
I am a pentester and found a HQL injection point. I can extract the password hashes of the users, but I have to do that with a more or less blind select statement where I put an extra parameter in the where:

select count(userName) from DB where userName='admin' AND Password like 'INJECT%' AND '1'='1

For INJECT I just loop through all possibilities and get a yes or no response on whether it can find a password that starts with something. The INJECT part is the input that I have full control over.

Now my problem is that this like query is case insensitive, while a hash is case sensitive. So is there any way that I can make sure the like query is executed case sensitively from only this injection point? (So I cannot do actual HQL or SQL queries apart from this.)

Wealot
    Unless your database doesn't respect standards, a like query **is** case-sensitive. But anyway, are you actually asking us how to crack passwords? – JB Nizet Mar 30 '18 at 12:28
  • Apparently the backend database indeed does not respect standards... And I am not asking to crack anything, I have permission to look at this application through the eyes of a hacker. So I have a nice vulnerability that I can show as I have the hash. Except that I get the hash in all lower case instead of case sensitive. For my POC to management to show how bad this is I want to show the actually usable hash. So I wanted to get case sensitive data out. (not doing anything bad) – Wealot Mar 30 '18 at 13:48
  • OK, thanks for the response. Frankly, if the management isn't convinced already that HQL injection is a problem that needs to be fixed, then all hope is lost. But you can probably replace `password like 'INJECT%` by `substring( password, 1, 6 ) = 'INJECT'`. – JB Nizet Mar 30 '18 at 14:14
  • I am not sure what this would do (and I broke the application so they have to fix it before I can test again :P). Do I need to put something in INJECT in your example? Or does it do something else? – Wealot Mar 30 '18 at 14:35
  • It does exactly the same thing as your own example, but without using a case-insensitive like. So, whatever strategy you wanted to use using like can be applied by using substring and =, which is, hopefully, case-sensitive. – JB Nizet Mar 30 '18 at 14:41
  • That said, the fact that their query is case-insensitive is another big security hole. Now an attacker that has a hash of a user doesn't even need to be able to find the original password of the user to attack the application. All he needs to do is to find any password that generates a hash that is equal, ignoring the case. – JB Nizet Mar 30 '18 at 14:45
  • Thanks! As soon as it is up and running again I'll try it again. And your second comment is absolutely right! I will get them to check that as well :P Didn't even think about that! – Wealot Mar 30 '18 at 14:50
  • It still keeps on doing it case insensitive, it might be that they are doing something with the query that is injected (some lower() or something). I'll have to talk to the client about it! :P. – Wealot Apr 03 '18 at 10:10

1 Answer

0

Whether the query is case sensitive is not an inherent characteristic of the LIKE operator or = or other string functions.

It has to do with the collation of the strings being compared. That is, if either string in your comparison is a string value with a case-sensitive collation, then the comparison will be case-sensitive.

If you can inject arbitrary SQL expressions, then you can inject an expression that converts the string to a case-sensitive collation.

Example: SQL Case Sensitive String Compare

There might be some variation in the syntax based on the brand of SQL database you use. You did not say which database you're using (unless you're one of those Microsoft users who say "SQL" when you mean "Microsoft SQL Server").

Bill Karwin
  • Weirdly enough this also doesn't work. For your last remark, I actually have no idea what they are using. A lot of the time these "grey box" pentests tend to have clients that don't want to share to make it "easier" although it would just make life easier and results better. But hey! :P – Wealot Apr 03 '18 at 10:09
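As an added example (not from the question or the answer), a SQLite-backed Python sketch of the two points discussed above: why a parameter-bound query does not let the caller extend the WHERE clause, and how the comparison operator and collation, not LIKE as such, decide case sensitivity. The table, user and hash are constructed stand-ins; SQLite's default LIKE is case-insensitive for ASCII, which mirrors the behaviour the question describes.

```python
import hashlib
import sqlite3

# Constructed sample data (not from the question): one user whose password is
# stored as a hex SHA-256 digest, i.e. lower-case hex characters.
SAMPLE_USER = "admin"
SAMPLE_HASH = hashlib.sha256(b"constructed-sample-password").hexdigest()

# The question's payload shape, here with a prefix taken from the constructed
# hash and upper-cased to show that LIKE ignores case.
INJECTED = f"{SAMPLE_USER}' AND password LIKE '{SAMPLE_HASH[:4].upper()}%' AND '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (SAMPLE_USER, SAMPLE_HASH))
    return conn


def count_vulnerable(conn: sqlite3.Connection, user_name: str) -> int:
    """Builds the query by string concatenation, as the injectable endpoint
    evidently does: the caller's input becomes part of the WHERE clause."""
    sql = f"SELECT count(userName) FROM users WHERE userName='{user_name}'"
    return conn.execute(sql).fetchone()[0]


def count_parameterised(conn: sqlite3.Connection, user_name: str) -> int:
    """Binds the input as a parameter, so it is only ever compared as a value
    and can never extend the query."""
    sql = "SELECT count(userName) FROM users WHERE userName = ?"
    return conn.execute(sql, (user_name,)).fetchone()[0]


def matches_uppercased_hash(conn: sqlite3.Connection, predicate: str) -> bool:
    """True when `predicate` (a WHERE fragment with one '?' placeholder) treats
    the stored hash and its upper-cased copy as equal, i.e. when that
    comparison is case-insensitive under the database's collation rules."""
    sql = f"SELECT count(*) FROM users WHERE {predicate}"
    return conn.execute(sql, (SAMPLE_HASH.upper(),)).fetchone()[0] == 1


if __name__ == "__main__":
    db = make_db()
    print("concatenated query, injected input ->", count_vulnerable(db, INJECTED))
    print("parameterised query, same input    ->", count_parameterised(db, INJECTED))
    for p in ("password LIKE ?", "password = ?", "password = ? COLLATE NOCASE"):
        print(f"{p:30} case-insensitive: {matches_uppercased_hash(db, p)}")
```

The parameterised variant is the fix to ask the application owner for; the collation check is a quick way to confirm which comparison the backend actually performs.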