# CVE-2025-57833

Example vulnerable application for [CVE-2025-57833](https://nvd.nist.gov/vuln/detail/CVE-2025-57833).

Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6 is vulnerable to a SQL injection via dictionary expansion when a dictionary is passed as `**kwargs` to `QuerySet.annotate()` or `QuerySet.alias()`.

Currently a work in progress.
This is for educational purposes only.
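
A defender-side sketch of guarding the pattern described above, added here as an example and not taken from this repository or from Django: request-supplied keys are checked against an allowlist before any dictionary is expanded into `annotate()` or `alias()`. The names `safe_alias_kwargs`, `ALLOWED_ALIASES`, `check` and the `Book` model in the final comment are hypothetical, and the sample request bodies are constructed.

```python
import re

# Alias names must be plain identifiers: no whitespace, quotes, or punctuation.
_ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")

# Hypothetical server-side allowlist: alias name -> expression to annotate with.
# The strings are stand-ins for ORM expressions such as F("title").
ALLOWED_ALIASES = {
    "title_upper": "<Upper(F('title'))>",
    "author_name": "<F('author__name')>",
}


class UnsafeAliasError(ValueError):
    """A request-supplied key is not an approved annotation alias."""


def safe_alias_kwargs(untrusted, allowed=ALLOWED_ALIASES):
    """Build the dict that may be expanded into annotate()/alias().

    Only keys are read from `untrusted`; every value comes from `allowed`,
    so nothing from the request reaches the ORM as an alias or expression.
    """
    if not isinstance(untrusted, dict):
        raise UnsafeAliasError("expected a JSON object")
    safe = {}
    for key in untrusted:
        if not isinstance(key, str) or not _ALIAS_RE.match(key):
            raise UnsafeAliasError(f"alias is not a plain identifier: {key!r}")
        if key not in allowed:
            raise UnsafeAliasError(f"alias is not allowlisted: {key!r}")
        safe[key] = allowed[key]
    return safe


def check(untrusted):
    """Return ('ok', kwargs) or ('rejected', reason) for one request body."""
    try:
        return "ok", safe_alias_kwargs(untrusted)
    except UnsafeAliasError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Constructed request bodies, already JSON-decoded.
    for body in ({"title_upper": 1}, {'title upper"': 1}, {"price": 1}, ["title_upper"]):
        print(check(body))
    # In a view (hypothetical model): Book.objects.annotate(**safe_alias_kwargs(body))
```

Upgrading to a fixed Django release remains the actual remedy; the allowlist is defense in depth for views that build annotation names from request data.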

```
[4.0K] /data/pocs/767687aa140c4823bd4a026f76d98400664b2da9
├── [ 499] Dockerfile
├── [  58] exploit.sh
├── [ 409] README.md
└── [4.0K] vulnproj
    ├── [4.0K] books
    │   ├── [  63] admin.py
    │   ├── [ 142] apps.py
    │   ├── [   0] __init__.py
    │   ├── [4.0K] migrations
    │   │   ├── [ 917] 0001_initial.py
    │   │   └── [   0] __init__.py
    │   ├── [ 238] models.py
    │   ├── [  60] tests.py
    │   └── [ 526] views.py
    ├── [ 664] manage.py
    ├── [ 919] seed.json
    └── [4.0K] vulnproj
        ├── [ 393] asgi.py
        ├── [   0] __init__.py
        ├── [3.2K] settings.py
        ├── [ 792] urls.py
        └── [ 393] wsgi.py

5 directories, 18 files
```