Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-7471 PoC — Django SQL注入漏洞

Source
https://github.com/SNCKER/CVE-2020-7471
Associated Vulnerability
Title:Django SQL注入漏洞 (CVE-2020-7471)
Description:Django是Django基金会的一套基于Python语言的开源Web应用框架。该框架包括面向对象的映射器、视图系统、模板系统等。 Django 1.11.28之前的1.11版本、2.2.10之前的2.2版本和3.0.3之前的3.0版本中存在SQL注入漏洞。远程攻击者可借助特制StringAgg分隔符利用该漏洞造成拒绝服务,获取信息或提升权限。
Description
CVE-2020-7471 Potential SQL injection via StringAgg(delimiter)
Readme
### CVE-2020-7471 

这个仓库提供 CVE-2020-7471 Potential SQL injection via StringAgg(delimiter) 漏洞的环境和 POC 

### 受影响的 django 版本

- 1.11 到 1.11.28(不含)
- 2.2 到 2.2.10(不含)
- 3.0 到 3.0.3(不含)

### 下载使用前需要如下操作:

1. 安装 django 漏洞版本,我测试用的是

   ```python
   pip install django==3.0.2 -i https://pypi.tuna.tsinghua.edu.cn/simple
   ```

2. 参考 [https://www.runoob.com/postgresql/windows-install-postgresql.html](https://www.runoob.com/postgresql/windows-install-postgresql.html) 完成 postgres 数据库的安装

3. 新建数据库

   ```sql
   CREATE DATABASE test;
   ```


4. 修改 sqlvul_projects/settings.py 里面的数据库配置,如果上一步你安装用的默认配置(包括设置密码为postgres),就无需修改任何配置,可以跳过这一步

   ```
   DATABASES = {
       'default': {
           'ENGINE': 'django.db.backends.postgresql',
           'NAME': 'test',         # 数据库名称
           'USER': 'postgres',
           'PASSWORD': 'postgres', # 数据库用户密码
           'HOST': '127.0.0.1',    # 数据库地址
           'PORT': '5432',
       }
   }
   ```

5. 通过 django 初始化数据表

   ```shell
   python3 manage.py migrate
   python3 manage.py makemigrations test_app
   python3 manage.py migrate test_app
   ```

然后运行 POC 脚本`poc.py`就可以了

参考<https://github.com/Saferman/CVE-2020-7471>
File Snapshot

 [4.0K]  /data/pocs/21dff55a555f0ee855a8d7efa6bdadecd0312190
├── [ 634]  manage.py
├── [1.3K]  poc.py
├── [1.5K]  README.md
├── [4.0K]  sqlvul_project
│   ├── [ 405]  asgi.py
│   ├── [   0]  __init__.py
│   ├── [4.0K]  __pycache__
│   │   ├── [ 143]  __init__.cpython-36.pyc
│   │   ├── [ 156]  __init__.cpython-37.pyc
│   │   ├── [2.3K]  settings.cpython-36.pyc
│   │   ├── [2.3K]  settings.cpython-37.pyc
│   │   ├── [ 969]  urls.cpython-36.pyc
│   │   ├── [ 982]  urls.cpython-37.pyc
│   │   └── [ 560]  wsgi.cpython-36.pyc
│   ├── [3.2K]  settings.py
│   ├── [ 789]  urls.py
│   └── [ 405]  wsgi.py
└── [4.0K]  test_app
    ├── [  63]  admin.py
    ├── [  90]  apps.py
    ├── [   0]  __init__.py
    ├── [4.0K]  migrations
    │   ├── [ 525]  0001_initial.py
    │   ├── [   0]  __init__.py
    │   └── [4.0K]  __pycache__
    │       ├── [ 645]  0001_initial.cpython-37.pyc
    │       └── [ 161]  __init__.cpython-37.pyc
    ├── [ 152]  models.py
    ├── [4.0K]  __pycache__
    │   ├── [ 191]  admin.cpython-37.pyc
    │   ├── [ 150]  __init__.cpython-37.pyc
    │   └── [ 401]  models.cpython-37.pyc
    ├── [  60]  tests.py
    └── [  63]  views.py

6 directories, 28 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.