SQL Injection - it's broken
This commit is contained in:
mayhew64
@ -0,0 +1,86 @@
|
||||
<!DOCTYPE html>
|
||||
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:SqlInjection_plan.adoc"></div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:SqlInjection_conent1.adoc"></div>
|
||||
</div>
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:SqlInjection_content2.adoc"></div>
|
||||
</div>
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:SqlInjection_content3.adoc"></div>
|
||||
</div>
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:SqlInjection_content4.adoc"></div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<!--
|
||||
<div class="adoc-content" th:replace="doc:HttpBasics_content2.adoc"></div>
|
||||
-->
|
||||
<div class="attack-container">
|
||||
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
|
||||
<div id="lessonContent">
|
||||
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
|
||||
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
|
||||
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="form"
|
||||
action="/WebGoat/SqlInjection/attack1"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<script>
|
||||
// sample custom javascript in the recommended way ...
|
||||
// a namespace has been assigned for it, but you can roll your own if you prefer
|
||||
webgoat.customjs.assignRandomVal = function () {
|
||||
var x = Math.floor((Math.random() * 100) + 1);
|
||||
document.getElementById("magic_num").value = x;
|
||||
};
|
||||
webgoat.customjs.assignRandomVal();
|
||||
</script>
|
||||
<input type="hidden" name="magic_num" id="magic_num" value="foo" />
|
||||
<table>
|
||||
<tr>
|
||||
<td>Was the HTTP command a POST or a GET:</td>
|
||||
<td><input name="answer" value="" type="TEXT" /></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>What is the magic number:</td>
|
||||
<td><input name="magic_answer" value="" type="TEXT" /><input
|
||||
name="SUBMIT" value="Go!" type="SUBMIT" /></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</table>
|
||||
</form>
|
||||
</div>
|
||||
<!-- do not remove the two following div's, this is where your feedback/output will land -->
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</html>
|
||||
@ -0,0 +1,17 @@
|
||||
== What is SQL
|
||||
|
||||
SQL is a way to interact with databases.
|
||||
|
||||
= SQL = Structured Query Language
|
||||
* Not “Standard Query Language”
|
||||
* Multiple versions of SQL. Most databases have some custom functions
|
||||
* Most vendors have a proprietary extension
|
||||
|
||||
= Data Manipulation Language (DML)
|
||||
* SELECT, INSERT, UPDATE, DELETE, …
|
||||
|
||||
= Data Definition Language (DDL)
|
||||
* CREATE, ALTER, DROP,TRUNCATE,…
|
||||
|
||||
= Data Control Language (DCL)
|
||||
* GRANT, REVOKE, …
|
||||
@ -0,0 +1,32 @@
|
||||
== Consequences of SQL Injection
|
||||
|
||||
= SQL injection attacks allow attackers to
|
||||
* Spoof identity
|
||||
* Tamper with existing data
|
||||
* Cause repudiation issues such as voiding transactions or changing balances
|
||||
* Allow the complete disclosure of all data on the system
|
||||
* Destroy the data or make it otherwise unavailable
|
||||
* Become administrator of the database server
|
||||
|
||||
= SQL Injection is more common in PHP, Classic ASP, Cold Fusion and older languages
|
||||
* Languages do not provide parameterized query support
|
||||
* Parameterized queries have been added to newer versions
|
||||
* Early adopters of web technology
|
||||
|
||||
== Severity of SQL Injection
|
||||
|
||||
= The severity of SQL Injection attacks is limited by
|
||||
* Attacker’s skill and imagination
|
||||
* Defense in depth countermeasures
|
||||
Input validation
|
||||
Least privilege
|
||||
* Database technology
|
||||
|
||||
= Not all databases support command chaining
|
||||
* Microsoft Access
|
||||
* MySQL Connector/J and C
|
||||
* Oracle
|
||||
|
||||
= Not all databases are equal (SQL Server)
|
||||
* Command shell: master.dbo.xp_cmdshell 'cmd.exe dir c:'
|
||||
* Reqistry commands: xp_regread, xp_regdeletekey, …
|
||||
@ -0,0 +1,17 @@
|
||||
== Example of SQL Injection
|
||||
|
||||
= Dynamic query in application
|
||||
* select * from users where name = ‘” + userName + “’”;
|
||||
* select * from users where employee_id = ” + userID;
