Added an assignment for compromising integrity by query chaining to the sql injections (introduction)
This commit is contained in:
		
				
					committed by
					
						 Nanne Baars
						Nanne Baars
					
				
			
			
				
	
			
			
			
						parent
						
							75b1895122
						
					
				
				
					commit
					4e6c721545
				
			| @ -0,0 +1,30 @@ | ||||
|  | ||||
| package org.owasp.webgoat.plugin.introduction; | ||||
|  | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
|  | ||||
| import java.sql.*; | ||||
|  | ||||
| @AssignmentPath("/SqlInjection/attack10") | ||||
| public class SqlInjectionLesson10 extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public | ||||
|     @ResponseBody | ||||
|     AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { | ||||
|         return injectableQueryConfidentiality(name, auth_tan); | ||||
|     } | ||||
|  | ||||
|     protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) { | ||||
|         return trackProgress(failed().build()); | ||||
|     } | ||||
|  | ||||
| } | ||||
| @ -0,0 +1,73 @@ | ||||
|  | ||||
| package org.owasp.webgoat.plugin.introduction; | ||||
|  | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.DatabaseUtilities; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
|  | ||||
| import java.sql.*; | ||||
|  | ||||
| @AssignmentPath("/SqlInjection/attack9") | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint9-1", "SqlStringInjectionHint9-2", "SqlStringInjectionHint9-3", "SqlStringInjectionHint9-4", "SqlStringInjectionHint9-5"}) | ||||
| public class SqlInjectionLesson9 extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public | ||||
|     @ResponseBody | ||||
|     AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) { | ||||
|         return injectableQueryIntegrity(name, auth_tan); | ||||
|     } | ||||
|  | ||||
|     protected AttackResult injectableQueryIntegrity(String name, String auth_tan) { | ||||
|         StringBuffer output = new StringBuffer(); | ||||
|         try { | ||||
|             Connection connection = DatabaseUtilities.getConnection(getWebSession()); | ||||
|  | ||||
|             try { | ||||
|                 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; | ||||
|                 Statement statement = connection.createStatement(); | ||||
|                 ResultSet results = statement.executeQuery(query); | ||||
|  | ||||
|                 results.first(); | ||||
|  | ||||
|                 ResultSetMetaData resultsMetaData = results.getMetaData(); | ||||
|                 output.append(SqlInjectionLesson8.generateTable(results, resultsMetaData)); | ||||
|             } catch (SQLException e) { | ||||
|                 System.err.println(e.getMessage()); | ||||
|                 return trackProgress(failed().output(e.getMessage()).build()); | ||||
|             } | ||||
|  | ||||
|             try { | ||||
|                 String query = "SELECT * FROM employees ORDER BY salary desc"; | ||||
|                 Statement statement = connection.createStatement(); | ||||
|                 ResultSet results = statement.executeQuery(query); | ||||
|  | ||||
|                 results.first(); | ||||
|                 System.out.println(results.getString(2)); | ||||
|                 System.out.println(results.getString(3)); | ||||
|  | ||||
|                 // user completes lesson if John Smith is the first in the list | ||||
|                 if ((results.getString(2).equals("John")) && (results.getString(3).equals("Smith"))) { | ||||
|                     return trackProgress(success().feedback("sql-injection.9.success").feedbackArgs(output.toString()).build()); | ||||
|                 } else { | ||||
|                     return trackProgress(failed().output(output.toString()).build()); | ||||
|                 } | ||||
|  | ||||
|             } catch (SQLException e) { | ||||
|                 System.err.println(e.getMessage()); | ||||
|                 return trackProgress(failed().output(e.getMessage()).build()); | ||||
|             } | ||||
|  | ||||
|         } catch (Exception e) { | ||||
|             System.err.println(e.getMessage()); | ||||
|             return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build()); | ||||
|         } | ||||
|     } | ||||
|  | ||||
| } | ||||
| @ -62,12 +62,12 @@ | ||||
|               autocomplete="off"> | ||||
|             <table> | ||||
|                 <tr> | ||||
|                     <td><label for="name">Employee Name:</label></td> | ||||
|                     <td><input id="name" name="name" value="" type="TEXT" placeholder="Lastname"/></td> | ||||
|                     <td><label>Employee Name:</label></td> | ||||
|                     <td><input name="name" value="" type="TEXT" placeholder="Lastname"/></td> | ||||
|                 </tr> | ||||
|                 <tr> | ||||
|                     <td><label for="auth_tan">Authentication TAN:</label></td> | ||||
|                     <td><input id="auth_tan" name="auth_tan" value="" type="TEXT" placeholder="TAN"/></td> | ||||
|                     <td><label>Authentication TAN:</label></td> | ||||
|                     <td><input name="auth_tan" value="" type="TEXT" placeholder="TAN"/></td> | ||||
|                 </tr> | ||||
|                 <tr> | ||||
|                     <td><button type="SUBMIT">Get department</button></td> | ||||
| @ -85,21 +85,19 @@ | ||||
|         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||
|         <form class="attack-form" accept-charset="UNKNOWN" | ||||
|               method="POST" name="form" | ||||
|               action="/WebGoat/SqlInjection/attack5b" | ||||
|               action="/WebGoat/SqlInjection/attack9" | ||||
