<input name="password" type="password" size="10" maxlength="8">
# String SQL injection for stage 1
' or 'a'='a';--
' or 1=1;--
abc' or 1=1;--
Select field1, field2 from table where username="" and password ='abc' or 1=1;--
Stage 2: Parameterized Query #1
The task is to develop a patch that prevents the injection performed in the previous stage:
cd ~/WebGoat/tomcat/webapps/WebGoat/JavaSource/org/owasp/webgoat/lessons/SQLInjection/
vim Login.java
Replace the string-built query:
// userId and password are concatenated straight into the SQL text, so a quote in
// either value changes the statement itself (this is the vulnerable original).
String query = "SELECT * FROM employee WHERE userid = " + userId + " and password = '" + password + "'";
// System.out.println("Query:" + query);
try
{
Statement answer_statement = WebSession.getConnection(s)
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
ResultSet answer_results = answer_statement.executeQuery(query);
...
with a prepared statement:
// The SQL text is fixed; userId and password are bound as parameters and can
// never be interpreted as SQL.
String query = "SELECT * FROM employee WHERE userid = ? and password = ?";
try
{
Connection connection = WebSession.getConnection(s);
PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
statement.setString(1, userId);
statement.setString(2, password);
ResultSet answer_results = statement.executeQuery();
...
Stage 4: Parameterized Query #2
The fix follows the same approach as Stage 2 (a prepared statement).
cd ~/WebGoat-5.2/tomcat/webapps/WebGoat/JavaSource/org/owasp/webgoat/lessons/SQLInjection/
vim ViewProfile.java
Modify the string-built query:
// Both userId and subjectUserId are concatenated into the SQL text (vulnerable original).
String query = "SELECT employee.* "
+ "FROM employee, ownership WHERE employee.userid = ownership.employee_id and "
+ "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId;
try
{
Statement answer_statement = WebSession.getConnection(s)
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
ResultSet answer_results = answer_statement.executeQuery(query);
...
into a prepared statement:
// Same query shape, but both ids are bound as parameters.
String query = "SELECT employee.* "
+ "FROM employee, ownership WHERE employee.userid = ownership.employee_id and "
+ "ownership.employer_id = ? and ownership.employee_id = ?";
try
{
Connection connection = WebSession.getConnection(s);
PreparedStatement statement = connection.prepareStatement(query,
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
statement.setString(1, userId);
statement.setString(2, subjectUserId);
ResultSet answer_results = statement.executeQuery();
...
Solution:
As we can see from the picture above, the SQL statement is
SELECT * FROM user_data WHERE last_name = 'Your Name'
We can use the comment marker to discard the trailing single quote.
Attacking input: Smith' or 1=1; -- ("--" is the comment marker; anything that follows it is ignored)
Smith' or '1'='1'; --
The SQL statement then becomes:
SELECT * FROM user_data WHERE last_name = 'Smith' or 1=1; --'
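The following is an added, runnable illustration (not code from the gist or from WebGoat) of the two points made above: why the string-built query in stage 1 and the Solution section accepts the `Smith' or 1=1; --` input, and why the prepared-statement patch from stages 2 and 4 does not. It uses Python's sqlite3 with a constructed in-memory user_data table as a stand-in for WebGoat's database; the `?` placeholder bound via a parameter tuple plays the same role as JDBC's PreparedStatement with setString.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for WebGoat's user_data table
    (assumed schema, not WebGoat's own)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (userid INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO user_data VALUES (?, ?, ?)",
        [(101, "Joe", "Snow"), (102, "John", "Smith"), (103, "Jane", "Plane")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, last_name):
    """Vulnerable pattern: the SQL text is built by concatenation, exactly like
    the stage-1 Login.java query. Whatever the caller types becomes SQL."""
    query = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(query).fetchall()


def lookup_prepared(conn, last_name):
    """Patched pattern: the SQL text is constant and the value is bound as a
    parameter, the same idea as PreparedStatement.setString in the patch."""
    query = "SELECT * FROM user_data WHERE last_name = ?"
    return conn.execute(query, (last_name,)).fetchall()


def demo():
    """Run both lookups with an honest name and with the page's payload and
    return the number of rows each one yields."""
    conn = make_db()
    honest = "Smith"
    # The page's payload: the quote closes the literal, 'or 1=1' makes the
    # WHERE clause always true, and '--' comments out the closing quote.
    payload = "Smith' or 1=1; --"
    return {
        "concat_honest": len(lookup_concat(conn, honest)),      # 1 row
        "concat_payload": len(lookup_concat(conn, payload)),    # every row
        "prepared_honest": len(lookup_prepared(conn, honest)),  # 1 row
        "prepared_payload": len(lookup_prepared(conn, payload)),  # 0 rows: no such last name
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

With the concatenated query the payload returns all three rows because the WHERE clause has collapsed to `last_name = 'Smith' or 1=1`; with the bound parameter the database searches for a last name literally equal to `Smith' or 1=1; --` and finds nothing. That difference, not input filtering, is what the Stage 2 and Stage 4 patches rely on.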
Stage 3:
Log in as Larry with password larry.