|
||||
|
||||
= Attacker supplies unexpected text
|
||||
* userName = [red]Smith’ or ‘1’=‘1[red]
|
||||
* userName =[red]‘ or 1=1 --[red]
|
||||
* userID = [red]1234567 or 1=1[red]
|
||||
* UserName = [red]Smith’;drop table users; truncate audit_log;--[red]
|
||||
|
||||
= Application executes query
|
||||
* select * from users where name = [red]‘Smith’ or ‘1’ = ‘1’[red]
|
||||
** select * from users where name = [red]‘Smith’ or TRUE[red]
|
||||
* select * from users where employee_id = 1234567 or 1=1
|
||||
** *All records are returned from database*
|
||||
@ -0,0 +1,19 @@
|
||||
== Special Characters & Statements
|
||||
|
||||
/* */ are inline comments
|
||||
-- , # are line comments
|
||||
'Select * from users where name = ‘admin’--and pass = ‘pass’'
|
||||
|
||||
; allows query chaining
|
||||
'Select * from users; drop table users;'
|
||||
|
||||
’,+,|| allows string concatenation
|
||||
Char() strings without quotes
|
||||
'Select * from users where name = ‘+char(27) or 1=1'
|
||||
|
||||
|
||||
Unions allows overlapping of database tables
|
||||
'Select id, text from news
|
||||
union all select name, pass from users'
|
||||
|
||||
Joins allows connecting to other tables
|
||||
@ -0,0 +1,16 @@
|
||||
= SQL Injection
|
||||
|
||||
== Concept
|
||||
|
||||
This lesson describes what is Structured Query Language (SQL) and how it can be manipulated to perform tasks that were not the original intent of the developer.
|
||||
|
||||
== Goals
|
||||
|
||||
* The user should have a basic understand how SQL works and what it is used for.
|
||||
* The user will understand the best practices for defending against SQL injection attacks
|
||||
* The user will demonstrate knowledge on:
|
||||
** String SQL Injection
|
||||
** Numeric SQL Injection
|
||||
** Blind SQL Injection
|
||||
|
||||
|
||||
@ -0,0 +1,5 @@
|
||||
= HTTP Basics
|
||||
|
||||
== Solution
|
||||
|
||||
Solution goes here
|
||||
@ -0,0 +1,14 @@
|
||||
<!DOCTYPE html>
|
||||
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
|
||||
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this block for each 'page' of content -->
|
||||
<!-- include content here ... will be first page/tab multiple -->
|
||||
<div class="adoc-content" th:replace="doc:HttpBasics_solution.adoc"></div>
|
||||
</div>
|
||||
|
||||
|
||||
</html>
|
||||
@ -0,0 +1,8 @@
|
||||
#StringSqlInjection.java
|
||||
StringSqlInjectionSecondStage=Now that you have successfully performed an SQL injection, try the same type of attack on a parameterized query. Restart the lesson if you wish to return to the injectable query.
|
||||
EnterLastName=Enter your last name:
|
||||
NoResultsMatched=No results matched. Try Again.
|
||||
SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command.
|
||||
SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
|
||||
SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
|
||||
SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
|
||||
@ -0,0 +1,8 @@
|
||||
#StringSqlInjection.java
|
||||
StringSqlInjectionSecondStage=Da sie nun erfolgreich eine SQL Injection durchgef\u00fchrt haben, versuchen Sie denselben Typ von Angriff auf eine parametrisierte Anfrage. Starten Sie Diese Lektion neu, wenn Sie zur verwundbaren SQL Anfrage gelangen m\u00f6chten.
|
||||
EnterLastName=Geben Sie Ihren Nachnamen ein:
|
||||
NoResultsMatched=Keine Resultate gefunden, versuchen Sie es erneut
|
||||
SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command.
|
||||
SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
|
||||
SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
|
||||
SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
|
||||
@ -0,0 +1,8 @@
|
||||
#StringSqlInjection.java
|
||||
StringSqlInjectionSecondStage=Maintenant que vous avez r\u00e9alis\u00e9 une injection SQL avec succ\u00e8s, essayer le m\u00eame type d'attaque sur une requ\u00eate param\u00e9tr\u00e9e. Red\u00e9marrez la le\u00e7on si vous souhaitez revenir \u00e0 la requ\u00eate injectable.
|
||||
EnterLastName=Entrez votre nom :
|
||||
NoResultsMatched=Aucun r\u00e9sultat correspondant. Essayez encore.
|
||||
SqlStringInjectionHint1=L'application r\u00e9cup\u00e8re votre saisie et l'ins\u00e8re \u00e0 la fin d'une commande SQL pr\u00e9-form\u00e9e.
