Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix: Success if only Smith earn most salary #1744

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
zubcevic merged 5 commits into from
Jun 1, 2024
Merged

fix: Success if only Smith earn most salary #1744

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
b59b178
Update labels
FrancoisCapon Feb 10, 2024
ed30a0b
Update Java
FrancoisCapon Feb 10, 2024
97a44e7
Update Test
FrancoisCapon Feb 10, 2024
ef22bd5
Merge branch 'main' into fix-increase-only-smith-salary
zubcevic May 28, 2024
390a58a
Merge branch 'main' into fix-increase-only-smith-salary
zubcevic Jun 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
100 changes: 54 additions & 46 deletions src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,66 +63,74 @@ public AttackResult completed(@RequestParam String name, @RequestParam String au

protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
StringBuilder output = new StringBuilder();
String query =
String queryInjection =
"SELECT * FROM employees WHERE last_name = '"
+ name
+ "' AND auth_tan = '"
+ auth_tan
+ "'";
try (Connection connection = dataSource.getConnection()) {
try {
Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
SqlInjectionLesson8.log(connection, query);
ResultSet results = statement.executeQuery(query);
var test = results.getRow() != 0;
if (results.getStatement() != null) {
if (results.first()) {
output.append(SqlInjectionLesson8.generateTable(results));
} else {
// no results
return failed(this).feedback("sql-injection.8.no.results").build();
}
}
} catch (SQLException e) {
System.err.println(e.getMessage());
return failed(this)
.output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>")
.build();
// V2019_09_26_7__employees.sql
int oldMaxSalary = this.getMaxSalary(connection);
int oldSumSalariesOfOtherEmployees = this.getSumSalariesOfOtherEmployees(connection);
// begin transaction
connection.setAutoCommit(false);
// do injectable query
Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
SqlInjectionLesson8.log(connection, queryInjection);
statement.execute(queryInjection);
// check new sum of salaries other employees and new salaries of John
int newJohnSalary = this.getJohnSalary(connection);
int newSumSalariesOfOtherEmployees = this.getSumSalariesOfOtherEmployees(connection);
if (newJohnSalary > oldMaxSalary
&& newSumSalariesOfOtherEmployees == oldSumSalariesOfOtherEmployees) {
// success commit
connection.commit(); // need execute not executeQuery
connection.setAutoCommit(true);
output.append(
SqlInjectionLesson8.generateTable(this.getEmployeesDataOrderBySalaryDesc(connection)));
return success(this).feedback("sql-injection.9.success").output(output.toString()).build();
}

return checkSalaryRanking(connection, output);

} catch (Exception e) {
// failed roolback
connection.rollback();
return failed(this)
.feedback("sql-injection.9.one")
.output(
SqlInjectionLesson8.generateTable(this.getEmployeesDataOrderBySalaryDesc(connection)))
.build();
} catch (SQLException e) {
System.err.println(e.getMessage());
return failed(this)
.output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>")
.build();
}
}

private AttackResult checkSalaryRanking(Connection connection, StringBuilder output) {
try {
String query = "SELECT * FROM employees ORDER BY salary DESC";
try (Statement statement =
connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE); ) {
ResultSet results = statement.executeQuery(query);
private int getSqlInt(Connection connection, String query) throws SQLException {
Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
ResultSet results = statement.executeQuery(query);
results.first();
return results.getInt(1);
}

results.first();
// user completes lesson if John Smith is the first in the list
if ((results.getString(2).equals("John")) && (results.getString(3).equals("Smith"))) {
output.append(SqlInjectionLesson8.generateTable(results));
return success(this)
.feedback("sql-injection.9.success")
.output(output.toString())
.build();
} else {
return failed(this).feedback("sql-injection.9.one").output(output.toString()).build();
}
}
} catch (SQLException e) {
return failed(this)
.output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>")
.build();
}
private int getMaxSalary(Connection connection) throws SQLException {
String query = "SELECT max(salary) FROM employees";
return this.getSqlInt(connection, query);
}

private int getSumSalariesOfOtherEmployees(Connection connection) throws SQLException {
String query = "SELECT sum(salary) FROM employees WHERE auth_tan != '3SL99A'";
return this.getSqlInt(connection, query);
}

private int getJohnSalary(Connection connection) throws SQLException {
String query = "SELECT salary FROM employees WHERE auth_tan = '3SL99A'";
return this.getSqlInt(connection, query);
}

private ResultSet getEmployeesDataOrderBySalaryDesc(Connection connection) throws SQLException {
String query = "SELECT * FROM employees ORDER BY salary DESC";
Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
return statement.executeQuery(query);
}
}
4 changes: 2 additions & 2 deletions src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels.properties
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,8 +63,8 @@ SqlStringInjectionHint.8.3=Try appending a SQL statement that always resolves to
SqlStringInjectionHint.8.4=Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct.
SqlStringInjectionHint.8.5=Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1.

