Friday, January 8, 2016

HQL Injection on Web Application Running Oracle Database


Recent pentest encountered me with an application that it seems at first glance to vulnerable to SQL Injection as the common test usually I tested shows some firm behavior.

https://site.yappare/index.jsp?id=1' error
https://site.yappare/index.jsp?id=1'' no error / normal page
I believe this should be an Oracle SQL Injection after few tests. However, no result! SQLMap shows that this can be exploited via Time-Based but also no success at the end. During the fuzzing, an error message triggered as shown:

 Googling the error message pointing me to result as shown:

So, my initial understanding is slightly wrong. I should focus on Hibernate. Did some reading and looking for any good references for Hibernate Injection. These links really help me.

After understand a little bit on how to do the injection. Did it via Blind technique as described by Paulsec, and voila! able to dump the current Hibernate version.

https://site.yappare/index.jsp?id=1') and substr(org.hibernate.cfg.Environment.VERSION,0,1)=’n' and ('1'='1
where n is actually numbers/characters that we are querying for.

Hibernate version 3.0.2

This is not enough to demonstrate the impact. Tried to read about hibernate/orm structure it seems they are using prepared statement query. I'm not able to get any clue how to query the database information. It'll be harder to me. Luckily Mikhail Egorov and Sergey Soldatov recent presentation helps me!

It is possible to query a standard injection via DBMS_XMLGEN.getxml(‘SQL’) for Oracle dbms.
and Voilaa!! 
https://site.yappare/index.jsp?id=1') and NVL(TO_CHAR(DBMS_XMLGEN.getxml('Boolean Blind SQL Injection') and ('1'='1