[sqlite-dev] 转发: SQLite3's vulnerability in 3.27.1 and 3.26

[范龙飞]

---

发件人: 范龙飞
发送时间: 2019年2月22日 17:01
收件人: sqlite...@mailinglists.sqlite.org
主题: SQLite3's vulnerability in 3.27.1 and 3.26

 

​SELECT(+++++++++++++++++++ last_insert_rowid()++++++++++sum(0)oVER())ORDER BY (+++++++++++++++++++ last_insert_rowid()++++++++++sum(0)oVER())ORDER BY 1,1,1,1,1,1​

Best regards
Longfei Fan from 360 Codesafe Team of Legendsec​

[Luuk]

It's simple, and more easy to read if you leave out the extra '+' signs..:

select (last_insert_rowid()+sum(0)over())
order by (last_insert_rowid()+sum(0)over());

Than, indeed sqlite3.exe stop without giving a result.

make a change to the statement, and it works:

select (last_insert_rowid()+sum(0)over())
order by (0+last_insert_rowid()+sum(0)over());

make another change, and it stop working again:

select (0+last_insert_rowid()+sum(0)over())
order by (0+last_insert_rowid()+sum(0)over());

but i do not think it's a vulnerability, it seems more like a minor bug?

[Luuk]

same bug with:

select (1+sum(0)over()) order by (1+sum(0)over());

or

select (2+sum(0)over()) order by (2+sum(0)over());

also with:

select (2+sum(0)over(order by 1)) order by (2+sum(0)over(order by 1));

but not with:

select (2+sum(0)over(order by 1)) order by (2+sum(0)over(order by 2));

[Luuk]

C:\TEMP>\util\sqlite3
SQLite version 3.27.1 2019-02-08 13:17:39
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.

sqlite> select (2+sum(0)over(order by 1)) order by (2+sum(0)over(order by 1.01));
QUERY PLAN
|--CO-ROUTINE 2
|  |--CO-ROUTINE 3
|  |  |--CO-ROUTINE 4
|  |  |  `--SCAN CONSTANT ROW
|  |  `--SCAN SUBQUERY 4
|  |--SCAN SUBQUERY 3
|  `--USE TEMP B-TREE FOR ORDER BY
|--SCAN SUBQUERY 2
`--USE TEMP B-TREE FOR ORDER BY
2
sqlite> select (2+sum(0)over(order by 1.01)) order by (2+sum(0)over(order by 1.01));

C:\TEMP>