diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html index bdbe8095e..5c39ffae9 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html +++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html @@ -23,7 +23,24 @@
-
+
+
+ + +
+
+
"SELECT * FROM users WHERE name = ''";
+
+
+ +
+
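Review bot: the new markup shows a fixed query string `"SELECT * FROM users WHERE name = ''";` beside an input field, but nothing in this hunk binds the field's value into that string, even though SqlInjection_content5_before.adoc in the same change tells the learner to "Try typing some SQL in here to better understand how the query changes". Either the script that updates the displayed query is missing from the commit or it lives in a file not touched here; when it is wired up, write the typed value into the page as a text node rather than as HTML, otherwise the lesson page itself becomes a DOM-based XSS sink for whatever the learner types.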
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content1.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content1.adoc index 10473457d..76be22e6e 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content1.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content1.adoc 
@@ -1,17 +1,63 @@ == What is SQL -SQL is a way to interact with databases and is interpreted by the database. +SQL is a standardized (ANSI in 1986, ISO in 1987) programming language which is used for managing relational databases and performing various operations on the data in them. -=== SQL - Structured Query Language -* Not “Standard Query Language” -* Multiple versions of SQL. Most databases have some custom functions -* Most vendors have a proprietary extension +A database is a collection of data. Data is organized into rows, columns and tables, and it is indexed to make it easier to find relevant information. + +Example SQL table with employees: + +Employees Table +|=== +|IdNum |LName |FName |JobCode |Salary |Phone | + +|1876 |CHIN |JACK |TA1 |42400 |212/558-5634 | + +|1114 |GREENWALD |JANICE |ME3 |38000 |212/558-1092 | + +|1556 |PENNINGTION|MICHAEL |ME1 |29860 |718/383-5681 | + +|1354 |PARKER |MARY |FA3 |65800 |914/455-2337 | + +|1130 |WOOD |DEBORAH |PT2 |36514 |212/587-0013 | +|=== + +Each employee has an index (IdNum), lastname, firstname, job title (JobCode), salary and a phone number. All his data from this table is represented in a single row. + +By using SQL queries you can modify a database table and its index structures, add, update and delete rows of data. + +There are three types of SQL commands in the SQL database language: === Data Manipulation Language (DML) +* DML commands are used for storing, retrieving, modifying, and deleting data. * SELECT, INSERT, UPDATE, DELETE, … +* Example: +** Retrieve data: +** SELECT Phone + + FROM Employees + + WHERE IdNum = 1354; +** This statement delivers the phone number of the employee with the number 1354. === Data Definition Language (DDL) +* DDL commands are used for creating, modifying, and dropping the structure of database objects. 
* CREATE, ALTER, DROP,TRUNCATE,… +* Example: +** CREATE TABLE Customers( + +     IdNum INT NOT NULL, + +     LName VARCHAR (20) NOT NULL, + +     FName VARCHAR (20) NOT NULL, + +     JobCode VARCHAR (3) NOT NULL, + +     Salary DECIMAL (18, 2), + +     Phone VARCHAR (20), + +     PRIMARY KEY (IdNum) + +); +** This statement creates the employees example table given above. === Data Control Language (DCL) +* DCL commands are used for providing security to database objects. * GRANT, REVOKE, … +* Example: +** GRANT CREATE TABLE + + TO operator; +** This statement gives all users of the operator-role the privilege to create new tables in the database. + +If you are still struggling with SQL and need more information or practice you can visit http://www.sqlcourse.com/ for an interactive and free online training. diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content2.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content2.adoc index c73e6ac60..d9456f9e3 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content2.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content2.adoc 
@@ -1,13 +1,7 @@ == What is SQL Injection? -==== A SQL injection attack consists of insertion or "injection" of an malicious data via the SQL query input from the client to the application +SQL Injections are the most common web hacking techniques. *A SQL injection attack consists of insertion or "injection" of malicious code via the SQL query input from the client to the application.* If not dealt with correctly, such an injection of code into the application can have an serious impact on e.g. data integrity and security. -=== A successful SQL injection exploit can: -* Read and modify sensitive data from the database -* Execute administration operations on the database -** Shutdown auditing or the DBMS -** Truncate tables and logs -** Add users -* Recover the content of a given file present on the DBMS file system -* Issue commands to the operating system +SQL Injections can occur, when unfiltered data from the client, e.g. the input of a search field, gets into the SQL-Interpreter of the application itself. If the input from the client does not get checked for containing SQL Commands, hackers can easily manipulate the underlying SQL-Statement to their advantages. + +Per example if the input is not filtered for SQL metacharacters like *--* (comments out the rest of the line) or *;* (ends a SQL-query and that way can be used to chain them) diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content3.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content3.adoc index d4a6692f2..348aae4eb 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content3.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content3.adoc 
@@ -1,14 +1,18 @@ == Consequences of SQL Injection +=== A successful SQL injection exploit can: +* Read and modify sensitive data from the database +* Execute administration operations on the database +** Shutdown auditing or the DBMS +** Truncate tables and logs +** Add users +* Recover the content of a given file present on the DBMS file system +* Issue commands to the operating system + === SQL injection attacks allow attackers to * Spoof identity * Tamper with existing data * Cause repudiation issues such as voiding transactions or changing balances * Allow the complete disclosure of all data on the system * Destroy the data or make it otherwise unavailable -* Become administrator of the database server - -=== SQL Injection is more common in PHP, Classic ASP, Cold Fusion and older languages -* Languages that do not provide parameterized query support -* Parameterized queries have been added to newer versions -* Early adopters of web technology (i.e. Old Code) \ No newline at end of file +* Become administrator of the database server \ No newline at end of file diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content4.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content4.adoc index c34229c95..3e1b224fe 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content4.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content4.adoc @@ -12,6 +12,11 @@ * MySQL Connector/J and C * Oracle +=== SQL Injection is more common in PHP, Classic ASP, Cold Fusion and older languages +* Languages that do not provide parameterized query support +* Parameterized queries have been added to newer versions +* Early adopters of web technology (i.e. Old Code) + === Not all databases are equal (SQL Server) * Command shell: `master.dbo.xp_cmdshell 'cmd.exe dir c:'` * Reqistry commands: `xp_regread`, `xp_regdeletekey`, … 
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5.adoc deleted file mode 100644 index 9d47b8e84..000000000 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5.adoc +++ /dev/null @@ -1,27 +0,0 @@ -== Example of SQL Injection - -=== Dynamic query in application - -==== Potential String Injection -------------------------------------------------------- -"select * from users where name = '" + userName + "'"; -------------------------------------------------------- - -==== Potential Numeric Injection -------------------------------------------------------- - -"select * from users where employee_id = " + userID; -------------------------------------------------------- - -=== Attacker supplies unexpected text -* userName = [red]*Smith' or '1'='1* -* userName =[red]*' or 1=1 --* -* userID = [red]*1234567 or 1=1* -* UserName = [red]*Smith’;drop table users; truncate audit_log;--* - -=== Application executes query -* select * from users where name = [red]*'Smith' or '1' = '1'* -** select * from users where name = [red]*'Smith' or TRUE* -* select * from users where employee_id = 1234567 or 1=1 - -*All records are returned from database* diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_after.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_after.adoc new file mode 100644 index 000000000..ad87df0ac --- /dev/null +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_after.adoc 
@@ -0,0 +1,11 @@ +{nbsp} + +{nbsp} + + +==== Here are some examples of what a hacker could supply to the input field to perform actions on the database that go further than just reading the data of a single user: + +* `+Smith’ OR ‘1’ = ‘1+` + +results in `+"SELECT * FROM users WHERE name = 'Smith' OR TRUE;+` and that way will return all entries from the users table +* `+Smith’ OR 1 = 1; --+` + +results in `+"SELECT * FROM users WHERE name = 'Smith' OR TRUE;--';+` and that way will return all entries from the users table +* `+Smith’; DROP TABLE USERS; truncate audit_log; --+` + +chains multiple SQL-Commands and deletes the USERS table as well as entries from the audit_log diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_before.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_before.adoc new file mode 100644 index 000000000..942e166f2 --- /dev/null +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_before.adoc 
@@ -0,0 +1,23 @@ +== Example of SQL Injection + +Think of a web application, that allows to display user information, by typing a username into an input field. + +The input will then be sent to the server and gets inserted into a SQL-query which then is processed by an SQL-Interpreter. + +The SQL-query to retrieve the user information from the database looks like that: + +------------------------------------------------------- +"SELECT * FROM users WHERE name = '" + userName + "'"; +------------------------------------------------------- + +The variable *userName* holds the input from the client and “injects” it into the query. + +If the Input would be Smith the query then looks like that + +------------------------------------------------------- +"SELECT * FROM users WHERE name = 'Smith'"; +------------------------------------------------------- +and would retrieve all data for the user with the name Smith. + +But if an attacker supplies an unexpected input which could be part of a SQL-query, the query itself can be modified and that way be used to perform other (malicious) actions on the database. +{nbsp} + +{nbsp} + + +Here is an input field. Try typing some SQL in here to better understand how the query changes. \ No newline at end of file
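Review bot: in SqlInjection_content1.adoc the DDL example creates a table named `Customers` while the sentence under it says "This statement creates the employees example table given above"; rename it to `CREATE TABLE Employees(` so the example builds the table it claims to. Two smaller points in the same hunk: "Each employee has an index (IdNum)" should read "primary key", which is what the CREATE TABLE itself declares; and `GRANT CREATE TABLE TO operator;` is vendor syntax (Oracle and SQL Server accept it, MySQL and PostgreSQL grant CREATE on a database or schema instead), so say so, since the paragraph opens by calling SQL a standard. Typos: `PENNINGTION` for PENNINGTON, "lastname, firstname", and "All his data" -> "All of that employee's data".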
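Review bot: the last paragraph of SqlInjection_content2.adoc stops mid-sentence ("...or *;* (ends a SQL-query and that way can be used to chain them)") with no main clause; finish it or drop "Per example". More importantly, the hunk frames the defect as input that "does not get checked for containing SQL Commands", which points the reader at metacharacter filtering as the fix; the cause is that the statement text is assembled by concatenating client input, and the remedy the lesson itself reaches for in content4 is parameterized queries, so state that here instead of implying a filter. Also, "SQL Injections are the most common web hacking techniques" is an unsupported superlative (cite a source or soften to "among the most common"), and "an serious" -> "a serious".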
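Review bot: after this hunk SqlInjection_content3.adoc carries two overlapping lists back to back: "Read and modify sensitive data from the database" / "Execute administration operations on the database" in the moved-in block, and "Tamper with existing data" / "Allow the complete disclosure of all data on the system" / "Become administrator of the database server" in the existing one. Merge them into one list or give the second heading a distinguishing name so the page does not read as the same list twice. The file still ends with "\ No newline at end of file"; add the trailing newline while touching it.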
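Review bot: the section moved into SqlInjection_content4.adoc keeps the claim that PHP, Classic ASP and Cold Fusion are "Languages that do not provide parameterized query support", which is stale: PHP has had PDO prepared statements and mysqli bind_param for years, and ColdFusion has cfqueryparam. Since the block is being relocated anyway, reword it to say injection is more common in old code that predates or ignores those APIs rather than in the languages themselves. Its placement, between the list ending `* MySQL Connector/J and C` / `* Oracle` and "=== Not all databases are equal (SQL Server)", also splits the driver list from the DBMS-specific material; put it before the driver list or after the SQL Server section. Unchanged context line in this hunk: `Reqistry commands` should be `Registry`, a separate fix.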
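Review bot: deleting SqlInjection_content5.adoc drops the "Potential Numeric Injection" case (`"select * from users where employee_id = " + userID;` with `userID = 1234567 or 1=1`), and neither SqlInjection_content5_before.adoc nor SqlInjection_content5_after.adoc carries it over. Keep it: it is the example that shows injection needs no quote character at all, so escaping `'` alone does nothing for numeric parameters. Either add it to the new before/after pair or state in the commit that the removal is intentional.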
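Review bot: the payloads in SqlInjection_content5_after.adoc use typographic quotes (`Smith’ OR ‘1’ = ‘1`, `Smith’; DROP TABLE USERS; truncate audit_log; --`), so copied as written they do not terminate the string literal and no injection happens; the deleted SqlInjection_content5.adoc had straight quotes (`Smith' or '1'='1`). Use ASCII `'` inside the `+...+` passthroughs throughout. The "results in" lines also skip a step: show the literally assembled statement first, `SELECT * FROM users WHERE name = 'Smith' OR '1' = '1'`, then explain that it collapses to `OR TRUE`; for the second payload show `... OR 1 = 1; --'` so the reader sees what the comment swallows, and drop the stray leading `"` in both. Add the caveat that the third payload relies on stacked statements, which not every driver or DBMS executes from a single call, which ties in with "Not all databases are equal" in content4.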
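Review bot: SqlInjection_content5_before.adoc shows the concatenation `"SELECT * FROM users WHERE name = '" + userName + "'";` but never names the pattern as the defect; add one sentence saying the problem is that client input becomes part of the statement text, and that a parameterized query (a PreparedStatement with a `?` placeholder, in the Java this snippet is written in) passes it as data instead, so the learner meets the fix at the same point as the bug. Grammar in the same hunk: "Think of a web application, that allows to display user information, by typing a username into an input field" -> "Think of a web application that displays user information when a username is typed into an input field"; "If the Input would be Smith the query then looks like that" -> "If the input is Smith, the query looks like this"; "SQL-query" and "SQL-Interpreter" -> "SQL query" and "SQL interpreter".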