Adding extra lesson for order by clauses

chencool · Jun 15, 2017 · a484467 · a484467
1 parent ee912f7
commit a484467
Show file tree

Hide file tree

Showing 20 changed files with 1,318 additions and 1,010 deletions.
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java b/webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java
@@ -4,6 +4,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.util.FileSystemUtils;
 
 import javax.annotation.PostConstruct;
 import java.io.File;
@@ -23,14 +24,6 @@ public class CleanupLocalProgressFiles {
     @PostConstruct
     public void clean() {
         File dir = new File(webgoatHome);
-        if (dir.exists()) {
-            File[] progressFiles = dir.listFiles(f -> f.getName().endsWith(".progress"));
-            if (progressFiles != null) {
-                log.info("Removing stored user preferences...");
-                for (File f : progressFiles) {
-                    f.delete();
-                }
-            }
-        }
+        FileSystemUtils.deleteRecursively(dir);
     }
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java
diff --git a/.../webgoat/plugin/SqlInjectionAdvanced.java → ...plugin/advanced/SqlInjectionAdvanced.java b/.../webgoat/plugin/SqlInjectionAdvanced.java → ...plugin/advanced/SqlInjectionAdvanced.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.plugin;
+package org.owasp.webgoat.plugin.advanced;
 
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.NewLesson;

diff --git a/...webgoat/plugin/SqlInjectionChallenge.java → ...lugin/advanced/SqlInjectionChallenge.java b/...webgoat/plugin/SqlInjectionChallenge.java → ...lugin/advanced/SqlInjectionChallenge.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.plugin;
+package org.owasp.webgoat.plugin.advanced;
 
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomStringUtils;

diff --git a/...rg/owasp/webgoat/plugin/SqlInjection.java → ...oat/plugin/introduction/SqlInjection.java b/...rg/owasp/webgoat/plugin/SqlInjection.java → ...oat/plugin/introduction/SqlInjection.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.plugin;
+package org.owasp.webgoat.plugin.introduction;
 
 import java.util.ArrayList;
 import java.util.List;

diff --git a/.../webgoat/plugin/SqlInjectionLesson5a.java → ...in/introduction/SqlInjectionLesson5a.java b/.../webgoat/plugin/SqlInjectionLesson5a.java → ...in/introduction/SqlInjectionLesson5a.java
@@ -1,5 +1,5 @@
 
-package org.owasp.webgoat.plugin;
+package org.owasp.webgoat.plugin.introduction;
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;

diff --git a/.../webgoat/plugin/SqlInjectionLesson5b.java → ...in/introduction/SqlInjectionLesson5b.java b/.../webgoat/plugin/SqlInjectionLesson5b.java → ...in/introduction/SqlInjectionLesson5b.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.plugin;
+package org.owasp.webgoat.plugin.introduction;
 
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;

diff --git a/.../webgoat/plugin/SqlInjectionLesson6a.java → ...in/introduction/SqlInjectionLesson6a.java b/.../webgoat/plugin/SqlInjectionLesson6a.java → ...in/introduction/SqlInjectionLesson6a.java
@@ -1,5 +1,5 @@
 
-package org.owasp.webgoat.plugin;
+package org.owasp.webgoat.plugin.introduction;
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
@@ -14,8 +14,6 @@
 import java.io.IOException;
 import java.sql.*;
 
-import static org.owasp.webgoat.plugin.SqlInjectionLesson5a.writeTable;
-
 
 /***************************************************************************************************
  *
@@ -74,7 +72,7 @@ protected AttackResult injectableQuery(String accountName) {
                     ResultSetMetaData resultsMetaData = results.getMetaData();
                     StringBuffer output = new StringBuffer();
 
-                    output.append(writeTable(results, resultsMetaData));
+                    output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
                     results.last();
 
                     // If they get back more than one user they succeeded

diff --git a/.../webgoat/plugin/SqlInjectionLesson6b.java → ...in/introduction/SqlInjectionLesson6b.java b/.../webgoat/plugin/SqlInjectionLesson6b.java → ...in/introduction/SqlInjectionLesson6b.java
@@ -1,5 +1,5 @@
 
