LIKE it.
+SqlStringInjectionHint10-3=Try query chaining to reach the goal.
+SqlStringInjectionHint10-4=The DDL allows you to delete (DROP) database tables.
+SqlStringInjectionHint10-5=The underlying sql query looks like that: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'".
+SqlStringInjectionHint10-6=Remember that you can use the -- metacharacter to comment out the rest of the line.