Fixed Double Hints in SqlInjection Advanced Challenge
This commit is contained in:
parent
5fa11a1b4b
commit
43504b9a7b
@ -3,7 +3,6 @@ package org.owasp.webgoat.plugin.advanced;
|
|||||||
import lombok.extern.slf4j.Slf4j;
|
import lombok.extern.slf4j.Slf4j;
|
||||||
import org.apache.commons.lang3.RandomStringUtils;
|
import org.apache.commons.lang3.RandomStringUtils;
|
||||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
|
||||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||||
import org.owasp.webgoat.assignments.AttackResult;
|
import org.owasp.webgoat.assignments.AttackResult;
|
||||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||||
@ -11,14 +10,11 @@ import org.owasp.webgoat.session.WebSession;
|
|||||||
import org.springframework.beans.factory.annotation.Autowired;
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
import org.springframework.util.StringUtils;
|
import org.springframework.util.StringUtils;
|
||||||
import org.springframework.web.bind.annotation.PutMapping;
|
import org.springframework.web.bind.annotation.PutMapping;
|
||||||
import org.springframework.web.bind.annotation.RequestMapping;
|
|
||||||
import org.springframework.web.bind.annotation.RequestParam;
|
import org.springframework.web.bind.annotation.RequestParam;
|
||||||
import org.springframework.web.bind.annotation.ResponseBody;
|
import org.springframework.web.bind.annotation.ResponseBody;
|
||||||
|
|
||||||
import java.sql.*;
|
import java.sql.*;
|
||||||
|
|
||||||
import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author nbaars
|
* @author nbaars
|
||||||
* @since 4/8/17.
|
* @since 4/8/17.
|
||||||
@ -26,12 +22,11 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
|||||||
@AssignmentPath("SqlInjection/challenge")
|
@AssignmentPath("SqlInjection/challenge")
|
||||||
@AssignmentHints(value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
|
@AssignmentHints(value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
|
||||||
@Slf4j
|
@Slf4j
|
||||||
@AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"})
|
|
||||||
public class SqlInjectionChallenge extends AssignmentEndpoint {
|
public class SqlInjectionChallenge extends AssignmentEndpoint {
|
||||||
|
|
||||||
private static final String PASSWORD_TOM = "thisisasecretfortomonly";
|
private static final String PASSWORD_TOM = "thisisasecretfortomonly";
|
||||||
//Make it more random at runtime (good luck guessing)
|
//Make it more random at runtime (good luck guessing)
|
||||||
private static final String USERS_TABLE_NAME = "challenge_users_6" + RandomStringUtils.randomAlphabetic(16);
|
static final String USERS_TABLE_NAME = "challenge_users_6" + RandomStringUtils.randomAlphabetic(16);
|
||||||
|
|
||||||
@Autowired
|
@Autowired
|
||||||
private WebSession webSession;
|
private WebSession webSession;
|
||||||
@ -49,6 +44,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
|
|||||||
Connection connection = DatabaseUtilities.getConnection(webSession);
|
Connection connection = DatabaseUtilities.getConnection(webSession);
|
||||||
checkDatabase(connection);
|
checkDatabase(connection);
|
||||||
|
|
||||||
|
try {
|
||||||
String checkUserQuery = "select userid from " + USERS_TABLE_NAME + " where userid = '" + username_reg + "'";
|
String checkUserQuery = "select userid from " + USERS_TABLE_NAME + " where userid = '" + username_reg + "'";
|
||||||
Statement statement = connection.createStatement();
|
Statement statement = connection.createStatement();
|
||||||
ResultSet resultSet = statement.executeQuery(checkUserQuery);
|
ResultSet resultSet = statement.executeQuery(checkUserQuery);
|
||||||
@ -63,6 +59,9 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
|
|||||||
preparedStatement.execute();
|
preparedStatement.execute();
|
||||||
attackResult = success().feedback("user.created").feedbackArgs(username_reg).build();
|
attackResult = success().feedback("user.created").feedbackArgs(username_reg).build();
|
||||||
}
|
}
|
||||||
|
} catch(SQLException e) {
|
||||||
|
attackResult = failed().output("Something went wrong").build();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return attackResult;
|
return attackResult;
|
||||||
}
|
}
|
||||||
@ -77,34 +76,17 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
|
|||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
@RequestMapping(method = POST)
|
static void checkDatabase(Connection connection) throws SQLException {
|
||||||
@ResponseBody
|
|
||||||
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
|
|
||||||
Connection connection = DatabaseUtilities.getConnection(webSession);
|
|
||||||
checkDatabase(connection);
|
|
||||||
|
|
||||||
PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = ? and password = ?");
|
|
||||||
statement.setString(1, username_login);
|
|
||||||
statement.setString(2, password_login);
|
|
||||||
ResultSet resultSet = statement.executeQuery();
|
|
||||||
|
|
||||||
if (resultSet.next() && "tom".equals(username_login)) {
|
|
||||||
return success().build();
|
|
||||||
} else {
|
|
||||||
return failed().feedback("NoResultsMatched").build();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
private void checkDatabase(Connection connection) throws SQLException {
|
|
||||||
try {
|
try {
|
||||||
Statement statement = connection.createStatement();
|
Statement statement = connection.createStatement();
|
||||||
|
System.out.println(USERS_TABLE_NAME);
|
||||||
statement.execute("select 1 from " + USERS_TABLE_NAME);
|
statement.execute("select 1 from " + USERS_TABLE_NAME);
|
||||||
} catch (SQLException e) {
|
} catch (SQLException e) {
|
||||||
createChallengeTable(connection);
|
createChallengeTable(connection);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private void createChallengeTable(Connection connection) {
|
static void createChallengeTable(Connection connection) {
|
||||||
Statement statement = null;
|
Statement statement = null;
|
||||||
try {
|
try {
|
||||||
statement = connection.createStatement();
|
statement = connection.createStatement();
|
||||||
@ -134,6 +116,5 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
|
|||||||
log.error("Unable create table", e);
|
log.error("Unable create table", e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
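Review bot: The `System.out.println(USERS_TABLE_NAME);` added to `checkDatabase` writes the randomized table name to stdout on every call, which undercuts the stated purpose of the random suffix (the field's own comment says "good luck guessing") and bypasses the `@Slf4j` logger the class already has; it reads as a leftover debug print and should be deleted, or at most become `log.debug("challenge table {}", USERS_TABLE_NAME);` while developing. The new `catch (SQLException e)` in the register method discards the exception entirely before returning "Something went wrong"; keeping the generic user-facing text is reasonable for a challenge, but a `log.error("Register failed", e);` there would match the `log.error("Unable create table", e)` already used in `createChallengeTable`. `checkDatabase` and `createChallengeTable` are now package-private static so the new login endpoint can call them, which is fine, but note the register method whose body the first of these hunks edits begins outside the hunk.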
|
@ -0,0 +1,48 @@
|
|||||||
|
package org.owasp.webgoat.plugin.advanced;
|
||||||
|
|
||||||
|
import lombok.extern.slf4j.Slf4j;
|
||||||
|
import org.apache.commons.lang3.RandomStringUtils;
|
||||||
|
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||||
|
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||||
|
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||||
|
import org.owasp.webgoat.assignments.AttackResult;
|
||||||
|
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||||
|
import org.owasp.webgoat.session.WebSession;
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.web.bind.annotation.RequestMapping;
|
||||||
|
import org.springframework.web.bind.annotation.RequestParam;
|
||||||
|
import org.springframework.web.bind.annotation.ResponseBody;
|
||||||
|
|
||||||
|
import java.sql.*;
|
||||||
|
|
||||||
|
import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
||||||
|
|
||||||
|
@AssignmentPath("SqlInjection/challenge_Login")
|
||||||
|
@Slf4j
|
||||||
|
@AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"})
|
||||||
|
public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private WebSession webSession;
|
||||||
|
|
||||||
|
|
||||||
|
@RequestMapping(method = POST)
|
||||||
|
@ResponseBody
|
||||||
|
public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
|
||||||
|
System.out.println("right Method");
|
||||||
|
Connection connection = DatabaseUtilities.getConnection(webSession);
|
||||||
|
SqlInjectionChallenge.checkDatabase(connection);
|
||||||
|
|
||||||
|
PreparedStatement statement = connection.prepareStatement("select password from " + SqlInjectionChallenge.USERS_TABLE_NAME + " where userid = ? and password = ?");
|
||||||
|
statement.setString(1, username_login);
|
||||||
|
statement.setString(2, password_login);
|
||||||
|
ResultSet resultSet = statement.executeQuery();
|
||||||
|
|
||||||
|
if (resultSet.next()) {
|
||||||
|
return ("tom".equals(username_login)) ? success().build()
|
||||||
|
: success().feedback("ResultsButNotTom").build();
|
||||||
|
} else {
|
||||||
|
return failed().feedback("NoResultsMatched").build();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
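Review bot: The non-tom branch of `login` returns `success().feedback("ResultsButNotTom").build()`, the same builder the tom branch uses for the solved case, so a user who registers any account through the register form and logs in with it will presumably have the assignment marked complete even though the message shown (styled `feedback-negative`, "Try To login as Tom!") tells them they have not; that branch should read `: failed().feedback("ResultsButNotTom").build();`. `System.out.println("right Method");` is a leftover debug print in a class annotated `@Slf4j` and should be removed. The `PreparedStatement` and `ResultSet` are never closed; wrapping them as `try (PreparedStatement statement = connection.prepareStatement(...)) { ... }` would release them regardless of how `DatabaseUtilities` manages the connection, and the unused `RandomStringUtils` import can go at the same time.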
@ -83,7 +83,7 @@
|
|||||||
<div class="col-lg-12">
|
<div class="col-lg-12">
|
||||||
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
|
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
|
||||||
method="POST" name="form"
|
method="POST" name="form"
|
||||||
action="SqlInjection/challenge"
|
action="SqlInjection/challenge_Login"
|
||||||
enctype="application/json;charset=UTF-8" role="form">
|
enctype="application/json;charset=UTF-8" role="form">
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
<input type="text" name="username_login" id="username4" tabindex="1"
|
<input type="text" name="username_login" id="username4" tabindex="1"
|
||||||
@ -162,7 +162,7 @@
|
|||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="lesson-page-wrapper">
|
<div class="lesson-page-wrapper">
|
||||||
<span id="quiz_id" data-quiz_id="sql_injection"></span>
|
<span id="quiz_id" data-quiz_id="sql_incjection"></span>
|
||||||
<script th:src="@{/js/quiz.js}" language="JavaScript"></script>
|
<script th:src="@{/js/quiz.js}" language="JavaScript"></script>
|
||||||
<link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
|
<link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
|
||||||
<div class="adoc-content" th:replace="doc:SqlInjection_quiz.adoc"></div>
|
<div class="adoc-content" th:replace="doc:SqlInjection_quiz.adoc"></div>
|
||||||
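Review bot: The quiz id on the new side changes from `sql_injection` to `sql_incjection`, which looks like an accidental keystroke rather than part of fixing the duplicate hints; if `quiz.js` looks up this lesson's questions by that attribute, the quiz will stop resolving. Restore `<span id="quiz_id" data-quiz_id="sql_injection"></span>` unless the id was deliberately renamed elsewhere in the same change. The form action change to `SqlInjection/challenge_Login` does match the new `@AssignmentPath` on `SqlInjectionChallengeLogin`.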
|
@ -8,6 +8,7 @@ SqlInjectionChallenge2=The vulnerability is on the register form
|
|||||||
SqlInjectionChallenge3=Use tooling to automate this attack
|
SqlInjectionChallenge3=Use tooling to automate this attack
|
||||||
sql-injection.error=<span class='feedback-negative'>Sorry, this solution is not correct. Try again!</span>
|
sql-injection.error=<span class='feedback-negative'>Sorry, this solution is not correct. Try again!</span>
|
||||||
NoResultsMatched=<span class='feedback-negative'>No results matched. Try Again.</span>
|
NoResultsMatched=<span class='feedback-negative'>No results matched. Try Again.</span>
|
||||||
|
ResultsButNotTom=<span class='feedback-negative'>Try To login as Tom!</span>
|
||||||
|
|
||||||
sql-injection.2.success=<span class='feedback-positive'>You have succeeded!</span>
|
sql-injection.2.success=<span class='feedback-positive'>You have succeeded!</span>
|
||||||
sql-injection.2.failed=<span class='feedback-negative'>Something went wrong! You got no results, check your SQL Statement and the table above.</span>
|
sql-injection.2.failed=<span class='feedback-negative'>Something went wrong! You got no results, check your SQL Statement and the table above.</span>
|
||||||
|