276 lines
7.4 KiB
Java
276 lines
7.4 KiB
Java
package org.owasp.webgoat.lessons;
|
|
|
|
import java.sql.Connection;
|
|
import java.sql.PreparedStatement;
|
|
import java.sql.ResultSet;
|
|
import java.sql.ResultSetMetaData;
|
|
import java.sql.SQLException;
|
|
import java.sql.Statement;
|
|
import java.util.ArrayList;
|
|
import java.util.List;
|
|
|
|
import org.apache.ecs.Element;
|
|
import org.apache.ecs.ElementContainer;
|
|
import org.apache.ecs.html.BR;
|
|
import org.apache.ecs.html.Input;
|
|
import org.apache.ecs.html.P;
|
|
import org.apache.ecs.html.PRE;
|
|
import org.owasp.webgoat.session.DatabaseUtilities;
|
|
import org.owasp.webgoat.session.ECSFactory;
|
|
import org.owasp.webgoat.session.WebSession;
|
|
|
|
|
|
/**
|
|
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
|
|
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
|
|
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
|
|
* this software.
|
|
*
|
|
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
|
|
* @created October 28, 2003
|
|
*/
|
|
public class SqlStringInjection extends LessonAdapter
|
|
{
|
|
private final static String ACCT_NAME = "account_name";
|
|
private static Connection connection = null;
|
|
private static String STAGE = "stage";
|
|
private String accountName;
|
|
|
|
/**
|
|
* Description of the Method
|
|
*
|
|
* @param s Description of the Parameter
|
|
* @return Description of the Return Value
|
|
*/
|
|
protected Element createContent( WebSession s )
|
|
{
|
|
return super.createStagedContent(s);
|
|
}
|
|
|
|
protected Element doStage1( WebSession s ) throws Exception
|
|
{
|
|
return injectableQuery( s );
|
|
}
|
|
|
|
protected Element doStage2( WebSession s ) throws Exception
|
|
{
|
|
return parameterizedQuery( s);
|
|
}
|
|
|
|
|
|
protected Element injectableQuery( WebSession s )
|
|
{
|
|
ElementContainer ec = new ElementContainer();
|
|
|
|
try
|
|
{
|
|
if ( connection == null )
|
|
{
|
|
connection = DatabaseUtilities.makeConnection( s );
|
|
}
|
|
|
|
ec.addElement( makeAccountLine( s ) );
|
|
|
|
String query = "SELECT * FROM user_data WHERE last_name = '" + accountName +"'";
|
|
ec.addElement( new PRE( query ) );
|
|
|
|
try
|
|
{
|
|
Statement statement = connection.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
|
|
ResultSet results = statement.executeQuery( query );
|
|
|
|
if ( ( results != null ) && ( results.first() == true ) )
|
|
{
|
|
ResultSetMetaData resultsMetaData = results.getMetaData();
|
|
ec.addElement( DatabaseUtilities.writeTable( results, resultsMetaData ) );
|
|
results.last();
|
|
|
|
// If they get back more than one user they succeeded
|
|
if ( results.getRow() >= 6 )
|
|
{
|
|
makeSuccess( s );
|
|
getLessonTracker(s).setStage(2);
|
|
|
|
StringBuffer msg = new StringBuffer();
|
|
|
|
msg.append("Bet you can't do it again! ");
|
|
msg.append("This lesson has detected your successfull attack ");
|
|
msg.append("and has now switch to a defensive mode. ");
|
|
msg.append("Try again to attack a parameterized query.");
|
|
|
|
s.setMessage(msg.toString());
|
|
}
|
|
}
|
|
else
|
|
{
|
|
ec.addElement( "No results matched. Try Again." );
|
|
}
|
|
}
|
|
catch ( SQLException sqle )
|
|
{
|
|
ec.addElement( new P().addElement( sqle.getMessage() ) );
|
|
}
|
|
}
|
|
catch ( Exception e )
|
|
{
|
|
s.setMessage( "Error generating " + this.getClass().getName() );
|
|
e.printStackTrace();
|
|
}
|
|
|
|
return ( ec );
|
|
}
|
|
|
|
|
|
protected Element parameterizedQuery( WebSession s )
|
|
{
|
|
ElementContainer ec = new ElementContainer();
|
|
|
|
ec.addElement("Now that you have successfully performed an SQL injection, try the same " +
|
|
" type of attack on a parameterized query. Type 'restart' in the input field if you wish to " +
|
|
