Exploiting Hibernate Injection in "Order by" Clause (Oracle database)

Pranaam to all 🙏

In this blog post, I will be discussing case of Hibernate Query Injection

In this case, the web application was passing user-supplied data as column name to "Order by" clause.

The below mentioned error message indicated that this was the case of Hibernate Injection:

Dual is not mapped [from com.....

The moment, we realised that it is something different for which we need to come up with different payload, me and my "Partner in SQLI Crime" suited up 🤩

 

Available research:

There is an awesome research presented by "Mikhail Egorov" regarding the exploitation of the HQL injection attack in different type of database servers:

 https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm

For Oracle database, below mentioned payload can be used to exploit Boolean-based Blind injection 

AND NVL(TO_CHAR(DBMS_XMLGEN.getxml('Inline_SQL_query_goes_here')),'1')!='1'

The web application responds with different HTTP content (depends on the true/false codition)

Limitation in this case

In my case, following was the limitation:

• The available payload is converting and comparing output of the inline SQL query with value 1. Whereas "Order by" caluse does not allow use of comparison operator such as <,>,= outside the function or inline SQL query
  

As user data is getting passed to "Order by" clause, which has some specific rules. 

To inject payload we need to take care of following things:

Syntax which is supported:- 

  ORDER BY (inline SQL query) or ORDER BY some_function(inline SQL query)

Syntax which is not supported:- 

  ORDER BY (inline SQL query) = some_value or ORDER BY some_function(inline SQL query) = some_value

Key to kingdom:

To exploit this vulnerable endpoint, I came up with following pointers.

👉 Select statement will not be evaluated if condition is false:

 👉Select statement will be evaluated if condition is true:

 👉Select statement will be evaluated if condition is true:

Exploitation - Exception for the win 🤘😎🤘:

For exploitation, I will be using:

👉 Inject inline queries which raise an exception when condition is true
👉 To raise an exception, use tricks such as 'division by zero' or
👉 A function which complains about an invalid format argument such as To_date() function

Below mentioned is the inline query based on 'division by zero'approach:

(SELECT 1/0 FROM dual where true/false_condition)

And this one ishaving To_date() function with an invalid format:

(SELECT TO_DATE(1337, 'b0x') FROM dual where true/false_condition)

Let's observe and confirm the behaviour of inline query having To_date() function with invalid format.

Inline SQL query with true condition was executed and Oracle database raised an error because 'b0x' is not a valid date format:

Now, let's use this inline query in the existing payload and construct a final payload which can exploit HQL injection for our case:

👉True condition payload:

ASCII(DBMS_XMLGEN.getxml('SELECT TO_DATE(1337, ''b0x'') FROM dual where user=''Database_User'''))

 👉False condition payload:

ASCII(DBMS_XMLGEN.getxml('SELECT TO_DATE(1337, ''b0x'') FROM dual where user=''Random_String'''))

 We have reached to end of the blog post 😎

I would like to say "Thank you" to @Soroush Dalili sir and @Noman Riffat bhai ji who helped me a lot during the exploitation of this injection.

./init 0