Last week I had two short talks on ZeroNights 0x05 conference.

The first talk was about security flaws in WebDav libraries and online services that supports WebDav protocol. I’ve presented it alone. Doing research I’ve found number of interesting vulnerabilities, got 2 CVEs, have been included into yandex’s October hall of fame -  Also I’ve uncovered neat XXE exploitation trick using PUT, PROPPATCH, PROPFIND sequence of requests.

I was limited in time doing the research and, probably, missed cool findings. Nevertheless, using my approach you can find more interesting vulnerabilities in WebDav services :))

WebDav is widely used, it is complex, there are many implementations on different programming languages and its security is not researched well – there are few talks and public CVEs regarding WebDav. Thus, WebDav endpoints might conceal interesting bugs - pentester/bughunter should consider it. 

Here is the presentation slides.

The second talk I had with my friend Sergey. In short, the purpose of our research was to discover new ways of HQL injection exploitation. HQL is object-oriented language and is limited versus normal SQL.

When it comes to HQLi exploitation, the main obstacle for the attacker is the fact that in worst case he can only access one table that is directly mapped to the entity. This is not cool :((

We studied how Hibernate works - how it parses HQL queries and translates them into SQL queries. Finally, we found bypassing techniques that allow us to access arbitrary tables in the database. Our techniques work for MySQL, Postgresql, Oracle, and Microsoft SQL Server DBMS.

Here the slides of our presentation.

Our work attracted much attention, more than 6000 views in a week. Thanks to @agarri_fr and @h3xstream for promoting our work on Twitter :))

Doing research, I have developed simple Java application I called hqli.playground with secure and insecure endpoints. Here is the link to the application - Application gets name parameter in URL and crates HQL query based on its value.

Secure endpoint uses named parameter :name to securely pass URL parameter to HQL query. 
Query query = em.createQuery("SELECT p FROM Post p where", Post.class);
query.setParameter("name", name);
Contrary, insecure endpoint uses string concatenation to pass URL parameter to HQL query.
Query query = em.createQuery("SELECT p FROM Post p where'" + name + "'", Post.class);

To trigger HQLi you have to navigate to URL http://hqli.playground.local:8080/hqli.playground/dummy’or’1’=’1. Doing that you will get all records from post table. In contrast, when you call secure endpoint by navigating to http://hqli.playground.local:8080/hqli.playground/secure/dummy’or’1’=’1 URL, you will get nothing, because secure implementation treats dummy’or’1’=’1 as a string.

I’ve made VM with hqli.playground application running on WildFly application server and Postgresql database. WildFly uses Hiberante as default ORM. Here is the link to the VM - OS user is ubuntu password is reverse. When Postgresql is used as DBMS, you can exploit HQLi using sqlmap (

This command line allows you to dump database banner.
sqlmap -u "http://hqli.playground.local:8080/hqli.playground/dummy%27%20and%20array_upper%28xpath%28%27row%27%2Cquery_to_xml%28%27select%201%20where%201337%3E1*%27%2Ctrue%2Cfalse%2C%27%27%29%29%2C1%29%3D1%20and%20%271%27%3D%271" --dbms="PostgreSQL" --technique B -b -v 0
For convenience, here is decoded URL parameter. Star symbol ‘*’ denotes injection point for sqlmap.
dummy' and array_upper(xpath('row',query_to_xml('select 1 where 1337>1*',true,false,'')),1)=1 and '1'='1
Presentation explains why this works. Also I’ve made video with HQLi exploitation for Postgresql.

I can say that for Oracle and MySQL you can also use sqlmap to exploit HQLi. The hardest DBMS was Microsoft SQL Server - it is not possible to use sqlmap directly for exploitation. Thanks to Sergey, he wrote Perl script for extracting tables/columns information and dumping table content. Script is available here - Besides, Sergey made nice video about HQLi exploitation.