Hibernate is a ormapping framework that can be used internally with native SQL and HQL languages SQL operation.
The so-called HQL injection means that no valid validation of data in Hibernate causes malicious data to enter the application.
Take a look at this piece of code:
Input parameter can cause injection.
But in hibernate createquery pdo setstring fill placeholder for sql statement stitching, if so, naturally there is no sql
Under normal circumstances:
the Sqlin parameter has an injection vulnerability, so:
because hibernate hql Most of the cases do not support Span style= "Font-family:times New Roman" >union meta data So how to figure out the entity name and column name to continue extracting useful data, Unfortunately, no method was found to burst the current column name.
see http://blog.h3xstream.com/2014/02/ hql-for-pentesters.html , said to submit a nonexistent column name, but the local test did not succeed, visual is try-catch things submitted, then e.getsql () method.
For example, the source of error processing, output e.getsql () and e.getxsqlexception (), the results and the above Foreigner said trick the same:
But I think there is little chance of such a "friendly" mistake.
At present,HQL Injection In addition to the universal password, know the name of the table names in the case of blind, I did not think of a better way to exploit the exploits, the individual think Hibernate in the injection is more chicken.
HQL injection Vulnerability in hibernate framework