package org.owasp.webgoat.lessons;

import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.Div;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.PRE;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.session.WebgoatContext;

/* loaded from: input_file:WebGoat.war:plugin_lessons/back-doors-1.0.jar:org/owasp/webgoat/lessons/BackDoors.class */
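/**
 * WebGoat training lesson "Database Backdoors" (category {@code INJECTION}).
 *
 * <p>The lesson builds a SQL query by appending the raw {@code username} request
 * parameter to {@link #SELECT_ST} and splits the result on {@code ';'}. Stage 1
 * is passed when the split yields a second statement, which is then executed;
 * stage 2 is passed when the input additionally contains {@code CREATE TRIGGER}.
 *
 * <p>The string-built query is the subject of the lesson and is kept as is.
 * Code that is not meant to demonstrate injection would bind the user id through
 * a {@code PreparedStatement} parameter and never execute a caller-supplied
 * second statement.
 *
 * <p>Everything else that reaches the page (the echoed parameter, database
 * cell values, exception text) is HTML-escaped, and JDBC statements and result
 * sets are closed after use.
 */
public class BackDoors extends SequentialLessonAdapter {
    private static final Integer DEFAULT_RANKING = Integer.valueOf(80);
    private static final String USERNAME = "username";
    private static final String SELECT_ST = "select userid, password, ssn, salary, email from employee where userid=";

    /** Inline stylesheet emitted in front of the lesson form. */
    private static final String LESSON_STYLE =
            "<style type=\"text/css\"> "
                    + "#lessonContent .blocklabel { margin-top: 8pt; }"
                    + "#lessonContent .myClass     { color:red;"
                    + " font-weight: bold;"
                    + "padding-left: 1px;"
                    + "padding-right: 1px;"
                    + "background: #DDDDDD;"
                    + "border: thin black solid; }"
                    + "#lessonContent li   { margin-top: 10pt; }"
                    + "</style>";

    /**
     * Renders the lesson by delegating to the staged-content dispatcher of the
     * parent class.
     *
     * @param webSession the current lesson session
     * @return the element produced for the active stage
     */
    @Override
    public Element createContent(WebSession webSession) {
        return super.createStagedContent(webSession);
    }

    /** Stage 1 entry point; see {@link #concept1(WebSession)}. */
    @Override
    protected Element doStage1(WebSession webSession) throws Exception {
        return concept1(webSession);
    }

    /** Stage 2 entry point; see {@link #concept2(WebSession)}. */
    @Override
    protected Element doStage2(WebSession webSession) throws Exception {
        return concept2(webSession);
    }

    /**
     * Escapes the five HTML-significant characters so that a value is rendered
     * as text rather than interpreted as markup.
     *
     * @param text the value to escape, may be {@code null}
     * @return the escaped value, or {@code null} when {@code text} is {@code null}
     */
    private static String escapeHtml(String text) {
        if (text == null) {
            return null;
        }
        StringBuilder escaped = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':
                    escaped.append("&amp;");
                    break;
                case '<':
                    escaped.append("&lt;");
                    break;
                case '>':
                    escaped.append("&gt;");
                    break;
                case '"':
                    escaped.append("&quot;");
                    break;
                case '\'':
                    escaped.append("&#39;");
                    break;
                default:
                    escaped.append(c);
                    break;
            }
        }
        return escaped.toString();
    }

    /**
     * Appends the current row of {@code resultSet} to {@code table} as one
     * table row with escaped cell values.
     */
    private static void appendRow(Table table, ResultSet resultSet) throws SQLException {
        TR row = new TR();
        row.addElement(new TD(escapeHtml(resultSet.getString("userid"))));
        row.addElement(new TD(escapeHtml(resultSet.getString("password"))));
        // The three constants below come from unrelated classes; presumably the
        // decompiler substituted them for equal string literals (column names) -
        // confirm against the original source.
        row.addElement(new TD(escapeHtml(resultSet.getString(GoatHillsFinancial.SSN))));
        row.addElement(new TD(escapeHtml(resultSet.getString(GoatHillsFinancial.SALARY))));
        row.addElement(new TD(escapeHtml(resultSet.getString(WebgoatContext.FEEDBACK_ADDRESS))));
        table.addElement(row);
    }

    /**
     * Renders every row of {@code resultSet} as an HTML table and adds it to
     * {@code elementContainer}. Nothing is added when the result set is empty or
     * when reading it fails.
     *
     * <p>Cell values are escaped because the lesson lets the learner write
     * arbitrary values into the {@code employee} table.
     *
     * @param elementContainer the container that receives the table
     * @param resultSet        the query result; the caller remains responsible for closing it
     */
    private void addDBEntriesToEC(ElementContainer elementContainer, ResultSet resultSet) {
        try {
            if (!resultSet.next()) {
                return;
            }
            Table table = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(1);
            TR header = new TR();
            header.addElement(new TH("User ID"));
            header.addElement(new TH(ECSFactory.PASSWORD));
            header.addElement(new TH("SSN"));
            header.addElement(new TH("Salary"));
            header.addElement(new TH("E-Mail"));
            table.addElement(header);
            // The cursor already sits on the first row, hence do/while.
            do {
                appendRow(table, resultSet);
            } while (resultSet.next());
            elementContainer.addElement(table);
        } catch (SQLException e) {
            // Best effort: a failed read leaves the page without a table.
            // NOTE(review): no logger is in scope in this file; route this through
            // the project's logging instead of stderr when one is available.
            e.printStackTrace();
        }
    }

    /**
     * Stage 1: runs the string-built query and, when the input carries a second
     * {@code ';'}-separated statement, executes that statement as an update and
     * advances the lesson to stage 2.
     *
     * <p>Any exception is caught and its message is shown (escaped) on the page.
     *
     * @param webSession the current lesson session
     * @return the form plus the query result table, if any
     */
    protected Element concept1(WebSession webSession) throws Exception {
        ElementContainer elementContainer = new ElementContainer();
        elementContainer.addElement(makeUsername(webSession));
        try {
            String rawParameter = webSession.getParser().getRawParameter(USERNAME, "");
            if (!rawParameter.isEmpty()) {
                // Deliberately vulnerable: this concatenation is what the lesson teaches.
                String[] statements = (SELECT_ST + rawParameter).split(";");
                // The connection is not closed here; presumably DatabaseUtilities owns
                // its lifetime - confirm. The statement and result set are ours to close.
                try (Statement statement = DatabaseUtilities.getConnection(webSession)
                        .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {
                    if (statements.length == 2) {
                        statement.executeUpdate(statements[1]);
                        getLessonTracker(webSession).setStage(2);
                        webSession.setMessage("You have succeeded in exploiting the vulnerable query and created another SQL statement. Now move to stage 2 to learn how to create a backdoor or a DB worm");
                    }
                    try (ResultSet resultSet = statement.executeQuery(statements[0])) {
                        addDBEntriesToEC(elementContainer, resultSet);
                    }
                }
            }
        } catch (Exception e) {
            // Database error text can echo the submitted input, so escape it.
            elementContainer.addElement(new PRE(escapeHtml(e.getMessage())));
        }
        return elementContainer;
    }

    /**
     * Stage 2: marks the lesson as solved when the input carries a second
     * statement and contains {@code CREATE TRIGGER}; only the first statement is
     * executed.
     *
     * @param webSession the current lesson session
     * @return the form plus the query result table, if any
     * @throws Exception if the query cannot be executed
     */
    protected Element concept2(WebSession webSession) throws Exception {
        ElementContainer elementContainer = new ElementContainer();
        elementContainer.addElement(makeUsername(webSession));
        String rawParameter = webSession.getParser().getRawParameter(USERNAME, "");
        if (!rawParameter.isEmpty()) {
            // Deliberately vulnerable: this concatenation is what the lesson teaches.
            String query = SELECT_ST + rawParameter;
            String[] statements = query.split(";");
            try (Statement statement = DatabaseUtilities.getConnection(webSession)
                    .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {
                // Locale.ROOT keeps the keyword check independent of the server's
                // default locale (e.g. the Turkish dotted capital I).
                if (statements.length == 2
                        && query.toUpperCase(java.util.Locale.ROOT).contains("CREATE TRIGGER")) {
                    makeSuccess(webSession);
                }
                try (ResultSet resultSet = statement.executeQuery(statements[0])) {
                    addDBEntriesToEC(elementContainer, resultSet);
                }
            }
        }
        return elementContainer;
    }

    /**
     * Returns the instruction text for the active stage, or an empty string once
     * the lesson is completed or for a stage other than 1 or 2.
     */
    @Override
    public String getInstructions(WebSession webSession) {
        if (getLessonTracker(webSession).getCompleted()) {
            return "";
        }
        switch (getStage(webSession)) {
            case 1:
                return "Stage " + getStage(webSession) + ": Use String SQL Injection to execute more than one SQL Statement. "
                        + " The first stage of this lesson is to teach you how to use a vulnerable field to create two SQL "
                        + " statements. The first is the system's while the second is totally yours."
                        + " Your account ID is 101. This page allows you to see your password, ssn and salary."
                        + "  Try to inject another update to update salary to something higher";
            case 2:
                return "Stage " + getStage(webSession) + ": Use String SQL Injection to inject a backdoor. "
                        + " The second stage of this lesson is to teach you how to use a vulneable fields to inject the DB work or the backdoor."
                        + " Now try to use the same technique to inject a trigger that would act as "
                        + " SQL backdoor, the syntax of a trigger is: <br>"
                        + " CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='john@hackme.com'WHERE userid = NEW.userid<br>"
                        + " Note that nothing will actually be executed because the current underlying DB doesn't support triggers.";
            default:
                return "";
        }
    }

    /**
     * Builds the lesson form: stylesheet, user-id text field, a preview of the
     * query that will be built from the submitted value, and the submit button.
     *
     * <p>The preview wraps the submitted value in a {@code <span>} passed as a
     * plain string, so string content given to the element is emitted as markup;
     * the value is therefore escaped before it is embedded.
     *
     * @param webSession the current lesson session
     * @return the form elements
     */
    protected Element makeUsername(WebSession webSession) {
        ElementContainer elementContainer = new ElementContainer();
        elementContainer.addElement(new StringElement(LESSON_STYLE));
        elementContainer.addElement(new StringElement("User ID: "));
        elementContainer.addElement(new Input("TEXT", USERNAME, ""));
        String rawParameter = webSession.getParser().getRawParameter(USERNAME, "");
        elementContainer.addElement(new BR());
        elementContainer.addElement(new BR());
        String highlighted = "<span class='myClass'>" + escapeHtml(rawParameter) + "</span>";
        elementContainer.addElement(new Div(SELECT_ST + highlighted));
        Input submit = new Input();
        submit.setName("Submit");
        submit.setType(Input.SUBMIT);
        submit.setValue("Submit");
        elementContainer.addElement(new PRE(submit));
        return elementContainer;
    }

    /** Returns the hints shown to the learner, in display order. */
    @Override
    protected List<String> getHints(WebSession webSession) {
        List<String> hints = new ArrayList<>();
        hints.add("Your user id is 101. Use it to see your information");
        hints.add("A semi-colon usually ends a SQL statement and starts a new one.");
        hints.add("Try this 101 or 1=1; update employee set salary=100000");
        hints.add("For stage 2, Try 101; CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='john@hackme.com' WHERE userid = NEW.userid");
        return hints;
    }

    /** Returns the lesson category, {@code Category.INJECTION}. */
    @Override
    protected Category getDefaultCategory() {
        return Category.INJECTION;
    }

    /** Returns the default ranking value of this lesson (80). */
    @Override
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    /** Returns the lesson title. */
    @Override
    public String getTitle() {
        return "Database Backdoors ";
    }
}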
