2023-03-30

Exploiting Hibernate Injection in "Order by" Clause (Oracle database)

Pranaam to all 🙏

In this blog post, I will be discussing a case of Hibernate Query Injection.

In this case, the web application was passing user-supplied data as the column name to the "Order by" clause.
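The pattern described above, shown as an added illustration that is not code from this post or from the application it describes: the vulnerable way of building the HQL string beside the allow-list fix. The `PurchaseOrder` entity, its field names and the `sort` request parameter are assumptions, and the example uses the Hibernate 5.2+ `Session.createQuery(String, Class)` API.

```java
import java.util.List;
import java.util.Map;

import org.hibernate.Session;

// Repository for a hypothetical PurchaseOrder entity (assumed to be a mapped
// JPA entity with createdAt, totalAmount and status fields; the entity, the
// field names and the "sort" parameter are all assumptions of this example).
public class PurchaseOrderRepository {

    // Vulnerable: the request's "sort" value is concatenated straight into HQL.
    // Whatever the caller sends becomes the ORDER BY expression, which is the
    // injection point discussed in the post. Kept only to show the pattern.
    public static List<PurchaseOrder> findAllVulnerable(Session session, String sortParam) {
        String hql = "from PurchaseOrder o order by o." + sortParam;
        return session.createQuery(hql, PurchaseOrder.class).getResultList();
    }

    // Hardened: the caller picks a short key, the server owns the HQL text.
    // ORDER BY cannot be bound as a query parameter, so an allow-list is the
    // standard fix; nothing taken from the request reaches the query string.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "date",   "o.createdAt",
            "amount", "o.totalAmount",
            "status", "o.status");

    public static String resolveSortColumn(String sortParam) {
        String column = SORT_COLUMNS.get(sortParam);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort key: " + sortParam);
        }
        return column;
    }

    public static List<PurchaseOrder> findAllSafe(Session session, String sortParam,
                                                  boolean descending) {
        // Sort direction is a separate boolean, never free text from the client.
        String hql = "from PurchaseOrder o order by " + resolveSortColumn(sortParam)
                   + (descending ? " desc" : " asc");
        return session.createQuery(hql, PurchaseOrder.class).getResultList();
    }

    // Quick demonstration of the allow-list without a database session.
    public static void main(String[] args) {
        System.out.println(resolveSortColumn("date"));
        try {
            // Even a harmless-looking free-form expression is refused: only the
            // three known keys are accepted, everything else is an error.
            resolveSortColumn("createdAt desc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allow-list idea applies when the query is built with the Criteria API instead of HQL text: the user's choice selects a server-side constant, and the constant is what ends up in the query.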

The error message shown below indicated that this was a case of Hibernate Injection:

The moment we realised that this was something different, for which we needed to come up with a different payload, my "Partner in SQLi Crime" and I suited up 🤩


 

Available research:

There is awesome research presented by Mikhail Egorov regarding the exploitation of HQL injection in different types of database servers:

 https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm

For Oracle database, the payload shown below can be used to exploit Boolean-based blind injection:

The web application responds with different HTTP content depending on whether the condition is true or false.

Limitation in this case:

In my case, the limitation was the following:

  • The available payload converts the output of the inline SQL query and compares it with the value 1, whereas the "Order by" clause does not allow the use of comparison operators such as <, >, = outside a function or inline SQL query.

Since the user data is being passed to the "Order by" clause, which has some specific rules of its own, we need to take care of the following things when injecting a payload:

Syntax which is supported:

Syntax which is not supported:

Key to the kingdom:

To exploit this vulnerable endpoint, I came up with the following pointers:

👉 The select statement will not be evaluated if the condition is false:

👉 The select statement will be evaluated if the condition is true:

Exploitation - Exception for the win 🤘😎🤘:

For exploitation, I will be using:

👉 Inline queries which raise an exception when the condition is true
👉 Tricks such as 'division by zero' to raise that exception, or
👉 A function which complains about an invalid format argument, such as the To_date() function

Shown below is the inline query based on the 'division by zero' approach:

And this one uses the To_date() function with an invalid format:

Let's observe and confirm the behaviour of the inline query that uses the To_date() function with an invalid format.

The inline SQL query with a true condition was executed, and the Oracle database raised an error because 'b0x' is not a valid date format:
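From the defender's side, the two errors this technique depends on are distinctive: a forced division by zero surfaces as ORA-01476 and an invalid TO_DATE format model as ORA-01821, and both are copied verbatim into the JDBC exception text that Hibernate logs. The following detector, added here as an example and not code from the post, scans application log lines for those Oracle errors paired with a sort parameter that is not a plain identifier. The log line format, the `path=`/`sort=`/`error=` fields and the sample lines are all constructed for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class OrderBySortProbeDetector {

    // Oracle errors that the exception-based technique relies on: a forced
    // division by zero (ORA-01476) and a TO_DATE call with an invalid format
    // model (ORA-01821). Both end up verbatim in the JDBC exception message.
    private static final Pattern ORACLE_ERROR = Pattern.compile("ORA-(01476|01821)");

    // Assumed log shape (constructed for this example): one line per failed
    // request carrying the path, the raw sort parameter and the exception text.
    private static final Pattern LOG_LINE = Pattern.compile(
            "^(\\S+ \\S+) WARN .*path=(\\S+) sort=\"([^\"]*)\" error=\"(.*)\"$");

    // A legitimate sort key is a plain identifier; anything else did not come
    // from the application's own UI.
    private static final Pattern PLAIN_IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_.]*");

    public record Finding(String timestamp, String path, String sort, String oraCode) {}

    public static List<Finding> scan(List<String> lines) {
        List<Finding> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LOG_LINE.matcher(line);
            if (!m.matches()) {
                continue;
            }
            Matcher err = ORACLE_ERROR.matcher(m.group(4));
            if (!err.find()) {
                continue;   // some other failure, not the error oracle we care about
            }
            String sort = m.group(3);
            if (!PLAIN_IDENTIFIER.matcher(sort).matches()) {
                findings.add(new Finding(m.group(1), m.group(2), sort, err.group()));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample lines; the placeholder text in parentheses stands
        // in for whatever inline query was sent, which is not part of this example.
        List<String> sample = List.of(
                "2023-03-30 10:15:01 WARN app.web - path=/orders sort=\"createdAt\" "
                        + "error=\"ORA-00904: invalid identifier\"",
                "2023-03-30 10:15:07 WARN app.web - path=/orders sort=\"status,(elided inline query)\" "
                        + "error=\"could not extract ResultSet; ORA-01821: date format not recognized\"",
                "2023-03-30 10:15:09 WARN app.web - path=/orders sort=\"status,(elided inline query)\" "
                        + "error=\"could not extract ResultSet; ORA-01476: divisor is equal to zero\"");
        for (Finding f : scan(sample)) {
            System.out.println(f.timestamp() + " " + f.path() + " " + f.oraCode()
                    + " sort=" + f.sort());
        }
    }
}
```

A burst of such findings against one endpoint, alternating between an error and a clean response, is the signature of a condition being tested one bit at a time; the allow-list on the sort parameter removes the root cause, and returning a generic error page to the client at least stops the exception text itself from leaking.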


Now, let's use this inline query in the existing payload and construct a final payload which can exploit the HQL injection in our case:

👉 True condition payload:

👉 False condition payload:

We have reached the end of the blog post 😎

I would like to say "Thank you" to @Soroush Dalili sir and @Noman Riffat bhai ji who helped me a lot during the exploitation of this injection.

./init 0

 

© 2009 Start With Linux | Mannu Linux