Trying to wire up the DB connection and fill out first sql stub

gaobaoru · Nov 16, 2016 · 24b2e79 · 24b2e79
1 parent ec2fc5a
commit 24b2e79
Show file tree

Hide file tree

Showing 4 changed files with 104 additions and 96 deletions.
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java
@@ -7,6 +7,8 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import org.springframework.beans.factory.annotation.Autowired;
+
 
 /**
  *************************************************************************************************
@@ -42,6 +44,8 @@ public class DatabaseUtilities
 
 	private static Map<String, Connection> connections = new HashMap<String, Connection>();
 	private static Map<String, Boolean> dbBuilt = new HashMap<String, Boolean>();
+    @Autowired
+    private static WebSession webSession;
 
 	/**
 	 * <p>getConnection.</p>
@@ -50,9 +54,9 @@ public class DatabaseUtilities
 	 * @return a {@link java.sql.Connection} object.
 	 * @throws java.sql.SQLException if any.
 	 */
-	public static Connection getConnection(WebSession s) throws SQLException
+	public static Connection getConnection() throws SQLException
 	{
-		return getConnection(s.getUserName(), s.getWebgoatContext());
+		return getConnection(webSession.getUserName(), webSession.getWebgoatContext());
 	}
 
 	/**

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
@@ -62,8 +62,8 @@ public WebSession(WebgoatContext webgoatContext) {
      * @return a {@link java.sql.Connection} object.
      * @throws java.sql.SQLException if any.
      */
-    public static synchronized Connection getConnection(WebSession s) throws SQLException {
-        return DatabaseUtilities.getConnection(s);
+    public static synchronized Connection getConnection() throws SQLException {
+        return DatabaseUtilities.getConnection();
     }
 
     /**

diff --git a/...sp/webgoat/plugin/SqlInjectionLesson.java → .../webgoat/plugin/SqlInjectionLesson5a.java b/...sp/webgoat/plugin/SqlInjectionLesson.java → .../webgoat/plugin/SqlInjectionLesson5a.java
@@ -2,11 +2,17 @@
 package org.owasp.webgoat.plugin;
 
 import java.io.IOException;
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.ResultSetMetaData;
+import java.sql.SQLException;
+import java.sql.Statement;
 
 import javax.servlet.http.HttpServletRequest;
 
 import org.owasp.webgoat.lessons.Assignment;
 import org.owasp.webgoat.lessons.model.AttackResult;
+import org.owasp.webgoat.session.DatabaseUtilities;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -44,106 +50,104 @@
  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
  * @created October 28, 2003
  */
-public class SqlInjectionLesson extends Assignment {
+public class SqlInjectionLesson5a extends Assignment {
 
 	@RequestMapping(method = RequestMethod.POST)
-	public @ResponseBody AttackResult completed(@RequestParam String person, HttpServletRequest request) throws IOException {
-	    if (!person.toString().equals("")) {
-	        return trackProgress(AttackResult.success("The server has reversed your name: " + new StringBuffer(person).reverse().toString()));
-	    } else {
-	        return trackProgress(AttackResult.failed("You are close, try again"));
-	    }
+	public @ResponseBody AttackResult completed(@RequestParam String answer, HttpServletRequest request) throws IOException {
+System.out.println("answer:" + answer);
+		return injectableQuery(answer);
 	}
 
     @Override
     public String getPath() {
-        return "/SqlInjection/attack1";
+        return "/SqlInjection/attack5a";
     }
 
