Added my improved assignments
committed by Nanne Baars
parent 551f87dbd9
commit 718b113f86
@ -52,6 +52,79 @@
|
||||
<div class="adoc-content" th:replace="doc:SqlInjection_introduction_content7.adoc"></div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:SqlInjection_introduction_content11.adoc"></div>
|
||||
<div class="attack-container">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjection/attack5a"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<table>
|
||||
<tr>
|
||||
<td>SELECT * FROM users WHERE LOGIN_COUNT > 0 and FIRST_NAME = '</td>
|
||||
<td><select name="account">
|
||||
<option>Smith</option>
|
||||
<option>'Smith</option>
|
||||
<option>'</option>
|
||||
<option>'Smith'</option>
|
||||
</select></td>
|
||||
<td>
|
||||
<select name="operator">
|
||||
<option>or not</option>
|
||||
<option>and</option>
|
||||
<option>and not</option>
|
||||
</select>
|
||||
</td>
|
||||
<td>
|
||||
<select name="injection">
|
||||
<option>1 = 1</option>
|
||||
<option>1 = 2</option>
|
||||
<option>1' = '2</option>
|
||||
<option>'1' = '1</option>
|
||||
<option>'1' = '2</option>
|
||||
<option>Last_Name = 'Smith</option>
|
||||
</select>
|
||||
</td>
|
||||
<td><input
|
||||
name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
|
||||
</tr>
|
||||
</table>
|
||||
</form>
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:SqlInjection_introduction_content12.adoc"></div>
|
||||
<div class="attack-container">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjection/attack5b"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<table>
|
||||
<tr>
|
||||
<td>Login_Count:</td>
|
||||
<td><input name="login_count" value="" type="text"/></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>User_Id:</td>
|
||||
<td><input name="userid" value="" type="TEXT"/></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td></td>
|
||||
<td><input
|
||||
name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
|
||||
</tr>
|
||||
</table>
|
||||
</form>
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:SqlInjection_introduction_content8.adoc"></div>
|
||||
<div class="attack-container">
|
||||
|
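Review bot: both added forms (the ones posting to /WebGoat/SqlInjection/attack5a and /WebGoat/SqlInjection/attack5b) set enctype="application/json;charset=UTF-8", which is not a value a form element honours; a browser ignores an unrecognised enctype and submits application/x-www-form-urlencoded, so the markup advertises a JSON body that a plain form post never sends. If the lesson's client script serialises these forms itself, note that in a comment; otherwise drop the attribute or set it to the encoding the handler actually reads. accept-charset="UNKNOWN" is only the HTML 4 default and can be removed as well. Minor: the submit inputs carry name="Get Account Info" (a parameter name with spaces), and the type values mix "text", "TEXT" and "SUBMIT"; lowercase them throughout.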
@ -12,9 +12,18 @@ SqlInjectionChallenge3=Use tooling to automate this attack
|
||||
sql-injection.error=<span class='feedback-negative'>Sorry, this solution is not correct. Try again!</span>
|
||||
|
||||
NoResultsMatched=No results matched. Try Again.
|
||||
SqlStringInjectionHint6=Try Appending a new SQL Statement to the Query.
|
||||
SqlStringInjectionHint7=The new SQL Statement can be really simple like: SELECT ... FROM ...
|
||||
SqlStringInjectionHint8=Your new SQL Query should start, with a " ; " and end with " -- "
|
||||
SqlInjectionChallengeHint1=The Table Name is randomized at each start of Webgoat, try to figure out the name first.
|
||||
SqlInjectionChallengeHint2=Find the Field which is vulnerable to SQL Injection use that to change the password.
|
||||
SqlInjectionChallengeHint3=Change the password through an Update Statement.
|
||||
SqlInjectionChallengeHint4=The Vulnerable Field is the Username Field of the Register form.
|
||||
SqlStringInjectionHint5b1=Try to check which of the input fields is susceptible to an injection attack.
|
||||
SqlStringInjectionHint5b2=Insert 0 or 1 = 1 into the first input field. Th Output should tell you if this field is injectable.
|
||||
SqlStringInjectionHint5b3=The first Input field is not susceptible to sql injection.
|
||||
SqlStringInjectionHint5b4=You don't need to insert any quotations into your injection-string.
|
||||
SqlStringInjectionHint6a1=Try Appending stuff like ",1" to your query, to figure out how many columns there are.
|
||||
SqlStringInjectionHint6a2=When using a UNION the number of columns, from both tables should match.
|
||||
SqlStringInjectionHint6a3=The UNION should contain 7 columns.
|
||||
SqlStringInjectionHint6a4=Try using these columns in your union: userid, user_name, password, cookie, cookie, cookie, userid.
|
||||
SqlStringInjectionHint9=Try sorting and look at the request
|
||||
SqlStringInjectionHint10=Intercept the request and try to specify a different order by
|
||||
SqlStringInjectionHint10a1=First establish a connection, after that you can create a statement.
|
||||
|
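Review bot: SqlStringInjectionHint5b2 contains a typo ("Th Output") and stray capitalisation; suggest "Insert 0 or 1 = 1 into the first input field. The output should tell you whether this field is injectable." In the same block, SqlStringInjectionHint8 has a misplaced comma ("should start, with"), SqlStringInjectionHint6a2 likewise ("the number of columns, from both tables"), and SqlInjectionChallengeHint1 spells the product "Webgoat" where the lesson text uses "WebGoat". The SqlStringInjectionHint5b* keys are shown for the form that takes login_count and userid, so a key prefix that matches the numeric assignment would make the properties file easier to follow.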
@ -1,6 +1,8 @@
|
||||
== Try It! Pulling data from other tables
|
||||
|
||||
Lets try to exploit the fact that you can append your own SQL Statement. One of the tables in the WebGoat database is:
|
||||
Lets try to exploit the fact that you can use a union to get the contents of another table.
|
||||
|
||||
One of the tables in the WebGoat database is:
|
||||
|
||||
-------------------------------------------------------
|
||||
CREATE TABLE user_system_data (userid int not null primary key,
|
||||
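Review bot: the rewritten opening sentence still reads "Lets try to exploit the fact that you can use a union"; it should be "Let's", and "union" should be written as UNION to match the assignment text and the hint strings that refer to the same keyword.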
@ -9,7 +11,5 @@ CREATE TABLE user_system_data (userid int not null primary key,
|
||||
cookie varchar(30));
|
||||
-------------------------------------------------------
|
||||
|
||||
*6.a)* Inject your own Query into the SQL Statement to retrieve all Data from the Table. +
|
||||
*6.b)* When you have figured it out.... What is Dave's password?
|
||||
|
||||
|
||||
*6.a)* Retrieve all data from the table by using a UNION (You have to use a union to complete this assignment.) +
|
||||
*6.b)* When you have figured it out.... What is Dave's password?
|
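Review bot: the new 6.a line states the UNION requirement twice ("by using a UNION (You have to use a union to complete this assignment.)"); one statement is enough, for example "Retrieve all data from the table. You must use a UNION to complete this assignment." The parenthetical also switches to lowercase "union", and 6.b keeps the four-dot "figured it out...." from the old text.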
@ -0,0 +1,9 @@
|
||||
== Try It! String SQL Injection
|
||||
|
||||
The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating strings making it susceptible to String SQL injection:
|
||||
|
||||
------------------------------------------------------------
|
||||
"select * from users where LOGIN_COUNT > 0 and FIRST_NAME = ‘" + userName + "'";
|
||||
------------------------------------------------------------
|
||||
|
||||
Using the form below try to retrieve all the users from the users table. You shouldn't need to know any specific user name to get the complete list.
|
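Review bot: the query literal in this new file opens the string value with a typographic quote (FIRST_NAME = ‘") instead of an ASCII single quote, so the listing does not match the SQL that is actually built and misleads anyone reasoning about where the quote closes; replace it with '. The first paragraph also repeats its opening ("The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating strings"); merge the two sentences into one.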
@ -0,0 +1,11 @@
|
||||
== Try It! Numeric SQL Injection
|
||||
|
||||
The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating a number making it susceptible to Numeric SQL injection:
|
||||
|
||||
--------------------------------------------------
|
||||
"select * from users where Login_Count = " + Login_Count + " and USERID = " + UserID;
|
||||
--------------------------------------------------
|
||||
|
||||
Using the two Input Fields below, try to retrieve all the date from the users table.
|
||||
|
||||
Warning: Only one of these fields is susceptible to SQL Injection. You need to find out which, to successfully retrieve all the data.
|
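Review bot: the task sentence says "retrieve all the date from the users table", which should read "data". The first paragraph repeats the same opening as the string-injection page ("The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating a number"); collapse it into a single sentence. The listing names its variables Login_Count and UserID while the form fields in this commit are login_count and userid; say in the text which field maps to which variable, since the Warning below it depends on the reader telling them apart.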
@ -2,4 +2,6 @@ In this assignment try to perform an SQL injection through the ORDER BY field.
|
||||
Try to find the ip address of the `webgoat-prd` server, guessing the complete
|
||||
ip address might take too long so we give you the last part: `xxx.130.219.202`
|
||||
|
||||
Tip: To complete this assignment a tool such as OWASP ZAP is required.
|
||||
|
||||
Note: The submit field of this assignment is *NOT* vulnerable for an SQL injection.
|
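Review bot: the added note reads "is *NOT* vulnerable for an SQL injection"; the preposition should be "to" ("is *NOT* vulnerable to SQL injection"). The added tip says a tool such as OWASP ZAP "is required", while the neighbouring hint text only asks the user to intercept the request; "you will need an intercepting proxy such as OWASP ZAP" would say what the tool is for.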