|
|
|
|
@ -1,7 +1,4 @@
|
|
|
|
|
#StringSqlInjection.java
|
|
|
|
|
StringSqlInjectionSecondStage=Now that you have successfully performed an SQL injection, try the same type of attack on a parameterized query. Restart the lesson if you wish to return to the injectable query.
|
|
|
|
|
EnterLastName=Enter your last name:
|
|
|
|
|
|
|
|
|
|
sql.injection.title=SQL Injection (introduction)
|
|
|
|
|
sql.mitigation.title=SQL Injection (mitigation)
|
|
|
|
|
sql.advanced.title=SQL Injection (advanced)
|
|
|
|
|
@ -11,47 +8,21 @@ SqlInjectionChallenge2=The vulnerability is on the register form
|
|
|
|
|
SqlInjectionChallenge3=Use tooling to automate this attack
|
|
|
|
|
sql-injection.error=<span class='feedback-negative'>Sorry, this solution is not correct. Try again!</span>
|
|
|
|
|
|
|
|
|
|
sql-injection.2.success=You have succeded!
|
|
|
|
|
sql-injection.2.failed=Something went wrong! You got no results, check your SQL Statement and the table above
|
|
|
|
|
|
|
|
|
|
sql-injection.error=<span class='feedback-negative'>Sorry, this solution is not correct. Try again!</span>
|
|
|
|
|
|
|
|
|
|
NoResultsMatched=No results matched. Try Again.
|
|
|
|
|
|
|
|
|
|
SqlInjectionChallengeHint1=The Table Name is randomized at each start of Webgoat, try to figure out the name first.
|
|
|
|
|
SqlInjectionChallengeHint2=Find the Field which is vulnerable to SQL Injection use that to change the password.
|
|
|
|
|
SqlInjectionChallengeHint3=Change the password through an Update Statement.
|
|
|
|
|
SqlInjectionChallengeHint4=The Vulnerable Field is the Username Field of the Register form.
|
|
|
|
|
SqlStringInjectionHint5b1=Try to check which of the input fields is susceptible to an injection attack.
|
|
|
|
|
SqlStringInjectionHint5b2=Insert 0 or 1 = 1 into the first input field. Th Output should tell you if this field is injectable.
|
|
|
|
|
SqlStringInjectionHint5b3=The first Input field is not susceptible to sql injection.
|
|
|
|
|
SqlStringInjectionHint5b4=You don't need to insert any quotations into your injection-string.
|
|
|
|
|
SqlStringInjectionHint6a1=Try Appending stuff like ",1" to your query, to figure out how many columns there are.
|
|
|
|
|
SqlStringInjectionHint6a2=When using a UNION the number of columns, from both tables should match.
|
|
|
|
|
SqlStringInjectionHint6a3=The UNION should contain 7 columns.
|
|
|
|
|
SqlStringInjectionHint6a4=Try using these columns in your union: userid, user_name, password, cookie, cookie, cookie, userid.
|
|
|
|
|
sql-injection.2.success=You have succeeded!
|
|
|
|
|
sql-injection.2.failed=Something went wrong! You got no results, check your SQL Statement and the table above
|
|
|
|
|
SqlStringInjectionHint2-1=You want the data from the column with the name department. You know the database name (employees) and you know the first- and lastname of the employee (first_name, last_name).
|
|
|
|
|
SqlStringInjectionHint2-2=SELECT column FROM tablename WHERE condition;
|
|
|
|
|
|
|
|
|
|
SqlStringInjectionHint2a1=You want the data from the column with the name department. You know the database name (employees) and you know the first- and lastname of the employee (first_name, last_name).
|
|
|
|
|
SqlStringInjectionHint2a2=SELECT column FROM tablename WHERE condition;
|
|
|
|
|
SqlStringInjectionHint3a1=Try the UPDATE statement
|
|
|
|
|
SqlStringInjectionHint3a2=UPDATE tablename SET columnname=value WHERE condition;
|
|
|
|
|
SqlStringInjectionHint4a1=ALTER TABLE alters the structure of an existing database
|
|
|
|
|
SqlStringInjectionHint4a2=Don't forget the data type of the new column (e.g. varchar(size) or int(size))
|
|
|
|
|
SqlStringInjectionHint4a3=ALTER TABLE tablename ADD columnname data type(size);
|
|
|
|
|
SqlStringInjectionHint5a1=Look at the example. There's everything you'll need.
