来源

关联漏洞

描述

POC-Django JSONField/HStoreField SQL Injection Vulnerability (CVE-2019-14234)

介绍

# POC-Django JSONField/HStoreField SQL Injection Vulnerability Exploit (CVE-2019-14234)
Django released a security update on August 1, 2019, which fixes a SQL injection vulnerability in the two model fields of JSONField and HStoreField.

Reference link: 

https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
https://www.leavesongs.com/PENETRATION/django-jsonfield-cve-2019-14234.html

The vulnerability requires the developer to use JSONField/HStoreField; moreover, the field name of the queryset can be controlled. Django's built-in application Django-Admin is affected, which gives us an easy way to reproduce the vulnerability.

## Start Vulnerability Application
Compile and start a vulnerable Django 2.2.3 by executing the following command:


```
docker compose build
docker compose up -d
```

After the environment is started, you can see the home page of Django at http://your-ip:8000.

## Vulnerability Reproduce
First, log in to the Django-Admin `http://your-ip:8000/admin/` with username `admin` and password `a123123123`.

Then go to the list-view `http://your-ip:8000/admin/vuln/collection/` of the model `Collection`:

Add `detail__a'b=123` to the GET parameter, where `detail` is the JSONField:

http://your-ip:8000/admin/vuln/collection/?detail__a%27b=123

You can see that the single quote has been injected successfully, and the SQL statement reports an error:

文件快照

 [4.0K]  /data/pocs/7faf51b522a4cf54e67bfbd4db1d3b6790c406b7
├── [ 584]  0001_initial.py
├── [ 126]  admin.py
├── [  83]  apps.py
├── [ 558]  collection.json
├── [ 203]  docker-compose.yml
├── [ 372]  docker-entrypoint.sh
├── [ 293]  Dockerfile
├── [   0]  __init__.py
├── [ 632]  manage.py
├── [ 234]  models.py
├── [1.4K]  README.md
├── [3.1K]  settings.py
├── [ 754]  urls.py
└── [ 401]  wsgi.py

0 directories, 14 files

备注