Django JSONField/HStoreField SQL Injection (CVE-2019-14234)

Environment

Copying p牛's (phithon's) homework, i.e. the vulhub environment:

https://github.com/AbelChe/vulhub/tree/master/django/CVE-2019-14234

Analysis and reproduction

Django source

The update of August 14, 2019 (the commit carrying the fix and its regression test): https://github.com/django/django/commit/c19ad2da4b573431843e5cead77f4139e29c77a0

test_json.py, TestQuerying.test_key_sql_injection(), lines 335~345. The kwarg name passed through filter(**{...}) carries SQL in its key part; the assertion checks that the quotes inside that key come out doubled in the emitted SQL, i.e. the key is bound as one string literal rather than spliced into the query text:

```python
def test_key_sql_injection(self):
    # The key part of the lookup ("test' = '\"a\"') OR 1 = 1 OR ('d") contains SQL.
    # If it were %-formatted into the query, the quotes would break out of the literal.
    with CaptureQueriesContext(connection) as queries:
        self.assertFalse(
            JSONModel.objects.filter(**{
                """field__test' = '"a"') OR 1 = 1 OR ('d""": 'x',
            }).exists()
        )
    # Fixed behaviour: the whole key appears as a single quoted literal,
    # every embedded ' doubled, so "OR 1 = 1" never becomes live SQL.
    self.assertIn(
        """."field" -> 'test'' = ''"a"'') OR 1 = 1 OR (''d') = '"x"' """,
        queries[0]['sql'],
    )
```

Source of p牛's environment

Data structure:

models.py

Data migration:

It is clear that the JSONField() column is named detail.

Combined with this article: https://xz.aliyun.com/t/5896

The parameter detail__title=vulhub

is passed to the backend as the query Collection.objects.filter(detail__title='vulhub'), i.e. Collection.objects.filter(**{"detail__title": 'vulhub'}). Everything after detail__ in the parameter name becomes the JSON key transform, and in the vulnerable versions that key name is %-formatted directly into the SQL text instead of being passed as a query parameter, so the attacker controls part of the statement through the parameter name alone.

Testing the injection point

payload:

/admin/vuln/collection/?detail__title'=title%202

The stray single quote in the key name ends up unbalanced in the generated SQL, so a vulnerable version answers with a database error page.

Injection

payload:

admin/vuln/collection/?detail__title=title%202
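To make the mechanism concrete, the following is an added example, not code from this page, from vulhub or from Django itself: a small Python model of how the key transform's SQL is built before and after the fix, shaped after the pre-fix and post-fix KeyTransform.as_sql in django/contrib/postgres/fields/jsonb.py with the query-compiler machinery stripped out. The column name "vuln_collection"."detail", the helper names and the psycopg2-style client-side quoting are assumptions for illustration; the probes are the page's own (detail__title=vulhub and the detail__title' injection-point test) plus the payload from Django's regression test quoted above.

```python
import json

# Assumed column for vulhub's Collection.detail JSONField (illustrative, not taken from the page).
COLUMN = '"vuln_collection"."detail"'


def split_lookup(kwarg):
    """Split a filter kwarg such as detail__title into (field, key), as Django does on '__'."""
    field, _, key = kwarg.partition("__")
    return field, key


def vulnerable_sql(kwarg, value):
    """Pre-fix shape: the key name is %-formatted straight into the SQL text."""
    _, key = split_lookup(kwarg)
    try:
        int(key)
        lookup = key             # numeric key: treated as an array index, unquoted
    except ValueError:
        lookup = "'%s'" % key    # object key: quoted by string formatting, so a ' in the key breaks out
    sql = "(%s -> %s) = %%s" % (COLUMN, lookup)
    return sql, [json.dumps(value)]   # only the *value* is a bound parameter


def fixed_sql(kwarg, value):
    """Post-fix shape: the key travels as a bound parameter too, never as SQL text."""
    _, key = split_lookup(kwarg)
    try:
        lookup = int(key)
    except ValueError:
        lookup = key
    sql = "(%s -> %%s) = %%s" % COLUMN
    return sql, [lookup, json.dumps(value)]


def render(sql, params):
    """Client-side interpolation in the style of psycopg2: quote strings, double embedded quotes."""
    def quote(p):
        if isinstance(p, int):
            return str(p)
        return "'" + str(p).replace("'", "''") + "'"
    return sql % tuple(quote(p) for p in params)


def quotes_balanced(statement):
    """Crude check (odd number of ' means an unterminated literal) used only to show why the ' probe errors."""
    return statement.count("'") % 2 == 0


if __name__ == "__main__":
    probes = [
        ("detail__title", "vulhub"),                          # normal lookup from the page
        ("detail__title'", "title 2"),                        # injection-point test from the page
        ("""field__test' = '"a"') OR 1 = 1 OR ('d""", "x"),   # Django's regression-test payload
    ]
    for kwarg, value in probes:
        for name, builder in (("vulnerable", vulnerable_sql), ("fixed", fixed_sql)):
            stmt = render(*builder(kwarg, value))
            print(f"{name:10} balanced={quotes_balanced(stmt)!s:5} {stmt}")
```

For the benign lookup both builders emit the same statement. For the detail__title' probe the vulnerable build has an odd number of quotes (the database error seen when testing the injection point) while the fixed build quotes the key as the literal title'. For the regression-test payload the vulnerable build leaves OR 1 = 1 outside any string literal, whereas the fixed build produces exactly the doubled-quote text that Django's assertIn expects.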

Reference:

https://xz.aliyun.com/t/5896
