dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Nbaars/1886 (#1932)

Browse Source 
* improved code readbility

* chore: format code

---------

Co-authored-by: guilherme peixoto <peixoto-guilherme7@hotmail.com>
This commit is contained in:
Nanne Baars 2024-10-26 22:18:28 +02:00 committed by GitHub
parent 7e294fbdb5
commit 3f049ba53a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 59 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
View File

@ -22,7 +22,11 @@
package org.owasp.webgoat.lessons.sqlinjection.advanced; package org.owasp.webgoat.lessons.sqlinjection.advanced;
import java.sql.*; import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.sql.Statement;
import org.owasp.webgoat.container.LessonDataSource; import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;
@ -62,55 +66,66 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
public AttackResult injectableQuery(String accountName) { public AttackResult injectableQuery(String accountName) {
String query = ""; String query = "";
try (Connection connection = dataSource.getConnection()) { try (Connection connection = dataSource.getConnection()) {
boolean usedUnion = true; boolean usedUnion = this.unionQueryChecker(accountName);
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'"; query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
// Check if Union is used
if (!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) {
usedUnion = false;
}
try (Statement statement =
connection.createStatement(
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {
ResultSet results = statement.executeQuery(query);
if ((results != null) && results.first()) { return executeSqlInjection(connection, query, usedUnion);
ResultSetMetaData resultsMetaData = results.getMetaData();
StringBuilder output = new StringBuilder();
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
String appendingWhenSucceded;
if (usedUnion)
appendingWhenSucceded =
"Well done! Can you also figure out a solution, by appending a new SQL Statement?";
else
appendingWhenSucceded =
"Well done! Can you also figure out a solution, by using a UNION?";
results.last();
if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
output.append(appendingWhenSucceded);
return success(this)
.feedback("sql-injection.advanced.6a.success")
.feedbackArgs(output.toString())
.output(" Your query was: " + query)
.build();
} else {
return failed(this).output(output.toString() + YOUR_QUERY_WAS + query).build();
}
} else {
return failed(this)
.feedback("sql-injection.advanced.6a.no.results")
.output(YOUR_QUERY_WAS + query)
.build();
}
} catch (SQLException sqle) {
return failed(this).output(sqle.getMessage() + YOUR_QUERY_WAS + query).build();
}
} catch (Exception e) { } catch (Exception e) {
return failed(this) return failed(this)
.output(this.getClass().getName() + " : " + e.getMessage() + YOUR_QUERY_WAS + query) .output(this.getClass().getName() + " : " + e.getMessage() + YOUR_QUERY_WAS + query)
.build(); .build();
} }
} }
private boolean unionQueryChecker(String accountName) {
return accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)");
}
private AttackResult executeSqlInjection(Connection connection, String query, boolean usedUnion) {
try (Statement statement =
connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {
ResultSet results = statement.executeQuery(query);
if (!((results != null) && results.first())) {
return failed(this)
.feedback("sql-injection.advanced.6a.no.results")
.output(YOUR_QUERY_WAS + query)
.build();
}
ResultSetMetaData resultsMetaData = results.getMetaData();
StringBuilder output = new StringBuilder();
String appendingWhenSucceded = this.appendSuccededMessage(usedUnion);
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
results.last();
return verifySqlInjection(output, appendingWhenSucceded, query);
} catch (SQLException sqle) {
return failed(this).output(sqle.getMessage() + YOUR_QUERY_WAS + query).build();
}
}
private String appendSuccededMessage(boolean isUsedUnion) {
String appendingWhenSucceded = "Well done! Can you also figure out a solution, by ";
appendingWhenSucceded += isUsedUnion ? "appending a new SQL Statement?" : "using a UNION?";
return appendingWhenSucceded;
}
private AttackResult verifySqlInjection(
StringBuilder output, String appendingWhenSucceded, String query) {
if (!(output.toString().contains("dave") && output.toString().contains("passW0rD"))) {
return failed(this).output(output.toString() + YOUR_QUERY_WAS + query).build();
}
output.append(appendingWhenSucceded);
return success(this)
.feedback("sql-injection.advanced.6a.success")
.feedbackArgs(output.toString())
.output(" Your query was: " + query)
.build();
}
} }