Added a new lessons for sql injections on "Compromising confidentiality with String SQL Injection"

2018-11-05 15:47:09 +01:00
parent 083eb1b567
commit 75b1895122
5 changed files with 195 additions and 14 deletions
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java
@ -982,6 +982,48 @@ public class CreateDB {
        }
    }

+    /**
+     * Creates the table used in SQL-Injections (introduction)
+     */
+    private void createEmployeesTable(Connection connection) throws SQLException {
+        Statement statement = connection.createStatement();
+
+        // Drop employees table
+        try {
+            String dropTable = "DROP TABLE employees";
+            statement.executeUpdate(dropTable);
+        } catch (SQLException e) {
+            System.out.println("Info - Could not drop employees table");
+        }
+
+        // Create the new table
+        try {
+            String createTableStatement = "CREATE TABLE employees ("
+                    + "userid varchar(6) not null primary key,"
+                    + "first_name varchar(20),"
+                    + "last_name varchar(20),"
+                    + "department varchar(20),"
+                    + "salary varchar(10),"
+                    + "auth_tan varchar(6)"
+                    + ")";
+            statement.executeUpdate(createTableStatement);
+        } catch (SQLException e) {
+            System.out.println("Error creating employees table " + e.getLocalizedMessage());
+        }
+
+        // Populate
+        String insertData1 = "INSERT INTO employees VALUES ('32147','Paulina',  'Travers', 'Accounting',  '$46.000', 'P45JSI')";
+        String insertData2 = "INSERT INTO employees VALUES ('89762','Tobi',     'Barnett', 'Development', '$77.000', 'TA9LL1')";
+        String insertData3 = "INSERT INTO employees VALUES ('96134','Bob',      'Franco',  'Marketing',   '$83.700', 'LO9S2V')";
+        String insertData4 = "INSERT INTO employees VALUES ('34477','Abraham ', 'Holman',  'Development', '$50.000', 'UU2ALK')";
+        String insertData5 = "INSERT INTO employees VALUES ('37648','John',     'Smith',   'Marketing',   '$64.350', '3SL99A')";
+        statement.executeUpdate(insertData1);
+        statement.executeUpdate(insertData2);
+        statement.executeUpdate(insertData3);
+        statement.executeUpdate(insertData4);
+        statement.executeUpdate(insertData5);
+    }
+
    /**
     * Description of the Method
     *
@ -1009,6 +1051,7 @@ public class CreateDB {
        createMFEImagesTable(connection);
        createModifyWithSQLLessonTable(connection);
        createJWTKeys(connection);
+        createEmployeesTable(connection);
        System.out.println("Success: creating tables.");
    }
 }