28 lines
2.0 KiB
Properties
#StringSqlInjection.java
StringSqlInjectionSecondStage=Now that you have successfully performed an SQL injection, try the same type of attack on a parameterized query. Restart the lesson if you wish to return to the injectable query.
EnterLastName=Enter your last name:
NoResultsMatched=No results matched. Try Again.
SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command.
SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true.
SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
SqlStringInjectionHint5=First try to find out the number of columns by adding a group by 1,2,3 etc. to the query.
SqlStringInjectionHint6=Try adding a union to the query; the number of columns should match.
SqlStringInjectionHint7=Try entering [ Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- ].
SqlStringInjectionHint8=Try sorting and look at the request.
SqlStringInjectionHint9=Intercept the request and try to specify a different order by.
SqlStringInjectionHint10=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens.
SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens.

sql-injection.5a.success=You have succeeded: {0}
sql-injection.5a.no.results=No results matched. Try Again.

sql-injection.5b.success=You have succeeded: {0}
sql-injection.5b.no.results=No results matched. Try Again.

sql-injection.6a.success=You have succeeded: {0}
sql-injection.6a.no.results=No results matched. Try Again.

sql-injection.6b.success=You have succeeded: {0}
sql-injection.6b.no.results=No results matched. Try Again.