Draft_Version for SQL Injection
This commit is contained in:
parent
78ff54b910
commit
8667a85865
@ -47,7 +47,7 @@ import java.sql.*;
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/SqlInjection/attack6a")
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint5", "SqlStringInjectionHint6", "SqlStringInjectionHint7"})
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint6", "SqlStringInjectionHint7", "SqlStringInjectionHint8"})
|
||||
public class SqlInjectionLesson6a extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@ -73,6 +73,8 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
|
||||
StringBuffer output = new StringBuffer();
|
||||
|
||||
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
|
||||
if(! (query.toLowerCase().contains("union") || query.toLowerCase().contains("join")) )
|
||||
output.append("There is also a way to retrieve the Data by using a UNION or JOIN. Can you figure out, how this is done?");
|
||||
results.last();
|
||||
|
||||
// If they get back more than one user they succeeded
|
||||
|
@ -49,7 +49,7 @@ public class SqlInjection extends NewLesson {
|
||||
// hints.add(getLabelManager().get("SqlStringInjectionHint2"));
|
||||
// hints.add(getLabelManager().get("SqlStringInjectionHint3"));
|
||||
// hints.add(getLabelManager().get("SqlStringInjectionHint4"));
|
||||
|
||||
// hints.add(getLabelManager().get("SqlStringInjectionHint5"));
|
||||
return hints;
|
||||
}
|
||||
|
||||
|
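Review bot: `// hints.add(getLabelManager().get("SqlStringInjectionHint5"));` adds another commented-out registration next to the already commented-out Hint2–Hint4 lines; since this commit declares hints per endpoint through `@AssignmentHints`, delete these lines rather than keep them as dead code — the history preserves them. If the method is intentionally kept as an empty fallback, a one-line comment such as `// Hints are declared per assignment via @AssignmentHints; nothing is added here.` would explain the otherwise empty `hints` list. The enclosing method begins outside the hunk.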
@ -46,7 +46,7 @@ import java.sql.*;
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/SqlInjection/attack5a")
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint1", "SqlStringInjectionHint2", "SqlStringInjectionHint3", "SqlStringInjectionHint4"})
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint5a1", "SqlStringInjectionHint5a2", "SqlStringInjectionHint5a3", "SqlStringInjectionHint5a4", "SqlStringInjectionHint5a5"})
|
||||
public class SqlInjectionLesson5a extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@ -59,7 +59,7 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint {
|
||||
protected AttackResult injectableQuery(String accountName) {
|
||||
try {
|
||||
Connection connection = DatabaseUtilities.getConnection(getWebSession());
|
||||
String query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
|
||||
String query = "SELECT userid, first_name, last_name, CC_Number, CC_Type, Cookie, Login_Count FROM user_data WHERE last_name = '" + accountName + "'";
|
||||
|
||||
try {
|
||||
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
|
||||
|
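Review bot: The new query `String query = "SELECT userid, first_name, last_name, CC_Number, CC_Type, Cookie, Login_Count FROM user_data WHERE last_name = '" + accountName + "'";` no longer matches what the learner is shown: `SqlStringInjectionHint5a2` in this commit still prints `SELECT * FROM user_data WHERE last_name = "accountName"`, and the lesson text shows `... where LOGIN_COUNT > 0 and FIRST_NAME = ...`; at least one of them should be brought in line with the code. The string concatenation is the lesson's intended vulnerability, so keep it but mark it, e.g. `// Intentionally injectable: accountName is concatenated unescaped so the lesson can be solved.` The `Connection` obtained above is not closed within the hunk; if the remainder of `injectableQuery` does not close it, a try-with-resources would be the fix. The method continues past the hunk.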
@ -47,22 +47,21 @@ import java.sql.*;
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/SqlInjection/attack5b")
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint1", "SqlStringInjectionHint2", "SqlStringInjectionHint3", "SqlStringInjectionHint4"})
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint5b1", "SqlStringInjectionHint5b2", "SqlStringInjectionHint5b3", "SqlStringInjectionHint5b4"})
|
||||
public class SqlInjectionLesson5b extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String userid, HttpServletRequest request) throws IOException {
|
||||
return injectableQuery(userid);
|
||||
|
||||
AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
|
||||
return injectableQuery(login_count, userid);
|
||||
}
|
||||
|
||||
protected AttackResult injectableQuery(String accountName) {
|
||||
protected AttackResult injectableQuery(String login_count, String accountName) {
|
||||
try {
|
||||
Connection connection = DatabaseUtilities.getConnection(getWebSession());
|
||||
String query = "SELECT * FROM user_data WHERE userid = " + accountName;
|
||||
|
||||
String query = "SELECT * FROM user_data WHERE Login_Count = " + login_count + " and userid = " + accountName;
|
||||
System.err.println("Querry: " + query);
|
||||
try {
|
||||
Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
|
||||
ResultSet.CONCUR_READ_ONLY);
|
||||
|
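Review bot: `System.err.println("Querry: " + query);` in the new `injectableQuery(String login_count, String accountName)` is a debug leftover: it writes the full statement, including raw request parameters, to stderr on every call, under a misspelled label. Either drop it or route it through the project logger as other lessons do (`SqlInjectionLesson12a` is annotated `@Slf4j`), e.g. `log.debug("Executing query: {}", query);`. The concatenation in `"SELECT * FROM user_data WHERE Login_Count = " + login_count + " and userid = " + accountName` is the lesson's intentional numeric injection; a one-line comment saying so would keep a later reader from "fixing" it. Also `SqlStringInjectionHint5b1` shows `User_Id = "Name"` whereas the code filters on `userid`; align the hint text with the code. `injectableQuery` continues beyond the hunk.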
@ -21,7 +21,7 @@ import java.sql.*;
|
||||
* @since 6/13/17.
|
||||
*/
|
||||
@AssignmentPath("SqlInjection/attack12a")
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint8", "SqlStringInjectionHint9", "SqlStringInjectionHint10", "SqlStringInjectionHint11"})
|
||||
@AssignmentHints(value = {"SqlStringInjectionHint9", "SqlStringInjectionHint10", "SqlStringInjectionHint11", "SqlStringInjectionHint12"})
|
||||
@Slf4j
|
||||
public class SqlInjectionLesson12a extends AssignmentEndpoint {
|
||||
|
||||
|
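Review bot: The new hint list `{"SqlStringInjectionHint9", "SqlStringInjectionHint10", "SqlStringInjectionHint11", "SqlStringInjectionHint12"}` ends in a key whose text in this commit's properties file is identical to `SqlStringInjectionHint11` (`Use for example "(case when (true) then hostname else id end)" in the order by and see what happens`), so the learner sees the same hint twice. Either give Hint12 its own content or drop it from the annotation. Renumbering shared `SqlStringInjectionHintN` keys across lessons is what caused this; per-lesson prefixes like the `5a`/`5b` keys introduced elsewhere in this commit would avoid it.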
@ -74,12 +74,18 @@
|
||||
action="/WebGoat/SqlInjection/attack5b"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<table>
|
||||
<tr>
|
||||
<td>Login_Count:</td>
|
||||
<td><input name="login_count" value="" type="text"/></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Name:</td>
|
||||
<td><input name="userid" value="" type="TEXT"/></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td></td>
|
||||
<td><input
|
||||
name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</table>
|
||||
</form>
|
||||
|
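Review bot: The new row `<td><input name="login_count" value="" type="text"/></td>` uses `type="text"` while the neighbouring `userid` input keeps `type="TEXT"`; use one casing (lowercase is conventional) for both. Keep it `type="text"` rather than `type="number"`: this lesson expects the learner to submit non-numeric payloads in this field, and a numeric input would reject them client-side before the request is sent. Binding the `Login_Count:` cell to the input with `<label for="login_count">` and an `id` on the input would also make the form usable with a screen reader.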
@ -11,17 +11,22 @@ SqlInjectionChallenge2=The vulnerability is on the register form
|
||||
SqlInjectionChallenge3=Use tooling to automate this attack
|
||||
|
||||
NoResultsMatched=No results matched. Try Again.
|
||||
SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command.
|
||||
SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
|
||||
SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
|
||||
SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
|
||||
SqlStringInjectionHint5=First try to find out the number of columns by adding a group by 1,2,3 etc to the query.
|
||||
SqlStringInjectionHint6=Try adding a union to the query, the number of columns should match.
|
||||
SqlStringInjectionHint7=Try entering [ Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- ].
|
||||
SqlStringInjectionHint8=Try sorting and look at the request
|
||||
SqlStringInjectionHint9=Intercept the request and try to specify a different order by
|
||||
SqlStringInjectionHint10=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
|
||||
SqlStringInjectionHint5a1=The application is taking your input and inserting it at the end of a pre-formed SQL command.
|
||||
SqlStringInjectionHint5a2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
|
||||
SqlStringInjectionHint5a3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
|
||||
SqlStringInjectionHint5a4=Make sure all quotes (" ' ") are opened and closed properly.
|
||||
SqlStringInjectionHint5a5=Try appending the Statement with something like: OR 1 = 1.
|
||||
SqlStringInjectionHint5b1=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE Login_Count = "Login_Count" and User_Id = "Name"
|
||||
SqlStringInjectionHint5b2=Note that you don't need to insert any quotations.
|
||||
SqlStringInjectionHint5b3=Remember how you solved the previous assignment.
|
||||
SqlStringInjectionHint5b4=It does not matter where you insert a statement that always resolves to true.
|
||||
SqlStringInjectionHint6=Try Appending a new SQL Statement to the Query.
|
||||
SqlStringInjectionHint7=The new SQL Statement can be really simple like: SELECT ... FROM ...
|
||||
SqlStringInjectionHint8=Your new SQL Query should start, with a " ; " and end with " -- "
|
||||
SqlStringInjectionHint9=Try sorting and look at the request
|
||||
SqlStringInjectionHint10=Intercept the request and try to specify a different order by
|
||||
SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
|
||||
SqlStringInjectionHint12=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
|
||||
|
||||
sql-injection.5a.success=You have succeeded: {0}
|
||||
sql-injection.5a.no.results=No results matched. Try Again.
|
||||
|
@ -3,8 +3,8 @@
|
||||
The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating strings making it susceptible to String SQL injection:
|
||||
|
||||
------------------------------------------------------------
|
||||
"select * from users where LAST_NAME = ‘" + userName + "'";
|
||||
"select USERID, FIRST_NAME, LAST_NAME, CC_NUMBER, CC_TYPE, COOKIE, LOGIN_COUNT from users where LOGIN_COUNT > 0 and FIRST_NAME = ‘" + userName + "'";
|
||||
------------------------------------------------------------
|
||||
|
||||
Using the form below try to retrieve all the users from the users table. You shouldn't need to know any specific user name to get the complete list, however you can use 'Smith' to see the data for one user.
|
||||
Using the form below try to retrieve all the users from the users table. You shouldn't need to know any specific user name to get the complete list.
|
||||
|
||||
|
@ -3,7 +3,7 @@
|
||||
The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating a number making it susceptible to Numeric SQL injection:
|
||||
|
||||
--------------------------------------------------
|
||||
"select * from users where USERID = " + userID;
|
||||
"select * from users where Login_Count = " + Login_Count + " and USERID = " + userID;
|
||||
--------------------------------------------------
|
||||
|
||||
Using the form below try to retrieve all the users from the users table. You shouldn't need to know any specific user name to get the complete list, however you can use '101' to see the data for one user.
|
||||
Using the form below try to retrieve all the users from the users table. You shouldn't need to know any specific user name or Login_Count to get the complete list.
|
||||
|
@ -1,6 +1,6 @@
|
||||
== Try It! Pulling data from other tables
|
||||
|
||||
Lets try to exploit a join to another table. One of the tables in the WebGoat database is:
|
||||
Lets try to exploit the fact that you can append your own SQL Statement. One of the tables in the WebGoat database is:
|
||||
|
||||
-------------------------------------------------------
|
||||
CREATE TABLE user_system_data (userid int not null primary key,
|
||||
@ -9,7 +9,7 @@ CREATE TABLE user_system_data (userid int not null primary key,
|
||||
cookie varchar(30));
|
||||
-------------------------------------------------------
|
||||
|
||||
*6.a)* Execute a query to union or join these tables. +
|
||||
*6.a)* Inject your own Query into the SQL Statement to retrieve all Data from the Table. +
|
||||
*6.b)* When you have figured it out.... What is Dave's password?
|
||||
|
||||
|
||||
|