From 78ff54b910f06e45e8b401c5afb13df2191459c1 Mon Sep 17 00:00:00 2001 From: Bene-Notebook <benedikt.stuhrmann@gmail.com> Date: Mon, 29 Oct 2018 17:54:59 +0100 Subject: [PATCH] Modified and improved explanations for SQL Injections (basics) --- .../src/main/resources/html/SqlInjection.html | 19 ++++++- .../lessonPlans/en/SqlInjection_content1.adoc | 56 +++++++++++++++++-- .../lessonPlans/en/SqlInjection_content2.adoc | 12 +--- .../lessonPlans/en/SqlInjection_content3.adoc | 16 ++++-- .../lessonPlans/en/SqlInjection_content4.adoc | 5 ++ .../lessonPlans/en/SqlInjection_content5.adoc | 27 --------- .../en/SqlInjection_content5_after.adoc | 11 ++++ .../en/SqlInjection_content5_before.adoc | 23 ++++++++ 8 files changed, 121 insertions(+), 48 deletions(-) delete mode 100644 webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5.adoc create mode 100644 webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_after.adoc create mode 100644 webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_before.adoc diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html index bdbe8095e..5c39ffae9 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html +++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html 
@@ -23,7 +23,24 @@ </div> <div class="lesson-page-wrapper"> - <div class="adoc-content" th:replace="doc:SqlInjection_content5.adoc"></div> + <div class="adoc-content" th:replace="doc:SqlInjection_content5_before.adoc"></div> + <div> + <label for="username-preview">Username:</label> + <input id="preview-input" type="text" name="username" val=""/> + <div class="listingblock"> + <div class="content"> + <pre>"SELECT * FROM users WHERE name = '<span id="input-preview" style="font-weight: bold;"></span>'";</pre> + </div> + </div> + <script> + $(document).ready( () => { + $("#preview-input").on("keyup", (e) => { + $("#input-preview").text(e.target.value); + }); + }); + </script> + </div> + <div class="adoc-content" th:replace="doc:SqlInjection_content5_after.adoc"></div> </div> <div class="lesson-page-wrapper"> diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content1.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content1.adoc index 10473457d..76be22e6e 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content1.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content1.adoc 
@@ -1,17 +1,63 @@ == What is SQL -SQL is a way to interact with databases and is interpreted by the database. +SQL is a standardized (ANSI in 1986, ISO in 1987) programming language which is used for managing relational databases and performing various operations on the data in them. -=== SQL - Structured Query Language -* Not “Standard Query Language” -* Multiple versions of SQL. Most databases have some custom functions -* Most vendors have a proprietary extension +A database is a collection of data. Data is organized into rows, columns and tables, and it is indexed to make it easier to find relevant information. + +Example SQL table with employees: + +Employees Table +|=== +|IdNum |LName |FName |JobCode |Salary |Phone | + +|1876 |CHIN |JACK |TA1 |42400 |212/558-5634 | + +|1114 |GREENWALD |JANICE |ME3 |38000 |212/558-1092 | + +|1556 |PENNINGTION|MICHAEL |ME1 |29860 |718/383-5681 | + +|1354 |PARKER |MARY |FA3 |65800 |914/455-2337 | + +|1130 |WOOD |DEBORAH |PT2 |36514 |212/587-0013 | +|=== + +Each employee has an index (IdNum), lastname, firstname, job title (JobCode), salary and a phone number. All his data from this table is represented in a single row. + +By using SQL queries you can modify a database table and its index structures, add, update and delete rows of data. + +There are three types of SQL commands in the SQL database language: === Data Manipulation Language (DML) +* DML commands are used for storing, retrieving, modifying, and deleting data. * SELECT, INSERT, UPDATE, DELETE, … +* Example: +** Retrieve data: +** SELECT Phone + + FROM Employees + + WHERE IdNum = 1354; +** This statement delivers the phone number of the employee with the number 1354. === Data Definition Language (DDL) +* DDL commands are used for creating, modifying, and dropping the structure of database objects. 
* CREATE, ALTER, DROP,TRUNCATE,… +* Example: +** CREATE TABLE Customers( + + IdNum INT NOT NULL, + + LName VARCHAR (20) NOT NULL, + + FName VARCHAR (20) NOT NULL, + + JobCode VARCHAR (3) NOT NULL, + + Salary DECIMAL (18, 2), + + Phone VARCHAR (20), + + PRIMARY KEY (IdNum) + +); +** This statement creates the employees example table given above. === Data Control Language (DCL) +* DCL commands are used for providing security to database objects. * GRANT, REVOKE, … +* Example: +** GRANT CREATE TABLE + + TO operator; +** This statement gives all users of the operator-role the privilege to create new tables in the database. + +If you are still struggling with SQL and need more information or practice you can visit http://www.sqlcourse.com/ for an interactive and free online training. diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content2.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content2.adoc index c73e6ac60..d9456f9e3 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content2.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content2.adoc 
@@ -1,13 +1,7 @@ == What is SQL Injection? -==== A SQL injection attack consists of insertion or "injection" of an malicious data via the SQL query input from the client to the application +SQL Injections are the most common web hacking techniques. *A SQL injection attack consists of insertion or "injection" of malicious code via the SQL query input from the client to the application.* If not dealt with correctly, such an injection of code into the application can have an serious impact on e.g. data integrity and security. -=== A successful SQL injection exploit can: -* Read and modify sensitive data from the database -* Execute administration operations on the database -** Shutdown auditing or the DBMS -** Truncate tables and logs -** Add users -* Recover the content of a given file present on the DBMS file system -* Issue commands to the operating system +SQL Injections can occur, when unfiltered data from the client, e.g. the input of a search field, gets into the SQL-Interpreter of the application itself. If the input from the client does not get checked for containing SQL Commands, hackers can easily manipulate the underlying SQL-Statement to their advantages. + +Per example if the input is not filtered for SQL metacharacters like *--* (comments out the rest of the line) or *;* (ends a SQL-query and that way can be used to chain them) diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content3.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content3.adoc index d4a6692f2..348aae4eb 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content3.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content3.adoc 
@@ -1,14 +1,18 @@ == Consequences of SQL Injection +=== A successful SQL injection exploit can: +* Read and modify sensitive data from the database +* Execute administration operations on the database +** Shutdown auditing or the DBMS +** Truncate tables and logs +** Add users +* Recover the content of a given file present on the DBMS file system +* Issue commands to the operating system + === SQL injection attacks allow attackers to * Spoof identity * Tamper with existing data * Cause repudiation issues such as voiding transactions or changing balances * Allow the complete disclosure of all data on the system * Destroy the data or make it otherwise unavailable -* Become administrator of the database server - -=== SQL Injection is more common in PHP, Classic ASP, Cold Fusion and older languages -* Languages that do not provide parameterized query support -* Parameterized queries have been added to newer versions -* Early adopters of web technology (i.e. Old Code) \ No newline at end of file +* Become administrator of the database server \ No newline at end of file diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content4.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content4.adoc index c34229c95..3e1b224fe 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content4.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content4.adoc @@ -12,6 +12,11 @@ * MySQL Connector/J and C * Oracle +=== SQL Injection is more common in PHP, Classic ASP, Cold Fusion and older languages +* Languages that do not provide parameterized query support +* Parameterized queries have been added to newer versions +* Early adopters of web technology (i.e. Old Code) + === Not all databases are equal (SQL Server) * Command shell: `master.dbo.xp_cmdshell 'cmd.exe dir c:'` * Reqistry commands: `xp_regread`, `xp_regdeletekey`, … 
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5.adoc deleted file mode 100644 index 9d47b8e84..000000000 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5.adoc +++ /dev/null @@ -1,27 +0,0 @@ -== Example of SQL Injection - -=== Dynamic query in application - -==== Potential String Injection -------------------------------------------------------- -"select * from users where name = '" + userName + "'"; -------------------------------------------------------- - -==== Potential Numeric Injection -------------------------------------------------------- - -"select * from users where employee_id = " + userID; -------------------------------------------------------- - -=== Attacker supplies unexpected text -* userName = [red]*Smith' or '1'='1* -* userName =[red]*' or 1=1 --* -* userID = [red]*1234567 or 1=1* -* UserName = [red]*Smith’;drop table users; truncate audit_log;--* - -=== Application executes query -* select * from users where name = [red]*'Smith' or '1' = '1'* -** select * from users where name = [red]*'Smith' or TRUE* -* select * from users where employee_id = 1234567 or 1=1 - -*All records are returned from database* diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_after.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_after.adoc new file mode 100644 index 000000000..ad87df0ac --- /dev/null +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_after.adoc 
@@ -0,0 +1,11 @@ +{nbsp} + +{nbsp} + + +==== Here are some examples of what a hacker could supply to the input field to perform actions on the database that go further than just reading the data of a single user: + +* `+Smith’ OR ‘1’ = ‘1+` + +results in `+"SELECT * FROM users WHERE name = 'Smith' OR TRUE;+` and that way will return all entries from the users table +* `+Smith’ OR 1 = 1; --+` + +results in `+"SELECT * FROM users WHERE name = 'Smith' OR TRUE;--';+` and that way will return all entries from the users table +* `+Smith’; DROP TABLE USERS; truncate audit_log; --+` + +chains multiple SQL-Commands and deletes the USERS table as well as entries from the audit_log diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_before.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_before.adoc new file mode 100644 index 000000000..942e166f2 --- /dev/null +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content5_before.adoc 
@@ -0,0 +1,23 @@ +== Example of SQL Injection + +Think of a web application, that allows to display user information, by typing a username into an input field. + +The input will then be sent to the server and gets inserted into a SQL-query which then is processed by an SQL-Interpreter. + +The SQL-query to retrieve the user information from the database looks like that: + +------------------------------------------------------- +"SELECT * FROM users WHERE name = '" + userName + "'"; +------------------------------------------------------- + +The variable *userName* holds the input from the client and “injects” it into the query. + +If the Input would be Smith the query then looks like that + +------------------------------------------------------- +"SELECT * FROM users WHERE name = 'Smith'"; +------------------------------------------------------- +and would retrieve all data for the user with the name Smith. + +But if an attacker supplies an unexpected input which could be part of a SQL-query, the query itself can be modified and that way be used to perform other (malicious) actions on the database. +{nbsp} + +{nbsp} + + +Here is an input field. Try typing some SQL in here to better understand how the query changes. \ No newline at end of file
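Review bot: In the SqlInjection.html hunk the new `<input>` carries `val=""`, which is not an HTML attribute (it should be `value=""`), and the `<label for="username-preview">` does not match the input's id `preview-input`, so clicking the label will not focus the field. Suggest `<label for="preview-input">Username:</label>` and `<input id="preview-input" type="text" name="username" value=""/>`. Rendering the typed text with `.text()` instead of `.html()` is correct and keeps the preview from becoming a DOM XSS sink; keep that as is.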
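Review bot: In the content1.adoc hunk the DDL example creates a table named `Customers`, but the sentence under it says "This statement creates the employees example table given above"; either name the table `Employees` in the `CREATE TABLE` or change the sentence. Two smaller points in the same hunk: `PENNINGTION` in the sample table looks like a typo for `PENNINGTON`, and every table row ends with a trailing `|`, which is not needed for a psv table and can produce an empty extra column; drop it. The multi-line SQL examples written as nested `**` items with `+` continuations would read better as `----` listing blocks, the style content5_before.adoc already uses for its query.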
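Review bot: In the content2.adoc hunk the last paragraph is cut off: "Per example if the input is not filtered for SQL metacharacters like *--* (...) or *;* (...)" has no main clause, and the opening claim "SQL Injections are the most common web hacking techniques" is asserted without a source. Suggest finishing the sentence (e.g. "..., the attacker can terminate the intended statement and append one of their own") and either citing where "most common" comes from or softening it to "one of the most common". Also "an serious impact" should be "a serious impact" and "Per example" should be "For example". More importantly, the paragraph frames the defence as checking input "for containing SQL Commands"; the lesson's own content4.adoc hunk points to parameterized queries as the fix, so the text here should say plainly that filtering metacharacters is not the remedy and that the query must be built with bind parameters.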
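Review bot: In the content3.adoc hunk the list moved in under "A successful SQL injection exploit can" overlaps with the existing "SQL injection attacks allow attackers to" list directly below it ("Read and modify sensitive data" against "Tamper with existing data" and "complete disclosure of all data"; "Add users" and "Execute administration operations" against "Become administrator of the database server"). Since both lists now sit in the same file, suggest merging them into one so the consequences page does not say the same thing twice.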
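Review bot: In the content4.adoc hunk the moved heading "SQL Injection is more common in PHP, Classic ASP, Cold Fusion and older languages" attributes the vulnerability to languages, while the bullets beneath it make the real point: query strings built by concatenation in code that did not use a parameterized API. Suggest rewording the heading to "more common in older code bases that concatenate query strings" and keeping the language names as examples, since PHP (PDO, mysqli) and ColdFusion (`cfqueryparam`) have had parameterized queries for years. Drive-by in the unchanged context two lines below the insertion: "Reqistry commands" should be "Registry commands".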
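Review bot: The content5.adoc deletion drops the "Potential Numeric Injection" example (`"select * from users where employee_id = " + userID;` with `userID = 1234567 or 1=1`), and it does not reappear in content5_before.adoc or content5_after.adoc, which only cover the quoted string case. The numeric case is worth keeping: it shows injection working without any quote character, which is why quote escaping alone is not a defence. Suggest adding it back to content5_after.adoc as a second query, or as a second preview in SqlInjection.html.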
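Review bot: In the content5_after.adoc hunk the payloads use typographic quotes (`Smith’ OR ‘1’ = ‘1`, `Smith’; DROP TABLE USERS; ...`); U+2018/U+2019 are not SQL string delimiters, so a learner who copies them into the new preview field sees the quote nested inside the string instead of closing it. Use plain ASCII `'`. The "results in" lines also skip a step and carry stray characters: substituting `Smith' OR '1' = '1` into `"SELECT * FROM users WHERE name = '" + userName + "'"` gives `SELECT * FROM users WHERE name = 'Smith' OR '1' = '1'`, not `"SELECT ... OR TRUE;` (unbalanced leading `"`, a `;` the template never adds); show the literal substitution first, then explain that `'1' = '1'` is always true. For the second payload the resulting query has `--` immediately followed by `'`; MySQL only treats `--` as a comment when it is followed by whitespace, so `Smith' OR 1 = 1 -- ` (with a trailing space) is the portable form. For the third, `DROP TABLE USERS` should match the `users` casing used in the template, and it is worth noting that stacked statements depend on the database and driver (MySQL Connector/J, listed in content4.adoc, needs `allowMultiQueries=true`), so this payload does not work everywhere.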
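Review bot: In the content5_before.adoc hunk the listing `"SELECT * FROM users WHERE name = '" + userName + "'";` is Java string concatenation, not SQL, yet the sentence above calls it "The SQL-query"; say it is how the application code builds the query, so readers do not take the double quotes and `+` as part of the statement, and use ASCII quotes rather than `“injects”`. Grammar in the same hunk: "Think of a web application, that allows to display user information, by typing a username into an input field" should read "Think of a web application that displays user information when a username is typed into an input field", and "If the Input would be Smith the query then looks like that" should read "If the input is Smith, the query looks like this:". The file also lacks a trailing newline (the diff reports "No newline at end of file"), and the `{nbsp}` lines used for spacing here and at the top of content5_after.adoc would be better replaced by CSS margin on the preview `<div>`.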