|
||||
SqlStringInjectionHint2=Voici le code de la requ\u00eate assembl\u00e9e et ex\u00e9cut\u00e9e par WebGoat :<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
|
||||
SqlStringInjectionHint3=Les commandes SQL compos\u00e9es peuvent \u00eatre assembl\u00e9es en associant de multiples conditions au moyen de mots-cl\u00e9 tels que AND et OR. Essayez d'assembler une condition qui sera toujours r\u00e9solue \u00e0 vrai.
|
||||
SqlStringInjectionHint4=Essayez de saisir [ smith' OR '1' = '1 ].
|
||||
@ -0,0 +1,8 @@
|
||||
#StringSqlInjection.java
|
||||
StringSqlInjectionSecondStage=\u0422\u0435\u043f\u0435\u0440\u044c, \u043a\u043e\u0433\u0434\u0430 \u0432\u0430\u043c \u0443\u0434\u0430\u043b\u043e\u0441\u044c \u0443\u0434\u0430\u0447\u043d\u043e \u043f\u0440\u043e\u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c SQL-\u0438\u043d\u044a\u0435\u043a\u0446\u0438\u044e, \u043f\u043e\u043f\u0440\u043e\u0431\u0443\u0439\u0442\u0435 \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0438\u0442\u044c \u044d\u0442\u043e \u0441 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438\u0437\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u043c \u0437\u0430\u043f\u0440\u043e\u0441\u043e\u043c. \u041d\u0430\u0447\u043d\u0438\u0442\u0435 \u0443\u0440\u043e\u043a \u0437\u0430\u043d\u043e\u0432\u043e \u0435\u0441\u043b\u0438 \u0432\u044b \u0445\u043e\u0442\u0438\u0442\u0435 \u0432\u043d\u043e\u0432\u044c \u0443\u0432\u0438\u0434\u0435\u0442\u044c \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0435 \u043f\u043e\u043b\u0435.
|
||||
EnterLastName=\u0412\u0432\u0435\u0434\u0438\u0442\u0435 \u0432\u0430\u0448\u0443 \u0444\u0430\u043c\u0438\u043b\u0438\u044e:
|
||||
NoResultsMatched=\u041d\u0435\u0442 \u0441\u043e\u0432\u043f\u0430\u0434\u0435\u043d\u0438\u0439. \u041f\u043e\u043f\u0440\u043e\u0431\u0443\u0439\u0442\u0435 \u0441\u043d\u043e\u0432\u0430.
|
||||
SqlStringInjectionHint1=\u041f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435 \u0431\u0435\u0440\u0451\u0442 \u0442\u043e \u0447\u0442\u043e \u0432\u044b \u0432\u0432\u043e\u0434\u0438\u0442\u0435 \u0438 \u0432\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 \u0432 \u043a\u043e\u043d\u0435\u0446 \u0437\u0430\u0440\u0430\u043d\u0435\u0435 \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e SQL-\u0437\u0430\u043f\u0440\u043e\u0441\u0430.
|
||||
SqlStringInjectionHint2=\u0412\u043e\u0442 \u043a\u043e\u0434 \u0437\u0430\u043f\u0440\u043e\u0441\u0430, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442\u0441\u044f WebGoat`\u043e\u043c:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
|
||||
SqlStringInjectionHint3=\u0426\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c SQL-\u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u043c\u043e\u0436\u043d\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0438\u0442\u044c \u043f\u0440\u043e\u0432\u0435\u0434\u044f \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u043f\u0440\u043e\u0432\u0435\u0440\u043e\u043a \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0442\u0430\u043a\u0438\u0445 \u043a\u043b\u044e\u0447\u0435\u0432\u044b\u0445 \u0441\u043b\u043e\u0432 \u043a\u0430\u043a AND \u0438 OR. \u041f\u0440\u043e\u0431\u0443\u0439\u0442\u0435 \u0441\u043e\u0441\u0442\u0430\u0432\u0438\u0442\u044c \u0442\u0430\u043a\u043e\u0435 SQL-\u0432\u044b\u0440\u0430\u0436\u0435\u043d\u0438\u0435, \u043a\u043e\u0442\u043e\u0440\u043e\u0435 \u0432\u0441\u0435\u0433\u0434\u0430 \u0431\u0443\u0434\u0435\u0442 \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0442\u044c \u0438\u0441\u0442\u0438\u043d\u0443.
|
||||
SqlStringInjectionHint4=\u041f\u043e\u043f\u0440\u043e\u0431\u0443\u0439\u0442\u0435 \u0432\u0432\u0435\u0441\u0442\u0438 [ smith' OR '1' = '1 ].
|
||||
Reference in New Issue
Block a user