Fixed Double Hints in SqlInjection Advanced Challenge
					committed by
					
						 Nanne Baars
						parent
						
							5fa11a1b4b
					commit
					43504b9a7b
				
			| @ -3,7 +3,6 @@ package org.owasp.webgoat.plugin.advanced; | ||||
| import lombok.extern.slf4j.Slf4j; | ||||
| import org.apache.commons.lang3.RandomStringUtils; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| @ -11,14 +10,11 @@ import org.owasp.webgoat.session.WebSession; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.util.StringUtils; | ||||
| import org.springframework.web.bind.annotation.PutMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
|  | ||||
| import java.sql.*; | ||||
|  | ||||
| import static org.springframework.web.bind.annotation.RequestMethod.POST; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 4/8/17. | ||||
| @ -26,12 +22,11 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST; | ||||
| @AssignmentPath("SqlInjection/challenge") | ||||
| @AssignmentHints(value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"}) | ||||
| @Slf4j | ||||
| @AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"}) | ||||
| public class SqlInjectionChallenge extends AssignmentEndpoint { | ||||
|  | ||||
|     private static final String PASSWORD_TOM = "thisisasecretfortomonly"; | ||||
|     //Make it more random at runtime (good luck guessing) | ||||
|     private static final String USERS_TABLE_NAME = "challenge_users_6" + RandomStringUtils.randomAlphabetic(16); | ||||
|     static final String USERS_TABLE_NAME = "challenge_users_6" + RandomStringUtils.randomAlphabetic(16); | ||||
|  | ||||
|     @Autowired | ||||
|     private WebSession webSession; | ||||
| @ -49,22 +44,26 @@ public class SqlInjectionChallenge extends AssignmentEndpoint { | ||||
|             Connection connection = DatabaseUtilities.getConnection(webSession); | ||||
|             checkDatabase(connection); | ||||
|  | ||||
|             String checkUserQuery = "select userid from " + USERS_TABLE_NAME + " where userid = '" + username_reg + "'"; | ||||
|             Statement statement = connection.createStatement(); | ||||
|             ResultSet resultSet = statement.executeQuery(checkUserQuery); | ||||
|             try { | ||||
|                 String checkUserQuery = "select userid from " + USERS_TABLE_NAME + " where userid = '" + username_reg + "'"; | ||||
|                 Statement statement = connection.createStatement(); | ||||
|                 ResultSet resultSet = statement.executeQuery(checkUserQuery); | ||||
|  | ||||
|             if (resultSet.next()) { | ||||
|                 attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build(); | ||||
|             } else { | ||||
|                 PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO " + USERS_TABLE_NAME + " VALUES (?, ?, ?)"); | ||||
|                 preparedStatement.setString(1, username_reg); | ||||
|                 preparedStatement.setString(2, email_reg); | ||||
|                 preparedStatement.setString(3, password_reg); | ||||
|                 preparedStatement.execute(); | ||||
|                 attackResult = success().feedback("user.created").feedbackArgs(username_reg).build(); | ||||
|                 if (resultSet.next()) { | ||||
|                     attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build(); | ||||
|                 } else { | ||||
|                     PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO " + USERS_TABLE_NAME + " VALUES (?, ?, ?)"); | ||||
|                     preparedStatement.setString(1, username_reg); | ||||
|                     preparedStatement.setString(2, email_reg); | ||||
|                     preparedStatement.setString(3, password_reg); | ||||
|                     preparedStatement.execute(); | ||||
|                     attackResult = success().feedback("user.created").feedbackArgs(username_reg).build(); | ||||
|                 } | ||||
|             } catch(SQLException e) { | ||||
|                 attackResult = failed().output("Something went wrong").build(); | ||||
|             } | ||||
|         } | ||||
|         return attackResult; | ||||
|             } | ||||
|             return attackResult; | ||||
|     } | ||||
|  | ||||
|     private AttackResult checkArguments(String username_reg, String email_reg, String password_reg) { | ||||
| @ -77,34 +76,17 @@ public class SqlInjectionChallenge extends AssignmentEndpoint { | ||||
|         return null; | ||||
|     } | ||||
|  | ||||
|     @RequestMapping(method = POST) | ||||
|     @ResponseBody | ||||
|     public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception { | ||||
|         Connection connection = DatabaseUtilities.getConnection(webSession); | ||||
|         checkDatabase(connection); | ||||
|  | ||||
|         PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = ? and password = ?"); | ||||
|         statement.setString(1, username_login); | ||||
|         statement.setString(2, password_login); | ||||
|         ResultSet resultSet = statement.executeQuery(); | ||||
|  | ||||
|         if (resultSet.next() && "tom".equals(username_login)) { | ||||
|             return success().build(); | ||||
|         } else { | ||||
|             return failed().feedback("NoResultsMatched").build(); | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     private void checkDatabase(Connection connection) throws SQLException { | ||||
|     static void checkDatabase(Connection connection) throws SQLException { | ||||
|         try { | ||||
|             Statement statement = connection.createStatement(); | ||||
|             System.out.println(USERS_TABLE_NAME); | ||||
|             statement.execute("select 1 from " + USERS_TABLE_NAME); | ||||
|         } catch (SQLException e) { | ||||
|             createChallengeTable(connection); | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     private void createChallengeTable(Connection connection) { | ||||
|     static void createChallengeTable(Connection connection) { | ||||
|         Statement statement = null; | ||||
|         try { | ||||
|             statement = connection.createStatement(); | ||||
| @ -134,6 +116,5 @@ public class SqlInjectionChallenge extends AssignmentEndpoint { | ||||
|             log.error("Unable create table", e); | ||||
|         } | ||||
|     } | ||||
|  | ||||
| } | ||||
|  | ||||
|  | ||||
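Review bot: The new `} catch(SQLException e) {` block in the register path discards the exception — the only trace is the generic "Something went wrong" feedback, so a schema or driver problem becomes undiagnosable; the class already has `log` from `@Slf4j` (it is used as `log.error("Unable create table", e)` further down), so add `log.error("User registration failed", e);` before building the result. The `Statement`, `ResultSet` and `PreparedStatement` opened inside that try are never closed on either path, which leaks handles on the connection returned by `DatabaseUtilities.getConnection` (whether that connection is shared across requests is not visible here); the try could become a try-with-resources as sketched below. Separately, `System.out.println(USERS_TABLE_NAME);` in `checkDatabase` writes the table name to stdout on every register and login request, although the `RandomStringUtils` suffix and the "good luck guessing" comment show that name is meant to stay unguessable — it looks like leftover debugging and should be removed. The string-built `checkUserQuery` is the exercise's deliberate weak spot, so it is left as is. The method containing the first hunk starts outside it.
```java
String checkUserQuery = "select userid from " + USERS_TABLE_NAME + " where userid = '" + username_reg + "'";
try (Statement statement = connection.createStatement();
     ResultSet resultSet = statement.executeQuery(checkUserQuery)) {
    if (resultSet.next()) {
        attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build();
    } else {
        try (PreparedStatement preparedStatement =
                     connection.prepareStatement("INSERT INTO " + USERS_TABLE_NAME + " VALUES (?, ?, ?)")) {
            // … unchanged: setString(1..3) and execute() …
            attackResult = success().feedback("user.created").feedbackArgs(username_reg).build();
        }
    }
} catch (SQLException e) {
    log.error("User registration failed", e);
    attackResult = failed().output("Something went wrong").build();
}
```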
| @ -0,0 +1,48 @@ | ||||
| package org.owasp.webgoat.plugin.advanced; | ||||
|  | ||||
| import lombok.extern.slf4j.Slf4j; | ||||
| import org.apache.commons.lang3.RandomStringUtils; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
|  | ||||
| import java.sql.*; | ||||
|  | ||||
| import static org.springframework.web.bind.annotation.RequestMethod.POST; | ||||
|  | ||||
| @AssignmentPath("SqlInjection/challenge_Login") | ||||
| @Slf4j | ||||
| @AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"}) | ||||
| public class SqlInjectionChallengeLogin extends AssignmentEndpoint { | ||||
|  | ||||
|   @Autowired | ||||
|   private WebSession webSession; | ||||
|  | ||||
|  | ||||
|   @RequestMapping(method = POST) | ||||
|   @ResponseBody | ||||
|   public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception { | ||||
|     System.out.println("right Method"); | ||||
|     Connection connection = DatabaseUtilities.getConnection(webSession); | ||||
|     SqlInjectionChallenge.checkDatabase(connection); | ||||
|  | ||||
|     PreparedStatement statement = connection.prepareStatement("select password from " + SqlInjectionChallenge.USERS_TABLE_NAME + " where userid = ? and password = ?"); | ||||
|     statement.setString(1, username_login); | ||||
|     statement.setString(2, password_login); | ||||
|     ResultSet resultSet = statement.executeQuery(); | ||||
|  | ||||
|     if (resultSet.next()) { | ||||
|         return ("tom".equals(username_login)) ? success().build() | ||||
|                 : success().feedback("ResultsButNotTom").build(); | ||||
|     } else { | ||||
|       return failed().feedback("NoResultsMatched").build(); | ||||
|     } | ||||
|   } | ||||
| } | ||||
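Review bot: In `login`, a matching credential for any user other than `tom` returns `success().feedback("ResultsButNotTom")`; if `success()` is what marks the assignment solved — its use on the `tom` branch suggests so — the challenge completes for the wrong account while the feedback text (styled `feedback-negative` in the properties file) tells the user to keep trying, so `: failed().feedback("ResultsButNotTom").build();` looks like the intent. `System.out.println("right Method");` is leftover debug output and should be dropped or turned into `log.debug` via the class's `@Slf4j` logger. The `PreparedStatement` and `ResultSet` are never closed; declaring them in a try-with-resources fixes that without changing the control flow. `throws Exception` on the signature hides which checked exception callers should expect — narrow it to `throws SQLException` if `DatabaseUtilities.getConnection` permits.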
| @ -83,7 +83,7 @@ | ||||
|                                 <div class="col-lg-12"> | ||||
|                                     <form id="login-form" class="attack-form" accept-charset="UNKNOWN" | ||||
|                                           method="POST" name="form" | ||||
|                                           action="SqlInjection/challenge" | ||||
|                                           action="SqlInjection/challenge_Login" | ||||
|                                           enctype="application/json;charset=UTF-8" role="form"> | ||||
|                                         <div class="form-group"> | ||||
|                                             <input type="text" name="username_login" id="username4" tabindex="1" | ||||
| @ -162,7 +162,7 @@ | ||||
| </div> | ||||
|  | ||||
| <div class="lesson-page-wrapper"> | ||||
|     <span id="quiz_id" data-quiz_id="sql_injection"></span> | ||||
|     <span id="quiz_id" data-quiz_id="sql_incjection"></span> | ||||
|     <script th:src="@{/js/quiz.js}" language="JavaScript"></script> | ||||
|     <link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/> | ||||
|     <div class="adoc-content" th:replace="doc:SqlInjection_quiz.adoc"></div> | ||||
|  | ||||
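Review bot: The two `data-quiz_id` values in the second hunk differ only by the misspelling `sql_incjection`; this page carries no `+`/`-` markers, so which spelling is the new side cannot be read from it, but the id must agree with what `quiz.js` and `questions.json` key on or the quiz silently fails to load, so confirm that `sql_injection` is the value that survives. The unchanged `accept-charset="UNKNOWN"` on the login form does not look like a valid charset label and is worth checking while the form is being touched.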
| @ -8,6 +8,7 @@ SqlInjectionChallenge2=The vulnerability is on the register form | ||||
| SqlInjectionChallenge3=Use tooling to automate this attack | ||||
| sql-injection.error=<span class='feedback-negative'>Sorry, this solution is not correct. Try again!</span> | ||||
| NoResultsMatched=<span class='feedback-negative'>No results matched. Try Again.</span> | ||||
| ResultsButNotTom=<span class='feedback-negative'>Try To login as Tom!</span> | ||||
|  | ||||
| sql-injection.2.success=<span class='feedback-positive'>You have succeeded!</span> | ||||
| sql-injection.2.failed=<span class='feedback-negative'>Something went wrong! You got no results, check your SQL Statement and the table above.</span> | ||||
|  | ||||