Hibernate SQL Injection

I'm auditing a project and I found a way to inject data into a query. The project uses Hibernate, and for this piece of code it calls Session.createSqlQuery() and then .list().

The SQL is something like: "SELECT * FROM tablename ORDER BY column XXXXXX"

XXXXXX can be modified using Fiddler. So I tried

SELECT * FROM tablename ORDER BY column DESC; truncate table tablename;

Unfortunately (well, only for my injection attempt) it's not working and I'm getting:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'truncate table tablename'

My question is, since they're using createSQLQuery, are they safe from injection? If they're not, could you give me an example to highlight the issue?

I tried using %08 (the backspace character), thinking I would be able to delete previous query characters, for example (it didn't work ;) ).

Thanks.


After some research, it seems I won't be able to modify data with this security hole; however, using ORDER BY (CASE WHEN ...) would allow one to "scan" the tables and the data.


Is the column name specified using a parameterized statement or are you just concatenating text?

e.g., in perl::DBI, the drivers support the following syntax:

$dbh->do("SELECT * FROM asdf ORDER BY ?", undef, $order_by);

The ? there is a form of parameterized statement which sanitizes the input automatically.
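An added example (not code from the question or the answer) showing the concatenated ORDER BY the question describes next to an allow-list fix. In JDBC and Hibernate a ? placeholder can bind values but not identifiers, so a bound column name is sent as a string constant and every row sorts equal; the fix is to map client keys to fixed column names. It assumes the Hibernate Session.createSQLQuery(...).list() API the question names and Java 9+ for Map.of; table and column names are placeholders.

```java
import java.util.List;
import java.util.Map;
import org.hibernate.Session;

// Added example, not the project's own code. Assumes the Hibernate API
// named in the question; "tablename" and the column names are placeholders.
public class OrderByAllowList {

    // The pattern from the question: the ORDER BY fragment comes straight
    // from the client and is concatenated into the SQL text. Because an
    // identifier cannot be bound with ?, this is what lets a caller place
    // an arbitrary expression (e.g. CASE WHEN ...) after ORDER BY.
    static List<?> vulnerableList(Session session, String userOrderBy) {
        String sql = "SELECT * FROM tablename ORDER BY " + userOrderBy;
        return session.createSQLQuery(sql).list();
    }

    // Client-supplied sort keys map to fixed, developer-chosen column names.
    // Only values from this map ever reach the SQL text.
    private static final Map<String, String> SORTABLE_COLUMNS = Map.of(
        "name", "name",
        "created", "created_at",
        "price", "unit_price");

    // Build the ORDER BY clause from allow-listed pieces only; anything
    // outside the list is rejected rather than escaped.
    static String safeOrderByClause(String sortKey, String direction) {
        String column = SORTABLE_COLUMNS.get(sortKey);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort column: " + sortKey);
        }
        String dir;
        if ("asc".equalsIgnoreCase(direction)) {
            dir = "ASC";
        } else if ("desc".equalsIgnoreCase(direction)) {
            dir = "DESC";
        } else {
            throw new IllegalArgumentException("unsupported sort direction: " + direction);
        }
        return "ORDER BY " + column + " " + dir;
    }

    // Hardened version of the same query: the SQL text is built only from
    // literals in this class, never from the raw request parameter.
    static List<?> hardenedList(Session session, String sortKey, String direction) {
        String sql = "SELECT * FROM tablename " + safeOrderByClause(sortKey, direction);
        return session.createSQLQuery(sql).list();
    }
}
```

Rejecting unknown keys (instead of falling back to a default) also gives the application a clear log line to alert on when someone tampers with the sort parameter.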
