MYHACK58:62201675870 · 佚名 (Anonymous)
History: Jun 14, 2016 - 12:00 a.m.

HITB16 talk analysis: new methods for ORM injection in Java applications - vulnerability warning - the black bar safety net

www.myhack58.com

The "Hack In The Box" conference is a globally known security summit held in Amsterdam, Europe. This year's edition was very interesting; a talk by the security researchers Mikhail Egorov and Sergey Soldatov, "New Methods for ORM Injection in Java Applications", triggered a heated discussion.
What is Object-Relational Mapping (ORM)?
ORM (object-relational mapping) is a programming technique for converting data between an object-oriented programming language and an incompatible type system, such as a relational database. In effect, it creates a "virtual object database" that can be used from the programming language. The technique is used extensively in commercial applications.
A few well-known Java ORM libraries:
– Hibernate ORM (often used in WildFly and JBoss)
– EclipseLink (GlassFish)
– TopLink (Oracle WebLogic)
– OpenJPA (TomEE and IBM WAS)
SQL vs ORM injection
Mikhail and Sergey focused their research on ORM injection in Java applications. ORM injection, also called JPQL or HQL injection, is very similar to SQL injection. Instead of defining SQL queries directly, the ORM libraries use their own query languages, JPQL/HQL (Java Persistence Query Language / Hibernate Query Language), and the ORM library translates these queries into SQL.
These languages are unusual and limited. If you find a way to inject into an ORM query, you will find that your access is restricted: only the database tables mapped to entities (Java objects) can be reached, and sqlmap cannot be used.
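As an added example (not code from the talk or from any ORM project), the injection point this research targets and its mitigation in JPA: a query built by string concatenation beside one that binds the value as a named parameter, plus a whitelist for the one place where binding is impossible. It assumes a javax.persistence JPA provider such as Hibernate or EclipseLink and an Account entity mapped to an existing table.

```java
import java.util.List;
import java.util.Set;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;

// Constructed example (not code from the talk or from any ORM project). Assumes a JPA
// provider such as Hibernate or EclipseLink and a table mapped to the Account entity.
@Entity
class Account {
    @Id Long id;
    String login;
    String role;
}

class AccountRepository {
    private final EntityManager em;

    AccountRepository(EntityManager em) { this.em = em; }

    // VULNERABLE: the caller's value becomes part of the JPQL text. Quotes, $$, a
    // FUNCTION(...) / SQL(...) call or a no-break space in the value are parsed by the
    // ORM and then translated into SQL, which is exactly what the talk exploits.
    List<Account> findByLoginUnsafe(String login) {
        String jpql = "SELECT a FROM Account a WHERE a.login = '" + login + "'";
        return em.createQuery(jpql, Account.class).getResultList();
    }

    // SAFE: a named parameter is bound by the ORM and handed to the DBMS as data, so
    // nothing in the value is ever interpreted by the JPQL parser or the SQL parser.
    List<Account> findByLogin(String login) {
        TypedQuery<Account> q = em.createQuery(
                "SELECT a FROM Account a WHERE a.login = :login", Account.class);
        q.setParameter("login", login);
        return q.getResultList();
    }

    // Identifiers such as an ORDER BY field cannot be bound as parameters; they are
    // checked against a fixed whitelist before being spliced into the query text.
    private static final Set<String> SORTABLE = Set.of("login", "role");

    List<Account> listSorted(String sortField) {
        if (!SORTABLE.contains(sortField)) {
            throw new IllegalArgumentException("unsupported sort field: " + sortField);
        }
        return em.createQuery("SELECT a FROM Account a ORDER BY a." + sortField, Account.class)
                 .getResultList();
    }
}
```

Every bypass described in the rest of this article needs attacker-controlled text inside the query string; with parameter binding the value never reaches either parser.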
The techniques developed
Mikhail and Sergey showed how features of these ORM libraries can be used to break out of the ORM query language and send arbitrary SQL queries, and how sqlmap can then be used for deeper penetration testing.
EclipseLink and TopLink ORM
EclipseLink ORM and TopLink ORM have a remarkable feature that allows arbitrary SQL functions to be executed: EclipseLink provides FUNCTION() (originally FUNC()) for calling database-specific functions. Not only can database functions be called, the same "trick" can also be used to run an ordinary SQL query:
JPQL statement:
... FUNCTION('(select count(1) from table where 1=1)>0 and length','qq')=2 ...
Translated into SQL:
... (select count(1) from table where 1=1)>0 and length('qq')=2 ...
With TopLink the "trick" is not even needed, because it can run ordinary SQL queries through its SQL() operator.
OpenJPA
In Apache OpenJPA they found two ways to execute arbitrary SQL. The first exploits a flaw in the parsing process: the grammar check replaces double quotes (") with single quotes ('), which makes it possible to hide a SELECT statement inside what the ORM parses as a single string literal:
ORM sees: and '1'='1" and (select 1 where 1=1) = "1' and
DBMS gets: and '1'='1' and (select 1 where 1=1) = '1' and
The second method relies on the ORM not being sensitive to which quote character delimits a string:
ORM sees: and "a' = 'a' and (select 8 where 1=1)=8 and 'b" = 'b'
DBMS gets: and 'a' = 'a' and (select 8 where 1=1)=8 and 'b' = 'b'
Hibernate
In the Hibernate library they discovered several methods. The first is single-quote escaping, which works on MySQL because a backslash inside a string (\') escapes the single quote, while HQL only treats a doubled quote ('') as an escaped quote:
In HQL this is one string:
'abc\''or 1=(select 1)--'
In MySQL it is a string followed by an additional SQL expression:
'abc\''or 1=(select 1)--'
On PostgreSQL and H2 it is possible to delimit strings with two dollar signs ($$, dollar quoting). They applied this to the way HQL handles the $ character:
In HQL, $$ is interpreted as a variable and compared to a string:
$$='$$=concat(chr(61),chr(39)) and 1=1--'
But in SQL, $$='$$ is a dollar-quoted string (the two characters ='), which is compared with the result of concat(); since chr(61) is '=' and chr(39) is the single quote, both sides are equal:
$$='$$=concat(chr(61),chr(39)) and 1=1--'
For PostgreSQL and Oracle they also showed a method based on "magic" functions: PostgreSQL has the built-in function query_to_xml('arbitrary SQL') and Oracle has dbms_xmlgen.getXML('sql'). These functions can be used to execute arbitrary SQL statements.
The fourth method uses Unicode symbols: Microsoft SQL Server and H2 treat Unicode delimiters such as the no-break space (U+00A0, %C2%A0 when URL-encoded) as whitespace, so an expression such as SELECT LEN(<U+00A0>((SELECT(1)))) is equivalent to SELECT LEN((SELECT(1))). HQL allows Unicode symbols in identifiers, function names and parameter names. This works because Hibernate accepts <U+00A0> as a valid function name and passes what follows through as a function call.
The last method uses Java constants and works on most DBMSs except MySQL. Hibernate resolves public static fields of Java classes referenced in an HQL query. A field holding the special character or string must be declared in a class or interface on the class path. They listed several widely used Java libraries in which the desired characters can be found.
An HQL statement using this method:
...dummy' and hqli.persistent.Constants.C_QUOTE_1*X('CHAR(41)(select count(1) from sysibm.sysdummy1)>0 --')=1 and '1'='1...
This results in the following SQL query:
...dummy' and "'*X('CHAR(41) and (select count(1) from sysibm.sysdummy1)>0 --')=1 and '1'=...
How to identify the ORM?
Finally, they gave a useful list of probes for determining which ORM library an application uses:
– Hibernate: ... and 1bi = 1bd and ...
– EclipseLink: ... and FUNCTION('1=1 and','2')='2' and ...
– TopLink: ... and SQL('1=1') and ...
– OpenJPA: ... and "1"='1' and ...
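The probes above double as detection signatures. As an added example (not from the talk or this article), a small Java scanner that URL-decodes a request parameter value and flags the ORM fingerprint probes and the escape primitives discussed on this page; it assumes Java 10 or later, and the sample values are constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Constructed example (not from the talk or the article). Signature names are our own.
public class OrmProbeDetector {
    private static final Map<String, Pattern> SIGNATURES = Map.of(
        "hibernate-literal-suffix", Pattern.compile("\\b\\d+bi\\s*=\\s*\\d+bd\\b", Pattern.CASE_INSENSITIVE),
        "eclipselink-function",     Pattern.compile("\\bFUNCTION\\s*\\(", Pattern.CASE_INSENSITIVE),
        "toplink-sql",              Pattern.compile("\\bSQL\\s*\\(\\s*'", Pattern.CASE_INSENSITIVE),
        "openjpa-mixed-quotes",     Pattern.compile("\"\\d+\"\\s*=\\s*'\\d+'"),
        "pg-dollar-quote",          Pattern.compile("\\$\\$"),
        "nbsp-function-call",       Pattern.compile("\\u00A0\\s*\\(")   // no-break space before '('
    );

    /** Returns the names of all signatures matching the URL-decoded parameter value. */
    public static List<String> classify(String rawValue) {
        // Decoding first so that %C2%A0 (U+00A0) and %27 (') are seen in their real form.
        String value = URLDecoder.decode(rawValue, StandardCharsets.UTF_8);
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, Pattern> e : SIGNATURES.entrySet()) {
            if (e.getValue().matcher(value).find()) {
                hits.add(e.getKey());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed query-string samples as they would appear in an access log.
        String[] samples = {
            "name=alice",
            "name=x%27+and+1bi+%3D+1bd+and+%271%27%3D%271",
            "name=x%27+and+FUNCTION%28%271%3D1+and%27%2C%272%27%29%3D%272%27+and+%271%27%3D%271",
            "name=x+and+%221%22%3D%271%27",
            "name=LEN%28%C2%A0%28%28SELECT%281%29%29%29%29"
        };
        for (String s : samples) {
            String value = s.substring(s.indexOf('=') + 1);
            System.out.println(s + " -> " + classify(value));
        }
    }
}
```

A hit on any signature in a normal form field is a strong indicator of ORM fingerprinting and is worth an alert; the benign first sample returns an empty list.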