|               enctype="application/json;charset=UTF-8"> | ||||
|             <table> | ||||
|                 <tr> | ||||
|                     <td>Login_Count:</td> | ||||
|                     <td><input name="login_count" value="" type="text"/></td> | ||||
|                     <td><label>Employee Name:</label></td> | ||||
|                     <td><input name="name" value="" type="TEXT" placeholder="Lastname"/></td> | ||||
|                 </tr> | ||||
|                 <tr> | ||||
|                     <td>Name:</td> | ||||
|                     <td><input name="userid" value="" type="TEXT"/></td> | ||||
|                     <td><label>Authentication TAN:</label></td> | ||||
|                     <td><input name="auth_tan" value="" type="TEXT" placeholder="TAN"/></td> | ||||
|                 </tr> | ||||
|                 <tr> | ||||
|                     <td></td> | ||||
|                     <td><input | ||||
|                             name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td> | ||||
|                     <td><button type="SUBMIT">Get department</button></td> | ||||
|                 </tr> | ||||
|             </table> | ||||
|         </form> | ||||
|  | ||||
| @ -11,15 +11,6 @@ SqlInjectionChallenge2=The vulnerability is on the register form | ||||
| SqlInjectionChallenge3=Use tooling to automate this attack | ||||
|  | ||||
| NoResultsMatched=No results matched. Try Again. | ||||
| SqlStringInjectionHint5a1=The application is taking your input and inserting it at the end of a pre-formed SQL command. | ||||
| SqlStringInjectionHint5a2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName" | ||||
| SqlStringInjectionHint5a3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true | ||||
| SqlStringInjectionHint5a4=Make sure all quotes (" ' ") are opened and closed properly. | ||||
| SqlStringInjectionHint5a5=Try appending the Statement with something like: OR 1 = 1. | ||||
| SqlStringInjectionHint5b1=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE Login_Count = "Login_Count" and User_Id = "Name" | ||||
| SqlStringInjectionHint5b2=Note that you don't need to insert any quotations. | ||||
| SqlStringInjectionHint5b3=Remember how you solved the previous assignment. | ||||
| SqlStringInjectionHint5b4=It does not matter where you insert a statement that always resolves to true. | ||||
| SqlStringInjectionHint6=Try Appending a new SQL Statement to the Query. | ||||
| SqlStringInjectionHint7=The new SQL Statement can be really simple like: SELECT ... FROM ... | ||||
| SqlStringInjectionHint8=Your new SQL Query should start, with a " ; " and end with " -- " | ||||
| @ -45,7 +36,7 @@ sql-injection.6a.no.results=No results matched. Try Again. | ||||
| sql-injection.6b.success=You have succeeded: {0} | ||||
| sql-injection.6b.no.results=No results matched. Try Again. | ||||
|  | ||||
| sql-injection.8.success=You have succeed: {0} | ||||
| sql-injection.8.success=You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done! {0} | ||||
| sql-injection.8.no.results=No employee found with matching lastname. Or maybe your authentication TAN is incorrect? | ||||
|  | ||||
| SqlStringInjectionHint8-1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command. | ||||
| @ -53,3 +44,11 @@ SqlStringInjectionHint8-2=Compound SQL statements can be made by expanding the W | ||||
| SqlStringInjectionHint8-3=Try appending a SQL statement that always resolves to true. | ||||
| SqlStringInjectionHint8-4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct. | ||||
| SqlStringInjectionHint8-5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1. | ||||
|  | ||||
| sql-injection.9.success=Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary. {0} | ||||
|  | ||||
| SqlStringInjectionHint9-1=Try to find a way, to chain another query to the end of the existing one. | ||||
| SqlStringInjectionHint9-2=Use the ; metacharacter to do so. | ||||
| SqlStringInjectionHint9-3=Make use of DML to change your salary. | ||||
| SqlStringInjectionHint9-4=Make sure that the resulting query is syntactically correct. | ||||
| SqlStringInjectionHint9-5=How about something like '; UPDATE employees.... | ||||
|  | ||||
| @ -1,11 +1,11 @@ | ||||
| Integrity | ||||
| == Compromising Integrity with Query Chaining | ||||
| After compromising the confidentiality of data in the previous lesson, this time we are gonna compromise the integrity of data by using a SQL query chaining. | ||||
|  | ||||
| == Try It!   Numeric SQL Injection | ||||
| == What is SQL query chaining? | ||||
| Query chaining is exactly what it sounds like. When query chaining, you try to append one or more queries to the end of the actual query. | ||||
| You can do this by using the *;* metacharacter which marks the end of a query and that way allows to start another one right after it within the same line. | ||||
|  | ||||
| The query in the code builds a dynamic query as seen in the previous example.  The query in the code builds a dynamic query by concatenating a number making it susceptible to Numeric SQL injection:  | ||||
|  | ||||
| -------------------------------------------------- | ||||
| "select * from users where Login_Count = " + Login_Count + " and USERID = "  + userID; | ||||
| -------------------------------------------------- | ||||
|  | ||||
| Using the form below try to retrieve all the users from the users table. You shouldn't need to know any specific user name or Login_Count to get the complete list. | ||||
| === It's your turn! | ||||
| You just found out that Tobi and Bob both seem to earn more money than you! | ||||
| Of course you cannot leave it at that. + | ||||
| Better go and change your salary so you're at the earner. | ||||
|  | ||||
		Reference in New Issue
	
	Block a user