[Lesson] SQL injection Intro 5 not solvable · Issue #974 · WebGoat/WebGoat · GitHub

[Lesson] SQL injection Intro 5 not solvable #974

Closed
schwzr opened this issue Mar 30, 2021 · 6 comments

Comments

schwzr commented Mar 30, 2021

Version used: 8.2.1-SNAPSHOT

Lesson description: "Try to grant the user group "UnauthorizedUser" the right to alter tables"

The lesson can't be solved because the "grant alter table" without the specification of an object (like a table, sequence, ...) is not possible in HSQLDB.

Documentation (http://hsqldb.org/doc/2.0/guide/guide.html#acc_access_rights):

GRANT

grant privilege statement

<grant privilege statement> ::= GRANT <privileges> TO <grantee> [ { <comma> <grantee> }... ] [ WITH GRANT OPTION ] [ GRANTED BY <grantor> ]

Assign privileges on schema objects to roles or users. Each <grantee> is a role or a user. If [ WITH GRANT OPTION ] is specified, then the <grantee> can assign the privileges to other <grantee> objects.

<privileges> ::= <object privileges> ON <object name>

<object privileges> ::= ALL PRIVILEGES | <action> [ <filter clause> ] [ { <comma> <action> }... ]

<action> ::= SELECT | SELECT <left paren> <privilege column list> <right paren> | DELETE | INSERT [ <left paren> <privilege column list> <right paren> ] | UPDATE [ <left paren> <privilege column list> <right paren> ] | REFERENCES [ <left paren> <privilege column list> <right paren> ] | TRIGGER | USAGE | EXECUTE

<object name> ::= [ TABLE ] <table name> | DOMAIN <domain name> | COLLATION <collation name> | CHARACTER SET <character set name> | TRANSLATION <transliteration name> | TYPE <user-defined type name> | SEQUENCE <sequence generator name> | <specific routine designator> | ROUTINE <routine name> | FUNCTION <function name> | PROCEDURE <procedure name>

Solving the challenge was possible before the rewrite of the solution checker (d4da2d0). Maybe just the lesson description is not updated yet?
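To make the grammar excerpt concrete, here is a small recursive-descent checker for the GRANT subset quoted above (an added example, not WebGoat or HSQLDB code; it assumes column lists, filter clauses, quoted identifiers, CHARACTER SET and TRANSLATION objects are out of scope). It reports why a statement such as `GRANT ALTER TABLE TO UnauthorizedUser` cannot fit the grammar (ALTER is not an <action>, and ON <object name> is mandatory) while `GRANT SELECT ON grant_rights TO UnauthorizedUser` does, which is also handy when auditing the privileges a lesson or application grants.

```python
import re

# Subset of the HSQLDB <grant privilege statement> grammar quoted in the report above.
# Assumption: column lists, <filter clause>, quoted names, CHARACTER SET and TRANSLATION are left out.
ACTIONS = {"SELECT", "DELETE", "INSERT", "UPDATE", "REFERENCES", "TRIGGER", "USAGE", "EXECUTE"}
OBJECT_KINDS = {"TABLE", "DOMAIN", "COLLATION", "TYPE", "SEQUENCE", "ROUTINE", "FUNCTION", "PROCEDURE"}
_WORD = r"[A-Za-z_][A-Za-z0-9_.]*"

def tokenize(stmt):
    """Split into keywords, names and commas; any other character (quotes, parentheses, ';') is rejected."""
    stmt = stmt.strip().rstrip(";").strip()
    pieces = re.findall(rf"\s*(?:,|{_WORD})", stmt)
    if "".join(pieces) != stmt:
        raise ValueError("statement contains characters outside the supported GRANT subset")
    return [p.strip() for p in pieces]

def parse_grant(stmt):
    """Return the parts of a GRANT, or raise ValueError saying why the grammar rejects it."""
    toks, i = tokenize(stmt), 0
    def peek(): return toks[i].upper() if i < len(toks) else None
    def take(expected=None):  # consume one token, optionally requiring a given keyword
        nonlocal i
        if i >= len(toks) or (expected and toks[i].upper() != expected):
            raise ValueError(f"expected {expected or 'a name'} but found {toks[i] if i < len(toks) else 'end of statement'!r}")
        i += 1
        return toks[i - 1]

    take("GRANT")
    if peek() == "ALL": take("ALL"); take("PRIVILEGES"); actions = ["ALL PRIVILEGES"]
    else:                                    # <action> [ { , <action> }... ]
        actions = [take().upper()]
        while peek() == ",": take(","); actions.append(take().upper())
        bad = [a for a in actions if a not in ACTIONS]
        if bad:                              # e.g. ALTER: not an <action> in HSQLDB at all
            raise ValueError(f"{bad} are not grantable actions; allowed: {sorted(ACTIONS)}")
    take("ON")                               # <privileges> always require ON <object name>
    kind = take().upper() if peek() in OBJECT_KINDS else "TABLE"
    obj, _ = take(), take("TO")
    grantees = [take()]
    while peek() == ",": take(","); grantees.append(take())
    grant_option = peek() == "WITH"          # WITH GRANT OPTION lets the grantee pass the right on
    if grant_option: take("WITH"); take("GRANT"); take("OPTION")
    if peek() == "GRANTED": take("GRANTED"); take("BY"); take()
    if i != len(toks): raise ValueError(f"unexpected trailing tokens: {toks[i:]}")
    return {"actions": actions, "object": (kind, obj), "grantees": grantees, "grant_option": grant_option}

def grant_error(stmt):
    """None if the statement fits the grammar, otherwise the reason it does not."""
    try: parse_grant(stmt); return None
    except ValueError as exc: return str(exc)
```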

@github-actions
Thanks for submitting your first issue, we will have a look as quickly as possible.


nbaars commented Mar 31, 2021

Thanks for reporting, indeed this is an issue. This has been reported through the WebGoat mailing list as well; I forgot to make a GitHub issue for it. It has been fixed but is waiting on a release:

d4da2d0

@nbaars nbaars closed this as completed Mar 31, 2021
@nbaars nbaars added the waiting for release Issue is fix, waiting on new release label Mar 31, 2021
@nbaars nbaars self-assigned this Mar 31, 2021
@nbaars nbaars added this to the 8.1.1 milestone Mar 31, 2021
@nbaars nbaars reopened this Mar 31, 2021
schwzr commented Mar 31, 2021

@nbaars thank you for your fast response and all of your work, especially in the last couple of days.

I read the commit (as I wrote in the issue description). In the current version (on the develop branch) the lesson description is not matching the solution. Maybe I am missing a commit where the description was changed, but it seems the description says you should grant the right to alter tables, where you actually should grant the right to perform select queries on the grant_rights table.

nbaars commented Apr 1, 2021

@schwzr thank you for checking! I will check the lesson description; I think I indeed forgot to update the text.

nbaars added a commit that referenced this issue Apr 1, 2021
nbaars commented Apr 1, 2021

@schwzr updated the lesson text #981

nbaars added a commit that referenced this issue Apr 2, 2021
@nbaars nbaars closed this as completed Jul 27, 2021
@nbaars nbaars modified the milestones: 8.1.1, 8.2.0 Jul 27, 2021
@nbaars nbaars added 4 - Done and removed waiting for release Issue is fix, waiting on new release labels Jul 27, 2021
@hsienjian
thank you