|
|
|
|
|
SqlStringInjectionHint6=Try Appending a new SQL Statement to the Query.
|
|
|
|
|
SqlStringInjectionHint7=The new SQL Statement can be really simple like: SELECT ... FROM ...
|
|
|
|
|
SqlStringInjectionHint8=Your new SQL Query should start, with a " ; " and end with " -- "
|
|
|
|
|
SqlStringInjectionHint3-1=Try the UPDATE statement
|
|
|
|
|
SqlStringInjectionHint3-2=UPDATE tablename SET columnname=value WHERE condition;
|
|
|
|
|
|
|
|
|
|
SqlStringInjectionHint9=Try sorting and look at the request
|
|
|
|
|
SqlStringInjectionHint10=Intercept the request and try to specify a different order by
|
|
|
|
|
SqlStringInjectionHint10a1=First establish a connection, after that you can create a statement.
|
|
|
|
|
SqlStringInjectionHint10a2=For every datatype there is a method to insert values into a wildcard symbol in a statement.
|
|
|
|
|
SqlStringInjectionHint10b1=A database connection has to be surrounded by a try-catch block to handle the very common case of an error while establishing the connection!
|
|
|
|
|
SqlStringInjectionHint10b2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL-Injections!
|
|
|
|
|
SqlStringInjectionHint10b3=The wildcard-symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every datatype!
|
|
|
|
|
SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
|
|
|
|
|
SqlStringInjectionHint12=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
|
|
|
|
|
SqlStringInjectionHint4-1=ALTER TABLE alters the structure of an existing database
|
|
|
|
|
SqlStringInjectionHint4-2=Don't forget the data type of the new column (e.g. varchar(size) or int(size))
|
|
|
|
|
SqlStringInjectionHint4-3=ALTER TABLE tablename ADD columnname data type(size);
|
|
|
|
|
|
|
|
|
|
SqlStringInjectionHint5-1=Look at the example. There's everything you'll need.
|
|
|
|
|
|
|
|
|
|
sql-injection.5a.success=You have succeeded: {0}
|
|
|
|
|
sql-injection.5a.no.results=No results matched. Try Again.
|
|
|
|
|
@ -59,32 +30,59 @@ sql-injection.5a.no.results=No results matched. Try Again.
|
|
|
|
|
sql-injection.5b.success=You have succeeded: {0}
|
|
|
|
|
sql-injection.5b.no.results=No results matched. Try Again.
|
|
|
|
|
|
|
|
|
|
SqlStringInjectionHint5b1=Try to check which of the input fields is susceptible to an injection attack.
|
|
|
|
|
SqlStringInjectionHint5b2=Insert 0 or 1 = 1 into the first input field. Th Output should tell you if this field is injectable.
|
|
|
|
|
SqlStringInjectionHint5b3=The first Input field is not susceptible to sql injection.
|
|
|
|
|
SqlStringInjectionHint5b4=You don't need to insert any quotations into your injection-string.
|
|
|
|
|
|
|
|
|
|
sql-injection.6a.success=You have succeeded: {0}
|
|
|
|
|
sql-injection.6a.no.results=No results matched. Try Again.
|
|
|
|
|
|
|
|
|
|
sql-injection.advanced.6a.success=You have succeed: {0}
|
|
|
|
|
sql-injection.advanced.6a.no.results=No results matched. Try Again.
|
|
|
|
|
SqlStringInjectionHint-advanced-6a-1=Try Appending a new SQL Statement to the Query.
|
|
|
|
|
SqlStringInjectionHint-advanced-6a-2=The new SQL Statement can be really simple like: SELECT ... FROM ...
|
|
|
|
|
SqlStringInjectionHint-advanced-6a-3=Your new SQL Query should start, with a " ; " and end with " -- "
|
|
|
|
|
|
|
|
|
|
sql-injection.6b.success=You have succeeded: {0}
|
|
|
|
|
sql-injection.6b.no.results=No results matched. Try Again.