 
-//    private final static String ACCT_NAME = "account_name";
-//
-//    private static String STAGE = "stage";
-//
-//    private String accountName;
-//
-//    /**
-//     * Description of the Method
-//     * 
-//     * @param s
-//     *            Description of the Parameter
-//     * @return Description of the Return Value
-//     */
-//    protected Element createContent(WebSession s)
-//    {
-//        return super.createStagedContent(s);
-//    }
-//
-//    protected Element doStage1(WebSession s) throws Exception
-//    {
-//        return injectableQuery(s);
-//    }
-//
-//    protected Element doStage2(WebSession s) throws Exception
-//    {
-//        return parameterizedQuery(s);
-//    }
-//
-//    protected Element injectableQuery(WebSession s)
-//    {
-//        ElementContainer ec = new ElementContainer();
-//
-//        try
-//        {
-//            Connection connection = DatabaseUtilities.getConnection(s);
-//
-//            ec.addElement(makeAccountLine(s));
-//
-//            String query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
-//            ec.addElement(new PRE(query));
-//
-//            try
-//            {
-//                Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
-//                                                                    ResultSet.CONCUR_READ_ONLY);
-//                ResultSet results = statement.executeQuery(query);
-//
-//                if ((results != null) && (results.first() == true))
-//                {
-//                    ResultSetMetaData resultsMetaData = results.getMetaData();
-//                    ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
-//                    results.last();
-//
-//                    // If they get back more than one user they succeeded
-//                    if (results.getRow() >= 6)
-//                    {
-//                        makeSuccess(s);
-//                        getLessonTracker(s).setStage(2);
-//
-//                        StringBuffer msg = new StringBuffer();
-//
-//                        msg.append(getLabelManager().get("StringSqlInjectionSecondStage"));
-//
-//                        s.setMessage(msg.toString());
-//                    }
-//                }
-//                else
-//                {
-//                    ec.addElement(getLabelManager().get("NoResultsMatched"));
-//                }
-//            } catch (SQLException sqle)
-//            {
-//                ec.addElement(new P().addElement(sqle.getMessage()));
-//                sqle.printStackTrace();
-//            }
-//        } catch (Exception e)
-//        {
-//            s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
-//            e.printStackTrace();
-//        }
-//
-//        return (ec);
-//    }
+
+    protected AttackResult injectableQuery(String accountName)
+    {
+        try
+        {
+            Connection connection = DatabaseUtilities.getConnection();
+            String query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
+
+            try
+            {
+                Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+                                                                    ResultSet.CONCUR_READ_ONLY);
+                ResultSet results = statement.executeQuery(query);
+
+                if ((results != null) && (results.first() == true))
+                {
+                    ResultSetMetaData resultsMetaData = results.getMetaData();
+                	StringBuffer output = new StringBuffer();
+
+                    output.append(writeTable(results, resultsMetaData));
+                    results.last();
+
+                    // If they get back more than one user they succeeded
+                    if (results.getRow() >= 6)
+                    {
+                    	return trackProgress(AttackResult.success("You have succeed: " + output.toString()));
+                   } else {
+                	   return trackProgress(AttackResult.failed("You are close, try again. "));
+                   }
+
+                }
+                else
+                {
+                	return trackProgress(AttackResult.failed("No Results Matched. Try Again. "));
+
+//                    output.append(getLabelManager().get("NoResultsMatched"));
+                }
+            } catch (SQLException sqle)
+            {
+            	return trackProgress(AttackResult.failed(sqle.getMessage()));
+            }
+        } catch (Exception e)
+        {
+        	return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName()));
+        }
+    }
+
+    public String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException,
+	SQLException 
+    {
+		int numColumns = resultsMetaData.getColumnCount();
+		results.beforeFirst();
+		StringBuffer t = new StringBuffer();
+
+		if (results.next())
+		{
+			for (int i = 1; i < (numColumns + 1); i++)
+			{
+				t.append(resultsMetaData.getColumnName(i));
+				t.append(", ");
+			}
+
+			t.append(System.getProperty("line.separator"));
+			results.beforeFirst();
+
+			while (results.next())
+			{
+
+				for (int i = 1; i < (numColumns + 1); i++)
+				{
+					t.append(results.getString(i));
+					t.append(", ");
+				}
+
+				t.append(System.getProperty("line.separator"));
+			}
+
+			return (t.toString());
+		}
+		else
+		{
+			return ("Query Successful; however no data was returned from this query.");
+		}
+    }
 //
 //    protected Element parameterizedQuery(WebSession s)
 //    {

diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/html/SqlInjection.html b/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/html/SqlInjection.html
@@ -56,7 +56,7 @@
 					enctype="application/json;charset=UTF-8">
 					<table>
 						<tr>
-							<td>Name:</td>
+							<td>Account Name:</td>
 							<td><input name="answer" value="" type="TEXT" /></td>
 							<td></td>
 						</tr>