Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-35042 PoC — Django SQL注入漏洞

Source
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-35042.yaml
Associated Vulnerability
Title:Django SQL注入漏洞 (CVE-2021-35042)
Description:Django是Django基金会的一套基于Python语言的开源Web应用框架。该框架包括面向对象的映射器、视图系统、模板系统等。 Django 存在SQL注入漏洞,该漏洞源于未检测的用户输入传递给"QuerySet.order by()"可以在标记为弃用的路径中绕过预期的列引用验证,从而导致潜在的SQL注入。
Description
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 contain a SQL injection caused by untrusted input in QuerySet.order_by, letting attackers execute arbitrary SQL commands, exploit requires attacker to control order_by input.
File Snapshot

 id: CVE-2021-35042

info:
  name: Django QuerySet.order_by - SQL Injection
  author: 0x_Akoko
  seve

...
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.