
I have an assignment to add an SQL injection flaw to a web application, and I'm hoping someone can give me a nudge in the right direction that doesn't involve rewriting the whole program.

Here's the code where most of the work is done:

package todolist;

import java.util.ArrayList;
import java.util.List;

import org.hibernate.HibernateException;
import org.hibernate.Session;
import org.hibernate.Transaction;
import org.hibernate.query.Query;

public class DAOImp implements ItemListDAO {

    @Override
    public void addItem(String itemStr) {
        ListItem item = new ListItem(itemStr);
        Session session = HibernateUtil.getSessionFactory().openSession();
        Transaction tx = null;
        Integer itemID = null;
        try {
            tx = session.beginTransaction();
            itemID = ((Integer) session.save(item));
            tx.commit();
        } catch (HibernateException e) {
            if (tx != null)
                tx.rollback();
            e.printStackTrace();
        } finally {
            session.close();
        }   
    }

    @Override
    public void delItem(int itemNbr) {
        Session session = HibernateUtil.getSessionFactory().openSession();      
        Transaction tx = null;
        try {
            tx = session.beginTransaction();
            // look the item up by primary key inside the try block, so the
            // session is still closed in finally if the lookup itself throws
            ListItem item2 = session.get(ListItem.class, itemNbr);
            session.delete(item2);
            tx.commit();
        } catch (HibernateException e) {
            if (tx != null)
                tx.rollback();
            e.printStackTrace();
        } finally {
            session.close();
        }
    }

    @Override
    public List<ListItem> getList() {
        List<ListItem> list = new ArrayList<>();
        Session session = HibernateUtil.getSessionFactory().openSession();
        Transaction tx = null;
        try {
            tx = session.beginTransaction();
            // typed form of createQuery avoids the unchecked raw Query assignment
            Query<ListItem> queryList = session.createQuery("FROM ListItem", ListItem.class);
            list = queryList.list();
            tx.commit();
        } catch (HibernateException e) {
            if (tx != null)
                tx.rollback();
            e.printStackTrace();
        } finally {
            session.close();
        }
        return list;
    }

}

As I'm creating an object that is then transferred to the database, I'm not sure how exactly to create the injection flaw, or whether it would be easier to do it in the add or delete sections. Any help is appreciated and any additional information you might need, I would be happy to provide.

  • Hmm, you are using Hibernate; I don't think that SQL injection is possible. – Youcef LAIDANI Mar 29 '19 at 18:18
  • I do not see you building a dynamic query as text based on user input. Where do you expect the injection to come from? – PM 77-1 Mar 29 '19 at 18:20
  • read this post https://stackoverflow.com/questions/14102334/how-to-prevent-sql-injection-with-jpa-and-hibernate, maybe you can find the solution in the question – Youcef LAIDANI Mar 29 '19 at 18:22
  • Would it be possible to change the session.get() statement in the delItem method to a session.createQuery() to manufacture the vulnerability? – Josh Mar 29 '19 at 19:11
  • Pass SQL on the method parameter and you have easy SQL injection. It allows storing and retrieving SQL code from the database for dynamic queries. If you need to know how Hibernate protects from SQL injection see https://stackoverflow.com/a/31490488/573032 – Roman C Mar 29 '19 at 19:18
  • Roman, could you please be a little more specific in regards to my code? I'm a little lost as to what you're saying. – Josh Mar 29 '19 at 19:25
  • Josh, your code is not clear. You didn't provide the code where you tried it with vulnerable SQL. Just asking whether there is a SQL injection in the code above is wrong, because answering *yes* is impossible without showing an example, and answering *no* is wrong. The correct answer should sound like *probably*. And you have to figure out how, which is already not an easy task. – Roman C Mar 29 '19 at 19:32
  • I'm not asking if there is an injection in the code above. I'm trying to manufacture a security flaw for an assignment. The way I have the program written, I'm fairly certain that there are no injection vulnerabilities, at least I've been unable to trigger them. – Josh Mar 29 '19 at 19:40
  • So far, I've got this in the delItem method, where the session.get() was before: Query query = session.createQuery("FROM ListItem where itemID = " + itemNbr); ListItem item2 = (ListItem) query.list().get(0); But I don't know what I could pass into the field to exploit the injection. I could also change it to createSQLQuery(), but I have the same problem. I'm unfamiliar with how to exploit it. – Josh Mar 29 '19 at 20:32
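
The thread's conclusion, shown as an added example that is not the asker's code or the Hibernate project's own: the `delItem` rewrite in the last comment becomes an injection flaw only once the value concatenated into the HQL is a `String`, because Java renders an `int` as digits and nothing else. The pair below puts that vulnerable form next to the parameterized fix, both as bulk-delete HQL so the difference is confined to how the value reaches the query. It assumes the `ListItem` entity and `HibernateUtil` helper from the question, and assumes the entity's identifier property is named `itemID`, as in the asker's comment.

```java
package todolist;

import org.hibernate.HibernateException;
import org.hibernate.Session;
import org.hibernate.Transaction;
import org.hibernate.query.Query;

// Added example, not the asker's code. Assumes the ListItem entity and
// HibernateUtil helper from the question, and that ListItem's identifier
// property is named "itemID" (assumption taken from the asker's comment).
public class DeleteExamples {

    // VULNERABLE variant: the caller's raw text is spliced into the HQL.
    // With the question's int parameter the concatenation is harmless; once
    // the parameter is a String (for example copied straight from a request
    // parameter), whatever the caller writes is parsed as part of the WHERE
    // clause, so the rows deleted are no longer determined by the code.
    public static int delItemUnsafe(String itemNbr) {
        Session session = HibernateUtil.getSessionFactory().openSession();
        Transaction tx = null;
        try {
            tx = session.beginTransaction();
            // the string concatenation on the next line is the flaw
            Query<?> q = session.createQuery(
                "DELETE FROM ListItem WHERE itemID = " + itemNbr);
            int deleted = q.executeUpdate();
            tx.commit();
            return deleted;
        } catch (HibernateException e) {
            if (tx != null) tx.rollback();
            throw e;
        } finally {
            session.close();
        }
    }

    // SAFE variant: same query, but the value is bound as a named parameter.
    // Hibernate passes it to the JDBC driver as data, never as query text,
    // and the conversion to int happens in Java before any query exists, so
    // input that is not a number is rejected with a NumberFormatException.
    public static int delItemSafe(String itemNbr) {
        int id = Integer.parseInt(itemNbr.trim());
        Session session = HibernateUtil.getSessionFactory().openSession();
        Transaction tx = null;
        try {
            tx = session.beginTransaction();
            Query<?> q = session.createQuery(
                "DELETE FROM ListItem WHERE itemID = :id");
            q.setParameter("id", id);
            int deleted = q.executeUpdate();
            tx.commit();
            return deleted;
        } catch (HibernateException e) {
            if (tx != null) tx.rollback();
            throw e;
        } finally {
            session.close();
        }
    }
}
```

For the review side of the assignment, the thing to grep for is any `createQuery(` or `createSQLQuery(` whose argument is built with `+` from a method parameter; `delItemUnsafe` matches, `delItemSafe` and the original `session.get(ListItem.class, itemNbr)` do not. A regression test for the fix is to call `delItemSafe` with a value containing a quote or a space and check that it fails in `Integer.parseInt` before a session is even opened.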
