diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java index 790f1298f..c5921ce11 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java @@ -68,8 +68,8 @@ public class SqlInjectionLesson2 extends AssignmentEndpoint { StringBuffer output = new StringBuffer(); results.first(); - output.append(results); // user completes lesson if department is "Marketing" + // what if other employee with same dept is result? if (results.getString("department").equals("Marketing")) { output.append(SqlInjectionLesson8.generateTable(results)); return trackProgress(success().feedback("sql-injection.2.success").output(output.toString()).build()); diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java index 283ad1060..b34bca509 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java @@ -67,12 +67,8 @@ public class SqlInjectionLesson3 extends AssignmentEndpoint { Statement check_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); statement.executeUpdate(_query); - ResultSet _results = check_statement.executeQuery("SELECT department from employees where last_name='Barnett';"); - + ResultSet _results = check_statement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';"); StringBuffer output = new StringBuffer(); - - _results.first(); - output.append(_results); // user completes lesson if the department of Tobi Barnett now is 'Sales' if (_results.getString("department").equals("Sales")) { output.append(SqlInjectionLesson8.generateTable(_results)); diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson4.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson4.java index 10d5c5b9f..4d54a0630 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson4.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson4.java @@ -1,5 +1,89 @@ + package org.owasp.webgoat.plugin.introduction; -public class SqlInjectionLesson4 { +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentHints; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; +import org.owasp.webgoat.session.DatabaseUtilities; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; +import java.io.IOException; +import java.sql.*; + + +/*************************************************************************************************** + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + * + * For details, please see http://webgoat.github.io + * + * @author Bruce Mayhew WebGoat + * @created October 28, 2003 + */ +@AssignmentPath("/SqlInjection/attack4") +@AssignmentHints(value = {"SqlStringInjectionHint4a1", "SqlStringInjectionHint4a2"}) +public class SqlInjectionLesson4 extends AssignmentEndpoint { + + @RequestMapping(method = RequestMethod.POST) + public + @ResponseBody + AttackResult completed(@RequestParam String query) { + return injectableQuery(query); + } + + protected AttackResult injectableQuery(String _query) { + try { + Connection connection = DatabaseUtilities.getConnection(getWebSession()); + String query = _query; + + try { + Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + Statement check_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + statement.executeUpdate(_query); + ResultSet _results = check_statement.executeQuery("SELECT phone from employees;"); + ResultSetMetaData _resultMetaData = _results.getMetaData(); + StringBuffer output = new StringBuffer(); + // user completes lesson if column phone exists + if (_results.first()) { + output.append(SqlInjectionLesson8.generateTable(_results)); + return trackProgress(success().feedbackArgs(output.toString()).build()); + } else { + return trackProgress(failed().output(output.toString()).build()); + } + + } catch (SQLException sqle) { + + return trackProgress(failed().output(sqle.getMessage()).build()); + } + } catch (Exception e) { + return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build()); + } + } } diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html index af26a4876..e1a2f8a9d 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html +++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html @@ -65,13 +65,13 @@
- + @@ -90,13 +90,13 @@
- + diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc index 08dd4cc37..797aa76b9 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc @@ -11,15 +11,14 @@ If an attacker uses a SQL injection of the DDL type to manipulate your database, * DROP - delete objects from the database * Example: ** CREATE TABLE Employees( + -     IdNum INT NOT NULL, + -     LName VARCHAR (20) NOT NULL, + -     FName VARCHAR (20) NOT NULL, + -     JobCode VARCHAR (3) NOT NULL, + -     Salary DECIMAL (18, 2), + -     Phone VARCHAR (20), + -     PRIMARY KEY (IdNum) + +     userid varchar(6) not null primary key, + +     first_name varchar(20), + +     last_name varchar(20), + +     department varchar(20), + +     salary varchar(10), + +     auth_tan varchar(6) + ); ** This statement creates the employees example table given on page 2. -Now try to modify the schneme by removing the column "Phone" from the table "Employees": +Now try to modify the scheme by adding the column "phone" to the table "employees":