From 2fdf8232597fa9477904e7f920cfcf69df48a863 Mon Sep 17 00:00:00 2001 From: "sherif.fathy" Date: Sun, 31 Dec 2006 07:35:58 +0000 Subject: [PATCH] Changed BackDoors lessons to be a little bit clearer, added more hints. git-svn-id: http://webgoat.googlecode.com/svn/trunk@58 4033779f-a91e-0410-96ef-6bf7bf53c507 --- .../org/owasp/webgoat/lessons/BackDoors.java | 46 +++++++++++++++---- .../owasp/webgoat/lessons/HttpSplitting.java | 13 ++---- .../WebContent/lesson_plans/BackDoors.html | 1 + 3 files changed, 42 insertions(+), 18 deletions(-) diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java index 203d5ec35..c41dfa9f2 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java @@ -3,6 +3,7 @@ package org.owasp.webgoat.lessons; import java.sql.Connection; import java.sql.ResultSet; import java.sql.SQLException; +import java.util.ArrayList; import java.util.List; import java.sql.Statement; @@ -15,6 +16,9 @@ import org.apache.ecs.html.Span; import org.apache.ecs.html.Div; import org.apache.ecs.html.Input; import org.apache.ecs.html.BR; +import org.apache.ecs.html.TD; +import org.apache.ecs.html.TR; +import org.apache.ecs.html.Table; import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.WebSession; @@ -23,7 +27,7 @@ public class BackDoors extends LessonAdapter { private static Connection connection = null; private final static Integer DEFAULT_RANKING = new Integer(80); private final static String USERNAME = "username"; - + private final static String SELECT_ST = "select userid, password, ssn, salary from employee where userid="; protected Element createContent( WebSession s ) { return super.createStagedContent(s); 
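Review bot: The new constant `SELECT_ST` is a bare SQL prefix that the lesson body concatenates with raw request input, and nothing at the declaration says that this is the point of the exercise; a later contributor tidying the class could "fix" it to a PreparedStatement and silently break the lesson. Add a why-comment on the added line, e.g. `// Deliberately assembled by string concatenation: this lesson teaches SQL injection (see createContent).` The class body continues past the end of this hunk.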
@@ -51,17 +55,36 @@ public class BackDoors extends LessonAdapter { String userInput = s.getParser().getRawParameter(USERNAME, ""); if (!userInput.equals("")) { + userInput = SELECT_ST + userInput; String[] arrSQL = userInput.split(";"); + Connection conn = getConnection(s); + Statement statement = conn.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); if (arrSQL.length == 2) { - Connection conn = getConnection(s); - Statement statement = conn.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); statement.executeUpdate( arrSQL[1] ); - makeSuccess(s); getLessonTracker(s).setStage(2); s.setMessage("You have succeeded in exploiting the vulnerable query and created another SQL statement. Now move to stage 2 to learn how to create a backdoor or a DB worm"); } + + ResultSet rs = statement.executeQuery( arrSQL[0]); + if (rs.next()) + { + Table t = new Table( 0 ).setCellSpacing( 0 ).setCellPadding( 0 ).setBorder( 1 ); + TR tr = new TR(); + tr.addElement( new TD("User ID")); + tr.addElement( new TD("Password")); + tr.addElement( new TD("SSN")); + tr.addElement( new TD("Salary")); + t.addElement(tr); + tr = new TR(); + tr.addElement( new TD(rs.getString("userid"))); + tr.addElement( new TD(rs.getString("password"))); + tr.addElement( new TD(rs.getString("ssn"))); + tr.addElement( new TD(rs.getString("salary"))); + t.addElement(tr); + ec.addElement(t); + } } } catch(Exception ex) 
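Review bot: The `Statement` created on the new `conn.createStatement(...)` line and the `ResultSet` returned by the new `executeQuery` call are never closed, and since the commit hoisted statement creation out of the `arrSQL.length == 2` branch, every submission that reaches this code now leaks a statement on the shared static connection until the driver reclaims it. The enclosing `try` opens and the method ends outside this hunk, so the cleanup belongs in a `finally` wrapped directly around the statement use, as sketched below (closing the statement also closes its result set). The concatenation and `executeUpdate` of the user's text are the lesson's intended vulnerability and are not what this note is about.
```java
Connection conn = getConnection(s);
Statement statement = conn.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
try
{
    // … unchanged: executeUpdate branch, executeQuery and result table …
}
finally
{
    statement.close();
}
```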
@@ -105,8 +128,8 @@ public class BackDoors extends LessonAdapter { instructions = "Stage " + getStage(s) + ": Use String SQL Injection to execute more than one SQL Statement. "; instructions = instructions + " The first stage of this lesson is to teach you how to use a vulnerable field to create two SQL "; instructions = instructions + " statements. The first is the system's while the second is totally yours."; - instructions = instructions + " Try to enter something in the email field and it will get updated in the rectangle below,"; - instructions = instructions + " to see the actual SQL statement that will be executed. Try to execute an update statement"; + instructions = instructions + " Your account ID is 101. This page allows you to see your password, ssn and salary."; + instructions = instructions + " Try to inject another update to update salary to something higher"; break; case 2: instructions = "Stage " + getStage(s) + ": Use String SQL Injection to inject a backdoor. " ; @@ -137,7 +160,7 @@ public class BackDoors extends LessonAdapter { script.append( "" ); ec.addElement( new StringElement(script.toString())); - ec.addElement( new StringElement( "Username: " ) ) ; + ec.addElement( new StringElement( "User ID: " ) ) ; Input username = new Input( Input.TEXT, "username", "" ); ec.addElement( username ); @@ -147,7 +170,7 @@ public class BackDoors extends LessonAdapter { ec.addElement(new BR()); String formattedInput = "" + userInput + ""; - ec.addElement( new Div("select userid, ssn, salary from employee where login=" + formattedInput )); + ec.addElement( new Div(SELECT_ST + formattedInput )); Input b = new Input(); 
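Review bot: The new instruction text calls the value an "account ID", while the label hunk below renders `User ID: `, the `getHints` hunk in this file says "user id", and the lesson-plan hunk says "login ID"; all four refer to the same `userid` column, so one term should be used throughout, e.g. `instructions = instructions + " Your user ID is 101. This page allows you to see your password, SSN and salary.";`. The following added line also reads awkwardly; `instructions = instructions + " Try to inject a second statement that updates your salary to a higher value.";` says the same thing more clearly. These strings are built inside a `switch` whose enclosing method starts and ends outside the hunk.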
@@ -176,7 +199,12 @@ public class BackDoors extends LessonAdapter { } protected List getHints() { - return super.getHints(); + List hints = new ArrayList(); + hints.add( "Your user id is 101. Use it to see your information" ); + hints.add( "A semi-colon usually ends a SQL statement and starts a new one." ); + hints.add( "Try this 101; update employee set salary=100000" ); + hints.add( "For stage 2, Try 101; CREATE TRIGGER myBackDoor BEFORE INSERT ON customers FOR EACH ROW BEGIN UPDATE customers SET email='john@hackme.com'WHERE userid = NEW.userid"); + return hints; } protected Category getDefaultCategory() diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java index 39d09df5f..e04eb26e0 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java @@ -79,11 +79,7 @@ public class HttpSplitting extends LessonAdapter { out.print(message); out.flush(); out.close(); - - //we gotta set it manually here so that we don't throw an exception - getLessonTracker(s).setCompleted(true); - - //makeSuccess( s ); + getLessonTracker(s).setStage(2); StringBuffer msg = new StringBuffer(); @@ -128,11 +124,11 @@ public class HttpSplitting extends LessonAdapter { if (getLessonTracker(s).getStage() == 1) { - ec.addElement( new H3( "Stage 1: HTTP Splitting:
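Review bot: The fourth hint added in `getHints` is missing a space between `'john@hackme.com'` and `WHERE`, so the text shown to the learner is not a well-formed statement; insert the space. The lesson plan in this same commit states that the database engine does not support triggers, so that hint would be clearer if it said the statement is expected to fail and is shown only to illustrate the technique. The list is also built with raw `List`/`ArrayList`; if the project targets Java 5 or later, `List<String> hints = new ArrayList<String>();` avoids the unchecked warning, though the target level cannot be confirmed from this hunk.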
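Review bot: The replacement line `getLessonTracker(s).setStage(2);` in HttpSplitting drops the comment that explained why the tracker was being updated by hand at this point rather than through the usual success path, and the new line gives no reason of its own. A short why-comment should survive, e.g. `// advance to stage 2 here; the response stream is already closed above, so the usual completion path is not used` — adjust to the actual reason, which the removed comment only hinted at and which cannot be confirmed from this hunk because the enclosing method starts before it.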
" ) ); + ec.addElement( new H3( "Stage 1: HTTP Splitting:

" ) ); } else { - ec.addElement( new H3( "Stage 2: Cache Poisoning:
" ) ); + ec.addElement( new H3( "Stage 2: Cache Poisoning:

" ) ); } ec.addElement( new StringElement( "Search by country : " ) ); @@ -155,7 +151,7 @@ public class HttpSplitting extends LessonAdapter { try { - ec.addElement("Now that you have successfully performed an HTTP Splitting, now try to poison" + + s.setMessage("Now that you have successfully performed an HTTP Splitting, now try to poison" + " the victim's cache using. Type 'restart' in the input field if you wish to " + " to return to the HTTP Splitting lesson.

"); if ( s.getParser().getRawParameter( LANGUAGE, "YOUR_NAME" ).equals("restart")) @@ -182,7 +178,6 @@ public class HttpSplitting extends LessonAdapter { if (sdf.parse(dateStr.trim()).after(cal.getTime())) { makeSuccess(s); - getLessonTracker(s).setStage(2); } } } diff --git a/ webgoat/main/project/WebContent/lesson_plans/BackDoors.html b/ webgoat/main/project/WebContent/lesson_plans/BackDoors.html index 1547c9100..aaa8d439a 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/BackDoors.html +++ b/ webgoat/main/project/WebContent/lesson_plans/BackDoors.html @@ -18,4 +18,5 @@ can create a trigger that would set his email address instead of every new user' * Your goal should be to learn how you can exploit a vulnerable query to create a trigger.
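Review bot: The message assembled by the new `s.setMessage(` line reads "…try to poison the victim's cache using. Type 'restart' in the input field if you wish to  to return…" — "using." dangles and "to" is doubled across the concatenation with the unchanged continuation lines. Since only the first fragment is new, the smallest fix is to rewrite it as `s.setMessage("Now that you have successfully performed HTTP Splitting, try to poison" +` and to end the next fragment at `" the victim's cache. Type 'restart' in the input field if you wish"` so the third fragment's `" to return to the HTTP Splitting lesson."` follows naturally. The `try` block this sits in begins inside the hunk but the enclosing method runs past it.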
* You will not be able to actually create one in this lesson because the underlying database engine used with WebGoat doesn't support triggers.
+* Your login ID is 101.