sql-injection.9.success=Well done! Now you are earning the most money. And at the same time you successfully compromised the integrity of data by changing the salary!
sql-injection.9.one=Still not earning enough! Better try again and change that.
sql-injection.9.success=Well done! Now you are earning the most money. And at the same time you successfully compromised the integrity of data by changing your salary!
sql-injection.9.one=Still not earning enough or only your own salary must be changed! Better try again and change that.
SqlStringInjectionHint.9.1=Try to find a way, to chain another query to the end of the existing one.
SqlStringInjectionHint.9.2=Use the ; metacharacter to do so.
SqlStringInjectionHint.9.3=Make use of DML to change your salary.
Expand Down
148 changes: 35 additions & 113 deletions ...est/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9Test.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,148 +37,70 @@
*/
public class SqlInjectionLesson9Test extends SqlLessonTest {

private String completedError = "JSON path \"lessonCompleted\"";
private final String completedError = "JSON path \"lessonCompleted\"";

@Test
public void oneAccount() throws Exception {
try {
mockMvc
.perform(
MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smith")
.param("auth_tan", "3SL99A"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.one"))))
.andExpect(jsonPath("$.output", containsString("<table><tr><th>")));
} catch (AssertionError e) {
if (!e.getMessage().contains(completedError)) throw e;

mockMvc
.perform(
MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smith")
.param("auth_tan", "3SL99A"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(true)))
.andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.success"))))
.andExpect(jsonPath("$.output", containsString("<table><tr><th>")));
}
}

@Test
public void multipleAccounts() throws Exception {
public void malformedQueryReturnsError() throws Exception {
try {
mockMvc
.perform(
MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smith")
.param("auth_tan", "3SL99A' OR '1' = '1"))
.param("auth_tan", "3SL99A' OR '1' = '1'"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.one"))))
.andExpect(
jsonPath(
"$.output",
containsString(
"<tr><td>96134<\\/td><td>Bob<\\/td><td>Franco<\\/td><td>Marketing<\\/td><td>83700<\\/td><td>LO9S2V<\\/td><\\/tr>")));
.andExpect(jsonPath("$.output", containsString("feedback-negative")));
} catch (AssertionError e) {
if (!e.getMessage().contains(completedError)) throw e;

mockMvc
.perform(
MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smith")
.param("auth_tan", "3SL99A' OR '1' = '1"))
.param("auth_tan", "3SL99A' OR '1' = '1'"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(true)))
.andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.success"))))
.andExpect(
jsonPath(
"$.output",
containsString(
"<tr><td>96134<\\/td><td>Bob<\\/td><td>Franco<\\/td><td>Marketing<\\/td><td>83700<\\/td><td>LO9S2V<\\/td><\\/tr>")));
.andExpect(jsonPath("$.output", containsString("feedback-negative")));
}
}

@Test
public void wrongNameReturnsNoAccounts() throws Exception {
try {
mockMvc
.perform(
MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smithh")
.param("auth_tan", "3SL99A"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.no.results"))))
.andExpect(jsonPath("$.output").doesNotExist());
} catch (AssertionError e) {
if (!e.getMessage().contains(completedError)) throw e;

mockMvc
.perform(
MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smithh")
.param("auth_tan", "3SL99A"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(true)))
.andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.no.success"))))
.andExpect(jsonPath("$.output").doesNotExist());
}
public void SmithIsNotMostEarning() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smith")
.param(
"auth_tan",
"3SL99A'; UPDATE employees SET salary = 9999 WHERE last_name = 'Smith"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.one"))));
}

@Test
public void wrongTANReturnsNoAccounts() throws Exception {
try {
mockMvc
.perform(
MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smithh")
.param("auth_tan", ""))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.no.results"))))
.andExpect(jsonPath("$.output").doesNotExist());
} catch (AssertionError e) {
if (!e.getMessage().contains(completedError)) throw e;

mockMvc
.perform(
MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smithh")
.param("auth_tan", ""))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(true)))
.andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.success"))))
.andExpect(jsonPath("$.output").doesNotExist());
}
public void OnlySmithSalaryMustBeUpdated() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smith")
.param("auth_tan", "3SL99A'; UPDATE employees SET salary = 9999 -- "))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.one"))));
}

@Test
public void malformedQueryReturnsError() throws Exception {
try {
mockMvc
.perform(
MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smith")
.param("auth_tan", "3SL99A' OR '1' = '1'"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.output", containsString("feedback-negative")));
} catch (AssertionError e) {
if (!e.getMessage().contains(completedError)) throw e;

mockMvc
.perform(
MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "Smith")
.param("auth_tan", "3SL99A' OR '1' = '1'"))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(true)))
.andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.success"))))
.andExpect(jsonPath("$.output", containsString("feedback-negative")));
}
public void OnlySmithMustMostEarning() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.post("/SqlInjection/attack9")
.param("name", "'; UPDATE employees SET salary = 999999 -- ")
.param("auth_tan", ""))
.andExpect(status().isOk())
.andExpect(jsonPath("lessonCompleted", is(false)))
.andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.one"))));
}

@Test
Expand Down