[WEB SECURITY] Web App vulnerable to HQL Injection ?

Paul AMAR aos.paul at gmail.com
Fri Feb 21 02:23:43 EST 2014


Hi there,

@Sid, thanks for that information;

I tried to get as many resources as I could and I started to develop a tool
to exploit those HQL injections.
Feel free to check it (and fork?) : https://github.com/PaulSec/HQLmap

I just wanted something really simple to highlight those vulns.
However, the next step would be to add a new DBMS and integrate it in
SQLmap, which seems a good idea (thanks to Philippe).

Cheers


2014-02-19 10:37 GMT+01:00 sid <sid at notsosecure.com>:

> This is a very interesting chain. I cover some of these topics in my Black
> Hat class 'The Art of Exploiting Injection Flaws'
>
> http://blackhat.com/us-14/training/the-art-of-exploiting-injection-flaws.html
>
> --my 10 cents----
>
> It's worth highlighting that when you encounter HQLi, your input is
> interpreted by Hibernate. You have 2 attack vectors:
>
> 1. Convince Hibernate that it should not manipulate your input and pass it
> to the database. You can do this by using functions and injecting your "sql" as
> an argument to functions.
>
> 2. Inject directly into Hibernate and let the resulting SQL compiled by Hibernate
> execute what you want to do on the database level.
>
> In my experiments, 2 is rather difficult. Hibernate is a very limited
> language and does not support union, order by and even comment characters.
> 1 would work but there are certain limitations. You cannot query tables
> which are not already mapped under Hibernate's configuration. So, in my
> experiments you can only query tables which are already mapped. You can
> also return the output of generic functions and keywords like @@version, user
> etc.
>
> Besides this, you may also have a case of Hibernate calling a stored
> procedure where the injection point is actually in the stored procedure. In which
> case, Hibernate is just a medium to pass input to the stored proc, and the
> injection will work like any SQLi.
>
> -----end of 10 cents---
>
> Thanks
>
> Sid
>
> Founder/Director
> NotSoSecure Limited,
> 9, Old Forge Way,
> Sawston,
> CB223BZ
> www.notsosecure.com
>
> *From:* websecurity [mailto:websecurity-bounces at lists.webappsec.org] *On
> Behalf Of *prasanna.k
> *Sent:* 13 February 2014 09:57
> *To:* Paul AMAR
> *Cc:* websecurity
> *Subject:* Re: [WEB SECURITY] Web App vulnerable to HQL Injection ?
>
> Thanks for the share, guys.
>
> PK
>
> On Thu, Feb 13, 2014 at 3:18 PM, Paul AMAR <aos.paul at gmail.com> wrote:
>
> Nice. I'll take a look today.
>
> No problem for the "user friendly" thing.
> I just want to practice with those vulnerabilities.
>
> 2014-02-13 10:36 GMT+01:00 Stephen de Vries <stephen at continuumsecurity.net>:
>
> On 13 Feb 2014, at 10:16, Paul AMAR <aos.paul at gmail.com> wrote:
>
> Do you know any Web app vulnerable to HQL Injection ?
>
> Here's one I wrote and use for internal testing:
> https://github.com/continuumsecurity/RopeyTasks/ ; there's HQL injection
> in two of the Controllers, e.g.:
> https://github.com/continuumsecurity/RopeyTasks/blob/master/grails-app/controllers/net/continuumsecurity/ropeytasks/TaskController.groovy
>
> Best to download Grails and run it from there so you can play with the
> code. If you run: grails war, you can then copy the resulting .war file to
> any servlet container like Tomcat, Jetty etc.
>
> Disclaimer: this wasn't really designed for public consumption, just for
> my internal testing, so it's not as user friendly as DVWA and other
> vulnerable apps.
>
> regards,
>
> Stephen
>
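To make Sid's point concrete from the defender's side: the HQLi he describes exists because user input becomes part of the HQL text that Hibernate parses, so the fix is the same one used against SQLi, keep the query text constant and bind the value. The following is an added example written for this page; it is not code from the thread, from HQLmap, or from RopeyTasks. It assumes the Hibernate 4-era `org.hibernate.Session`/`org.hibernate.Query` API that was current in 2014 and a hypothetical mapped entity `Task` with `title` and `dueDate` properties (the entity and its fields are assumptions, not RopeyTasks' model).

```java
import java.util.Arrays;
import java.util.Date;
import java.util.List;

import javax.persistence.Entity;
import javax.persistence.Id;

import org.hibernate.Query;
import org.hibernate.Session;

// Hypothetical mapped entity (assumption for this example). Sid's remark that only
// tables already mapped in Hibernate's configuration can be reached through HQL
// refers to classes like this one: HQL names entities and properties, not tables.
@Entity
class Task {
    @Id Long id;
    String title;
    Date dueDate;
}

public class TaskQueries {

    // VULNERABLE (the pattern the thread is about): the request value is spliced
    // into the HQL string, so Hibernate's parser treats it as query syntax and the
    // SQL it compiles from that is whatever the parsed text says.
    @SuppressWarnings("unchecked")
    public static List<Task> searchUnsafe(Session session, String userInput) {
        String hql = "from Task t where t.title = '" + userInput + "'";
        return session.createQuery(hql).list();
    }

    // HARDENED: the HQL text is a constant. The value is bound as a named parameter,
    // so it reaches the JDBC driver as a bind variable and is never parsed as HQL
    // or SQL, whatever characters it contains.
    @SuppressWarnings("unchecked")
    public static List<Task> searchSafe(Session session, String userInput) {
        Query q = session.createQuery("from Task t where t.title = :title");
        q.setParameter("title", userInput);
        return q.list();
    }

    // Identifiers (an ORDER BY property) cannot be bound as parameters, so the only
    // defence is an allow-list checked before the value is concatenated.
    private static final List<String> SORTABLE = Arrays.asList("title", "dueDate");

    @SuppressWarnings("unchecked")
    public static List<Task> listSorted(Session session, String sortBy) {
        if (!SORTABLE.contains(sortBy)) {
            throw new IllegalArgumentException("unsupported sort property");
        }
        // sortBy is now one of two fixed literals, not request-controlled text
        return session.createQuery("from Task t order by t." + sortBy).list();
    }
}
```

Two caveats follow from the thread itself. Parameter binding protects only the layer that does it: in Sid's third case, where Hibernate merely passes the value into a stored procedure that builds its own SQL, `setParameter` on the Hibernate side changes nothing and the procedure has to be fixed. And when reviewing Grails/GORM code such as the RopeyTasks controllers, the thing to grep for is any `executeQuery`, `createQuery` or `find` call whose query string is built with `+` or a GString `${...}` from request parameters; those are the spots where the unsafe pattern above appears in that ecosystem.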