dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

implemented assignment 4, some other changes

Browse Source
This commit is contained in:
philippesteinbach 2018-11-10 21:03:28 +01:00 committed by Nanne Baars
parent 7733ea0c85
commit 6b669df025
5 changed files with 98 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java
View File

@ -68,8 +68,8 @@ public class SqlInjectionLesson2 extends AssignmentEndpoint {
StringBuffer output = new StringBuffer(); StringBuffer output = new StringBuffer();
results.first(); results.first();
output.append(results);
// user completes lesson if department is "Marketing" // user completes lesson if department is "Marketing"
// what if other employee with same dept is result?
if (results.getString("department").equals("Marketing")) { if (results.getString("department").equals("Marketing")) {
output.append(SqlInjectionLesson8.generateTable(results)); output.append(SqlInjectionLesson8.generateTable(results));
return trackProgress(success().feedback("sql-injection.2.success").output(output.toString()).build()); return trackProgress(success().feedback("sql-injection.2.success").output(output.toString()).build());

6
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson3.java
View File

@ -67,12 +67,8 @@ public class SqlInjectionLesson3 extends AssignmentEndpoint {
Statement check_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, Statement check_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY); ResultSet.CONCUR_READ_ONLY);
statement.executeUpdate(_query); statement.executeUpdate(_query);
ResultSet _results = check_statement.executeQuery("SELECT department from employees where last_name='Barnett';"); ResultSet _results = check_statement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
StringBuffer output = new StringBuffer(); StringBuffer output = new StringBuffer();
_results.first();
output.append(_results);
// user completes lesson if the department of Tobi Barnett now is 'Sales' // user completes lesson if the department of Tobi Barnett now is 'Sales'
if (_results.getString("department").equals("Sales")) { if (_results.getString("department").equals("Sales")) {
output.append(SqlInjectionLesson8.generateTable(_results)); output.append(SqlInjectionLesson8.generateTable(_results));

86
webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson4.java
View File

@ -1,5 +1,89 @@
package org.owasp.webgoat.plugin.introduction; package org.owasp.webgoat.plugin.introduction;
public class SqlInjectionLesson4 { import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import java.io.IOException;
import java.sql.*;
/***************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* For details, please see http://webgoat.github.io
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@AssignmentPath("/SqlInjection/attack4")
@AssignmentHints(value = {"SqlStringInjectionHint4a1", "SqlStringInjectionHint4a2"})
public class SqlInjectionLesson4 extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public
@ResponseBody
AttackResult completed(@RequestParam String query) {
return injectableQuery(query);
}
protected AttackResult injectableQuery(String _query) {
try {
Connection connection = DatabaseUtilities.getConnection(getWebSession());
String query = _query;
try {
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
Statement check_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
statement.executeUpdate(_query);
ResultSet _results = check_statement.executeQuery("SELECT phone from employees;");
ResultSetMetaData _resultMetaData = _results.getMetaData();
StringBuffer output = new StringBuffer();
// user completes lesson if column phone exists
if (_results.first()) {
output.append(SqlInjectionLesson8.generateTable(_results));
return trackProgress(success().feedbackArgs(output.toString()).build());
} else {
return trackProgress(failed().output(output.toString()).build());
}
} catch (SQLException sqle) {
return trackProgress(failed().output(sqle.getMessage()).build());
}
} catch (Exception e) {
return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
}
}
} }

8
webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
View File

@ -65,13 +65,13 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" <form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form" method="POST" name="form"
action="/WebGoat/SqlInjection/attack" action="/WebGoat/SqlInjection/attack4"
enctype="application/json;charset=UTF-8" enctype="application/json;charset=UTF-8"
autocomplete="off"> autocomplete="off">
<table> <table>
<tr> <tr>
<td><label>SQL query</label></td> <td><label>SQL query</label></td>
<td><input name="name" value="" type="TEXT" placeholder="SQL query"/></td> <td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
</tr> </tr>
<tr> <tr>
<td><button type="SUBMIT">Submit</button></td> <td><button type="SUBMIT">Submit</button></td>
@ -90,13 +90,13 @@
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" <form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form" method="POST" name="form"
action="/WebGoat/SqlInjection/attack" action="/WebGoat/SqlInjection/attack5"
enctype="application/json;charset=UTF-8" enctype="application/json;charset=UTF-8"
autocomplete="off"> autocomplete="off">
<table> <table>
<tr> <tr>
<td><label>SQL query</label></td> <td><label>SQL query</label></td>
<td><input name="name" value="" type="TEXT" placeholder="SQL query"/></td> <td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
</tr> </tr>
<tr> <tr>
<td><button type="SUBMIT">Submit</button></td> <td><button type="SUBMIT">Submit</button></td>

15
webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc
View File

@ -11,15 +11,14 @@ If an attacker uses a SQL injection of the DDL type to manipulate your database,
* DROP - delete objects from the database * DROP - delete objects from the database
* Example: * Example:
** CREATE TABLE Employees( + ** CREATE TABLE Employees( +
&nbsp;&nbsp;&nbsp;&nbsp;IdNum INT NOT NULL, + &nbsp;&nbsp;&nbsp;&nbsp;userid varchar(6) not null primary key, +
&nbsp;&nbsp;&nbsp;&nbsp;LName VARCHAR (20) NOT NULL, + &nbsp;&nbsp;&nbsp;&nbsp;first_name varchar(20), +
&nbsp;&nbsp;&nbsp;&nbsp;FName VARCHAR (20) NOT NULL, + &nbsp;&nbsp;&nbsp;&nbsp;last_name varchar(20), +
&nbsp;&nbsp;&nbsp;&nbsp;JobCode VARCHAR (3) NOT NULL, + &nbsp;&nbsp;&nbsp;&nbsp;department varchar(20), +
&nbsp;&nbsp;&nbsp;&nbsp;Salary DECIMAL (18, 2), + &nbsp;&nbsp;&nbsp;&nbsp;salary varchar(10), +
&nbsp;&nbsp;&nbsp;&nbsp;Phone VARCHAR (20), + &nbsp;&nbsp;&nbsp;&nbsp;auth_tan varchar(6) +
&nbsp;&nbsp;&nbsp;&nbsp;PRIMARY KEY (IdNum) +
); );
** This statement creates the employees example table given on page 2. ** This statement creates the employees example table given on page 2.
Now try to modify the schneme by removing the column "Phone" from the table "Employees": Now try to modify the scheme by adding the column "phone" to the table "employees":