[WEB SECURITY] Web App vulnerable to HQL Injection ?

sid sid at notsosecure.com
Wed Feb 19 04:37:31 EST 2014

This is a very interesting chain. I cover some of these topics in my Black
Hat class 'The Art of Exploiting Injection Flaws'




--my 10 cents----


It's worth highlighting that when you encounter HQLi, your input is
interpreted by hibernate. You have 2 attack vectors:


1. convince Hibernate that it should not manipulate your input and pass it
to database. You can do this by using functions and injecting your "sql" as
argument to functions.

2. Inject direct hibernate and let the resulting SQL compiled by hibernate
to execute what you want to do on database level.


In my experiments, 2 is rather difficult. Hibernate is very limited language
and does not support union, order by and even comment characters. 1 would
work but there are certain limitations. You cannot query tables which are
not already mapped under hibernate's configuration. So, in my experiments
you can only query tables which are already mapped. You can also return
output of generic functions and keyword like @@version, user etc.


beside this, you may also have a case of Hibernate calling a stored
procedure and the injection point is actually in stored procedure. In which
case, hibernate is just a medium to pass input to stored proc, and the
injection will work like any sqli.

-----end of 10 cents---






NotSoSecure Limited,

9, Old Forge Way,



www.notsosecure.com <http://www.notsosecure.com>  


From: websecurity [mailto:websecurity-bounces at lists.webappsec.org] On Behalf
Of prasanna.k
Sent: 13 February 2014 09:57
To: Paul AMAR
Cc: websecurity
Subject: Re: [WEB SECURITY] Web App vulnerable to HQL Injection ?


Thanks for the share guys. 




On Thu, Feb 13, 2014 at 3:18 PM, Paul AMAR <aos.paul at gmail.com
<mailto:aos.paul at gmail.com> > wrote:

Nice. I'll take a look today. 

No problem for the "user friendly" thing. 
I just want to practice with those vulnerabilites. 


2014-02-13 10:36 GMT+01:00 Stephen de Vries <stephen at continuumsecurity.net
<mailto:stephen at continuumsecurity.net> >:


On 13 Feb 2014, at 10:16, Paul AMAR <aos.paul at gmail.com
<mailto:aos.paul at gmail.com> > wrote:

Do you know any Web app vulnerable to HQL Injection ? 


Here's one I wrote and use for internal testing:
https://github.com/continuumsecurity/RopeyTasks/  there's HQL injection in
two of the Controllers, e.g.:


Best to download grails and run it from there so you can play with the code.
If you run: grails war, you can then copy the resulting .war file to any
servlet container like Tomcat, Jetty etc.


Disclaimer: this wasn't really designed for public consumption, just for my
internal testing, so it's not as user friendly as DVWA and other vulnerable








The Web Security Mailing List

WebSecurity RSS Feed

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter

websecurity at lists.webappsec.org <mailto:websecurity at lists.webappsec.org> 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20140219/ec4f9a40/attachment-0003.html>

More information about the websecurity mailing list