|
|
|
|
|
|
|
|
|
|
sql-injection.8.success=You have succeeded! You successfully compromised the confidentiality of data by viewing internal information that you should not have access to. Well done! {0}
|
|
|
|
|
sql-injection.8.no.results=No employee found with matching lastname. Or maybe your authentication TAN is incorrect?
|
|
|
|
|
sql-injection.9.success=Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary! {0}
|
|
|
|
|
sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data.
|
|
|
|
|
|
|
|
|
|
SqlStringInjectionHint.8.1=The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command.
|
|
|
|
|
SqlStringInjectionHint.8.2=Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR.
|
|
|
|
|
SqlStringInjectionHint.8.3=Try appending a SQL statement that always resolves to true.
|
|
|
|
|
SqlStringInjectionHint.8.4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct.
|
|
|
|
|
SqlStringInjectionHint.8.5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1.
|
|
|
|
|
|
|
|
|
|
sql-injection.9.success=Well done! Now you're earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary! {0}
|
|
|
|
|
SqlStringInjectionHint.9.1=Try to find a way, to chain another query to the end of the existing one.
|
|
|
|
|
SqlStringInjectionHint.9.2=Use the ; metacharacter to do so.
|
|
|
|
|
SqlStringInjectionHint.9.3=Make use of DML to change your salary.
|
|
|
|
|
SqlStringInjectionHint.9.4=Make sure that the resulting query is syntactically correct.
|
|
|
|
|
SqlStringInjectionHint.9.5=How about something like '; UPDATE employees....
|
|
|
|
|
|
|
|
|
|
sql-injection.10.success=Success! You successfully deleted the access_log table and that way compromised the availability of the data.
|
|
|
|
|
SqlStringInjectionHint.10.1=Use the techniques that you have learned before.
|
|
|
|
|
SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it.
|
|
|
|
|
SqlStringInjectionHint.10.3=Try query chaining to reach the goal.
|
|
|
|
|
SqlStringInjectionHint.10.4=The DDL allows you to delete (DROP) database tables.
|
|
|
|
|
SqlStringInjectionHint.10.5=The underlying sql query looks like that: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'".
|
|
|
|
|
SqlStringInjectionHint.10.6=Remember that you can use the -- metacharacter to comment out the rest of the line.
|
|
|
|
|
SqlStringInjectionHint.10.6=Remember that you can use the -- metacharacter to comment out the rest of the line.
|
|
|
|
|
|
|
|
|
|
SqlStringInjectionHint-mitigation-10a-1=First establish a connection, after that you can create a statement.
|
|
|
|
|
SqlStringInjectionHint-mitigation-10a-2=For every datatype there is a method to insert values into a wildcard symbol in a statement.
|
|
|
|
|
|
|
|
|
|
SqlStringInjectionHint-mitigation-10b-1=A database connection has to be surrounded by a try-catch block to handle the very common case of an error while establishing the connection!
|
|
|
|
|
SqlStringInjectionHint-mitigation-10b-2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL-Injections!
|
|
|
|
|
SqlStringInjectionHint-mitigation-10b-3=The wildcard-symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every datatype!
|
|
|
|
|
|
|
|
|
|
SqlStringInjectionHint-mitigation-12a-1=Try sorting and look at the request
|
|
|
|
|
SqlStringInjectionHint-mitigation-12a-2=Intercept the request and try to specify a different order by
|
|
|
|
|
SqlStringInjectionHint-mitigation-12a-3=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
|
|
|
|
|
SqlStringInjectionHint-mitigation-12a-4=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
|
|
|
|
|
|
|
|
|
|
SqlInjectionChallengeHint1=The Table Name is randomized at each start of Webgoat, try to figure out the name first.
|
|
|
|
|
SqlInjectionChallengeHint2=Find the Field which is vulnerable to SQL Injection use that to change the password.
|
|
|
|
|
SqlInjectionChallengeHint3=Change the password through an Update Statement.
|
|
|
|
|
SqlInjectionChallengeHint4=The Vulnerable Field is the Username Field of the Register form.
|
Benedikt - Desktop
Nanne Baars