Shulou(Shulou.com)05/31 Report--

This article is about how to analyze Django JSONField,HStoreField SQL injection vulnerabilities. The editor thinks it is very practical, so I share it with you. I hope you can get something after reading this article. Let's take a look at it with the editor.

I. Preface

Django is an open source Web application framework written by Python. The frame pattern of MTV is adopted, that is, model M, view V and template T. It was originally developed to manage some of the Lawrence Publishing Group's news-based websites, the CMS (content Management system) software, and was released under the BSD license in July 2005.

Second, brief introduction of loopholes

Django made a security patch update on August 2, 2019, fixing four CVE, including a SQL injection vulnerability.

Third, loophole harm

According to the analysis of Douxiang Security Emergency response team, attackers can attack servers using fragile versions of Django framework through carefully constructed request packets. Successful attacks will lead to SQL injection vulnerabilities and disclose website data information.

IV. Scope of influence products

Django

Version

Django 2.2.x < 2.2.4

Django 2.1.x < 2.1.11

Django 1.11.x < 1.11.23

Version

Django

V. recurrence of loopholes

None for the time being

VI. Restoration plan

1. Upgrade the Django version to 2.2.4, 2.1.11, 1.11.23

Add rules to intercept SQL attacks in 2.WAF

The above is how to analyze Django JSONField,HStoreField SQL injection vulnerabilities, and the editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.