" to return to the injectable query");
|
|
if ( s.getParser().getRawParameter( ACCT_NAME, "YOUR_NAME" ).equals("restart"))
|
|
{
|
|
getLessonTracker(s).getLessonProperties().setProperty(STAGE,"1");
|
|
return( injectableQuery(s));
|
|
}
|
|
|
|
ec.addElement( new BR() );
|
|
|
|
try
|
|
{
|
|
if ( connection == null )
|
|
{
|
|
connection = DatabaseUtilities.makeConnection( s );
|
|
}
|
|
|
|
ec.addElement( makeAccountLine( s ) );
|
|
|
|
String query = "SELECT * FROM user_data WHERE last_name = ?";
|
|
ec.addElement( new PRE( query ) );
|
|
|
|
try
|
|
{
|
|
PreparedStatement statement = connection.prepareStatement( query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
|
|
statement.setString(1, accountName);
|
|
ResultSet results = statement.executeQuery();
|
|
|
|
if ( ( results != null ) && ( results.first() == true ) )
|
|
{
|
|
ResultSetMetaData resultsMetaData = results.getMetaData();
|
|
ec.addElement( DatabaseUtilities.writeTable( results, resultsMetaData ) );
|
|
results.last();
|
|
|
|
// If they get back more than one user they succeeded
|
|
if ( results.getRow() >= 6 )
|
|
{
|
|
makeSuccess( s );
|
|
}
|
|
}
|
|
else
|
|
{
|
|
ec.addElement( "No results matched. Try Again." );
|
|
}
|
|
}
|
|
catch ( SQLException sqle )
|
|
{
|
|
ec.addElement( new P().addElement( sqle.getMessage() ) );
|
|
}
|
|
}
|
|
catch ( Exception e )
|
|
{
|
|
s.setMessage( "Error generating " + this.getClass().getName() );
|
|
e.printStackTrace();
|
|
}
|
|
|
|
return ( ec );
|
|
}
|
|
|
|
protected Element makeAccountLine( WebSession s )
|
|
{
|
|
ElementContainer ec = new ElementContainer();
|
|
ec.addElement( new P().addElement( "Enter your last name: " ) );
|
|
|
|
accountName = s.getParser().getRawParameter( ACCT_NAME, "Your Name" );
|
|
Input input = new Input( Input.TEXT, ACCT_NAME, accountName.toString() );
|
|
ec.addElement( input );
|
|
|
|
Element b = ECSFactory.makeButton( "Go!" );
|
|
ec.addElement( b );
|
|
|
|
return ec;
|
|
|
|
}
|
|
|
|
|
|
/**
|
|
* Gets the category attribute of the SqNumericInjection object
|
|
*
|
|
* @return The category value
|
|
*/
|
|
protected Category getDefaultCategory()
|
|
{
|
|
return AbstractLesson.A6;
|
|
}
|
|
|
|
|
|
/**
|
|
* Gets the hints attribute of the DatabaseFieldScreen object
|
|
*
|
|
* @return The hints value
|
|
*/
|
|
protected List getHints()
|
|
{
|
|
List<String> hints = new ArrayList<String>();
|
|
hints.add( "The application is taking your input and inserting it at the end of a pre-formed SQL command." );
|
|
hints.add( "This is the code for the query being built and issued by WebGoat:<br><br> " +
|
|
"\"SELECT * FROM user_data WHERE last_name = \" + accountName " );
|
|
hints.add( "Compound SQL statements can be made by joining multiple tests with keywords like AND and OR." +
|
|
"Try appending a SQL statement that always resolves to true");
|
|
hints.add( "Try entering [ smith' OR '1' = '1 ]." );
|
|
|
|
return hints;
|
|
}
|
|
|
|
private final static Integer DEFAULT_RANKING = new Integer(75);
|
|
|
|
protected Integer getDefaultRanking()
|
|
{
|
|
return DEFAULT_RANKING;
|
|
}
|
|
|
|
/**
|
|
* Gets the title attribute of the DatabaseFieldScreen object
|
|
*
|
|
* @return The title value
|
|
*/
|
|
public String getTitle()
|
|
{
|
|
return ( "How to Perform String SQL Injection" );
|
|
}
|
|
|
|
|
|
/**
|
|
* Constructor for the DatabaseFieldScreen object
|
|
*
|
|
* @param s Description of the Parameter
|
|
*/
|
|
public void handleRequest( WebSession s )
|
|
{
|
|
try
|
|
{
|
|
super.handleRequest( s );
|
|
|
|
if ( connection == null )
|
|
{
|
|
connection = DatabaseUtilities.makeConnection( s );
|
|
}
|
|
}
|
|
catch ( Exception e )
|
|
{
|
|
System.out.println( "Exception caught: " + e );
|
|
e.printStackTrace( System.out );
|
|
}
|
|
}
|
|
}
|
|
|