-package org.owasp.webgoat.plugin;
+package org.owasp.webgoat.plugin.introduction;
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;

diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/Servers.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/Servers.java
@@ -0,0 +1,56 @@
+package org.owasp.webgoat.plugin.mitigation;
+
+import com.google.common.collect.Lists;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.SneakyThrows;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.*;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.util.List;
+
+/**
+ * @author nbaars
+ * @since 6/13/17.
+ */
+@RestController
+@RequestMapping("SqlInjection/servers")
+public class Servers {
+
+    @AllArgsConstructor
+    @Getter
+    private class Server {
+
+        private String id;
+        private String hostname;
+        private String ip;
+        private String mac;
+        private String status;
+        private String description;
+    }
+
+    @Autowired
+    private WebSession webSession;
+
+    @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
+    @SneakyThrows
+    @ResponseBody
+    public List<Server> sort(@RequestParam String column) {
+        Connection connection = DatabaseUtilities.getConnection(webSession);
+        PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers  where status <> 'out of order' order by " + column);
+        ResultSet rs = preparedStatement.executeQuery();
+        List<Server> servers = Lists.newArrayList();
+        while (rs.next()) {
+            Server server = new Server(rs.getString(1), rs.getString(2), rs.getString(3), rs.getString(4), rs.getString(5), rs.getString(6));
+            servers.add(server);
+        }
+        return servers;
+    }
+
+}
diff --git a/...ql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java b/...ql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
@@ -0,0 +1,46 @@
+package org.owasp.webgoat.plugin.mitigation;
+
+import lombok.SneakyThrows;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.sql.*;
+
+/**
+ * @author nbaars
+ * @since 6/13/17.
+ */
+@AssignmentPath("SqlInjection/attack12a")
+@AssignmentHints(value = {"SqlStringInjectionHint8", "SqlStringInjectionHint9", "SqlStringInjectionHint10", "SqlStringInjectionHint11"})
+@Slf4j
+public class SqlInjectionLesson12a extends AssignmentEndpoint {
+
+    @Autowired
+    private WebSession webSession;
+
+    @RequestMapping(method = RequestMethod.POST)
+    @ResponseBody
+    @SneakyThrows
+    public AttackResult completed(@RequestParam String ip) {
+        Connection connection = DatabaseUtilities.getConnection(webSession);
+        PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where ip = ?");
+        preparedStatement.setString(1, ip);
+        ResultSet resultSet = preparedStatement.executeQuery();
+        if (resultSet.next()) {
+            return trackProgress(success().build());
+        }
+        return trackProgress(failed().build());
+    }
+}
+
+
diff --git a/...bgoat/plugin/SqlInjectionMitigations.java → ...n/mitigation/SqlInjectionMitigations.java b/...bgoat/plugin/SqlInjectionMitigations.java → ...n/mitigation/SqlInjectionMitigations.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.plugin;
+package org.owasp.webgoat.plugin.mitigation;
 
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.NewLesson;

diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
@@ -27,6 +27,84 @@
     <div class="adoc-content" th:replace="doc:SqlInjection_content12.adoc"></div>
 </div>
 
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_content12a.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SqlInjection_order_by.adoc"></div>
+    <script th:src="@{/lesson_js/assignment12.js}" language="JavaScript"></script>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/SqlInjection/attack12a"
+              enctype="application/json;charset=UTF-8">
+            <div class="container-fluid">
+                <div class="row">
+                    <div class="panel panel-primary">
+                        <div class="panel-heading">
+                            <h3>List of servers
+                                <div class="pull-right">
+                                    <button id="btn-admin" class="btn btn-default"><span
+                                            class="glyphicon glyphicon-pencil"></span> Edit
+                                    </button>
+                                </div>
+                            </h3>
+                        </div>
+                        <div id="toolbar-admin" class="panel-body">
+                            <div class="btn-toolbar" role="toolbar" aria-label="admin">
+                                <div class="btn-group pull-right" role="group">
+                                    <button id="btn-online" type="button" class="btn btn-success">Online</button>
+                                    <button id="btn-offline" type="button" class="btn btn-warning">Offline</button>
+                                    <button id="btn-out-of-order" type="button" class="btn btn-danger">Out Of Order
+                                    </button>
+                                </div>
+                            </div>
+                        </div>
+                        <table class="table table-striped table-hover">
+                            <thead>
+                            <tr>
+                                <th class="col-check"></th>
+                                <th></th>
+                                <th>Hostname <span onclick="getServers('hostname')"><i
+                                        class="fa fa-fw fa-sort"></i></span>
+                                </th>
+                                <th>IP <span onclick="getServers('ip')"><i class="fa fa-fw fa-sort"></i></span></th>
+                                <th>MAC <span onclick="getServers('mac')"><i class="fa fa-fw fa-sort"></i></span></th>
+                                <th>Status <span onclick="getServers('status')"><i class="fa fa-fw fa-sort"></i></span>
+                                </th>
+                                <th>Description <span onclick="getServers('description')"><i
+                                        class="fa fa-fw fa-sort"></i></span>
+                                </th>
+                            </tr>
+                            </thead>
+                            <tbody id="servers">
+                            </tbody>
+                        </table>
+                    </div>
+                </div>
+                <br/>
+                <br/>
+            </div>
+        </form>
+        <form class="attack-form" method="POST" name="form" action="SqlInjection/attack12a">
+            <div class="form-group">
+                <div class="input-group">
+                    <div class="input-group-addon">IP address webgoat-prd server:</div>
+                    <input type="text" class="form-control" id="ip" name="ip"
+                           placeholder="192.1.0.12"/>
+                </div>
+                <div class="input-group" style="margin-top: 10px">
+                    <button type="submit" class="btn btn-primary">Submit</button>
+                </div>
+            </div>
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+</div>
+
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:SqlInjection_content13.adoc"></div>
 </div>

diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@@ -9,6 +9,10 @@ SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
 SqlStringInjectionHint5=First try to find out the number of columns by adding a group by 1,2,3 etc to the query.
 SqlStringInjectionHint6=Try adding a union to the query, the number of columns should match.
 SqlStringInjectionHint7=Try entering [ Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- ].
+SqlStringInjectionHint8=Try sorting and look at the request
+SqlStringInjectionHint9=Intercept the request and try to specify a different order by
+SqlStringInjectionHint10=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
+SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
 
 sql-injection.5a.success=You have succeed: {0}
 sql-injection.5a.no.results=No results matched. Try Again.

diff --git a/webgoat-lessons/sql-injection/src/main/resources/js/assignment12.js b/webgoat-lessons/sql-injection/src/main/resources/js/assignment12.js
@@ -0,0 +1,61 @@
+$(function () {
+    $('.col-check').hide();
+    $('#btn-admin').on('click', function () {
+        if ($("#toolbar-admin").is(":visible")) {
+            $("#toolbar-admin").hide();
+            $(".col-check").hide();
+        }
+        else {
+            $("#toolbar-admin").show();
+            $(".col-check").show();
+        }
+    });
+
+    $('#btn-online').on('click', function () {
+        $('table tr').filter(':has(:checkbox:checked)').find('td').parent().removeClass().addClass('success');
+        $('table tr').filter(':has(:checkbox:checked)').find('td.status').text('online');
+    });
+    $('#btn-offline').on('click', function () {
+        $('table tr').filter(':has(:checkbox:checked)').find('td').parent().removeClass().addClass('warning');
+        $('table tr').filter(':has(:checkbox:checked)').find('td.status').text('offline');
+    });
+    $('#btn-out-of-order').on('click', function () {
+        $('table tr').filter(':has(:checkbox:checked)').find('td').parent().removeClass().addClass('danger');
+        $('table tr').filter(':has(:checkbox:checked)').find('td.status').text('out of order');
+    });
+
+});
+
+$(document).ready(function () {
+    getServers('id');
+});
+
+var html = '<tr class="STATUS">' +
+    '<td class="col-check"><input type="checkbox" class="form-check-input"/></td>' +
+    '<td>HOSTNAME</td>' +
+    '<td>IP</td>' +
+    '<td>MAC</td>' +
+    '<td class="status">ONLINE</td>' +
+    '<td>DESCRIPTION</td>' +
+    '</tr>';
+
+function getServers(column) {
+    $.get("SqlInjection/servers?column=" + column, function (result, status) {
+        $("#servers").empty();
+        for (var i = 0; i < result.length; i++) {
+            var server = html.replace('ID', result[i].id);
+            var status = "success";
+            if (result[i].status === 'offline') {
+                status = "danger";
+            }
+            server = server.replace('ONLINE', status);
+            server = server.replace('STATUS', status);
+            server = server.replace('HOSTNAME', result[i].hostname);
+            server = server.replace('IP', result[i].ip);
+            server = server.replace('MAC', result[i].mac);
+            server = server.replace('DESCRIPTION', result[i].description);
+            $("#servers").append(server);
+        }
+
+    });
+}