The majority of applications written in Java use Object-Relational Mapping (ORM) libraries to work with the underlying relational database management system (RDBMS). Java has an API for ORM functionality called the Java Persistence API (JPA), which has been part of the J2SE and J2EE specifications since version 5. Using an ORM simplifies database programming and gives the developer solid benefits over plain JDBC: database and schema independence, the ability to leverage object-oriented programming and an object model, and performance features (caching and sophisticated database and query optimizations).
In this talk, we dive deep into the internals of popular Java ORM libraries: EclipseLink, TopLink, Hibernate, OpenJPA, and JPA for WebSphere Application Server (JPA for WAS). We cover how JPQL/HQL statements are processed and transformed into SQL statements for the underlying RDBMS. For all of these ORM libraries we have identified oddities in the processing of JPQL/HQL statements that allowed us to bypass ORM restrictions and access arbitrary tables in the underlying database. More precisely, we found methods for exploiting JPQL or HQL injections as plain blind SQL injections.
The JPQLi/HQLi exploitation techniques we have identified work for the popular RDBMS used in the Java ecosystem: SQLite, MySQL, PostgreSQL, Oracle, MS SQL Server, IBM DB2, and SAP HANA. The part of our work regarding injection exploitation in the Hibernate ORM library for MySQL, PostgreSQL, Oracle, and Microsoft SQL Server has already been presented at the ZeroNights 0x05 conference. Here we extend our previous research to other popular ORM libraries and RDBMS widely deployed in the Java ecosystem.
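As an added illustration (not code from the talk or from any of the ORM projects named), the injection point the abstract refers to is a JPQL string built by concatenating untrusted input, and the mitigation is a bound parameter, which the ORM hands to the JDBC driver separately from the query text. The `User` entity and the `EntityManager` wiring are assumed for the example.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;

// Minimal hypothetical entity so the JPQL below has something to query.
@Entity
class User {
    @Id Long id;
    String name;
}

public class UserLookup {

    // VULNERABLE: the caller's input becomes part of the JPQL text itself.
    // A value containing a quote alters the JPQL grammar, and the ORM then
    // translates whatever JPQL it parsed into SQL for the backing RDBMS,
    // which is the JPQL/HQL injection class the talk describes.
    public static List<User> findByNameUnsafe(EntityManager em, String name) {
        String jpql = "SELECT u FROM User u WHERE u.name = '" + name + "'";
        return em.createQuery(jpql, User.class).getResultList();
    }

    // MITIGATED: the JPQL text is a constant; the value travels as a bound
    // parameter, so neither the JPQL parser nor the generated SQL ever treats
    // it as query syntax, whichever of the listed ORMs or databases is in use.
    public static List<User> findByName(EntityManager em, String name) {
        TypedQuery<User> q = em.createQuery(
                "SELECT u FROM User u WHERE u.name = :name", User.class);
        q.setParameter("name", name);
        return q.getResultList();
    }
}
```

When reviewing code for this bug class, search for `createQuery` (JPA) and Hibernate's `Session.createQuery` calls whose first argument is built with `+` or `String.format` rather than a literal with `:named` or `?1` placeholders.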