|
| 1 | +/** |
| 2 | + * OWASP Benchmark v1.2 |
| 3 | + * |
| 4 | + * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For |
| 5 | + * details, please see <a |
| 6 | + * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>. |
| 7 | + * |
| 8 | + * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms |
| 9 | + * of the GNU General Public License as published by the Free Software Foundation, version 2. |
| 10 | + * |
| 11 | + * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY |
| 12 | + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR |
| 13 | + * PURPOSE. See the GNU General Public License for more details. |
| 14 | + * |
| 15 | + * @author Dave Wichers |
| 16 | + * @created 2015 |
| 17 | + */ |
| 18 | +package org.owasp.benchmark.copilot; |
| 19 | + |
| 20 | +import javax.servlet.ServletException; |
| 21 | +import javax.servlet.annotation.WebServlet; |
| 22 | +import javax.servlet.http.HttpServlet; |
| 23 | +import javax.servlet.http.HttpServletRequest; |
| 24 | +import javax.servlet.http.HttpServletResponse; |
| 25 | +import java.io.IOException; |
| 26 | + |
| 27 | +// ToDo: Review files |
| 28 | +@WebServlet(value = "/sqli-00/BenchmarkTest00032") |
| 29 | +public class BenchmarkTest00032 extends HttpServlet { |
| 30 | + |
| 31 | + private static final long serialVersionUID = 1L; |
| 32 | + |
| 33 | + @Override |
| 34 | + public void doGet(HttpServletRequest request, HttpServletResponse response) |
| 35 | + throws ServletException, IOException { |
| 36 | + doPost(request, response); |
| 37 | + } |
| 38 | + |
| 39 | + @Override |
| 40 | + public void doPost(HttpServletRequest request, HttpServletResponse response) |
| 41 | + throws ServletException, IOException { |
| 42 | + // some code |
| 43 | + response.setContentType("text/html;charset=UTF-8"); |
| 44 | + |
| 45 | + java.util.Map<String, String[]> map = request.getParameterMap(); |
| 46 | + String param = ""; |
| 47 | + if (!map.isEmpty()) { |
| 48 | + String[] values = map.get("BenchmarkTest00032"); |
| 49 | + if (values != null) param = values[0]; |
| 50 | + } |
| 51 | + |
| 52 | + try { |
| 53 | + String sql = "SELECT * from USERS where USERNAME='foo' and PASSWORD='" + param + "'"; |
| 54 | + |
| 55 | + org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.execute(sql); |
| 56 | + response.getWriter() |
| 57 | + .println( |
| 58 | + "No results can be displayed for query: " |
| 59 | + + org.owasp.esapi.ESAPI.encoder().encodeForHTML(sql) |
| 60 | + + "<br>" |
| 61 | + + " because the Spring execute method doesn't return results."); |
| 62 | + |
| 63 | + } catch (org.springframework.dao.DataAccessException e) { |
| 64 | + if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) { |
| 65 | + response.getWriter().println("Error processing request."); |
| 66 | + } else throw new ServletException(e); |
| 67 | + } |
| 68 | + } |
| 69 | +} |
0 commit comments