first commit

django/CVE-2017-12794/README.md

@@ -0,0 +1,41 @@
+# Django 500 Debug Page Cross-Site Scripting (XSS) (CVE-2017-12794)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design.
+
+Django versions before 1.11.5 and 1.10.8 contain a cross-site scripting (XSS) vulnerability in the debug error page. When DEBUG mode is enabled, error pages could potentially expose sensitive information through unescaped HTML in the error message.
+
+The vulnerability is triggered when a database error occurs and its details are displayed in the debug page. The error message from the database is not properly escaped before being rendered in the template.
+
+References:
+
+- <https://www.djangoproject.com/weblog/2017/sep/05/security-releases/>
+- <https://nvd.nist.gov/vuln/detail/CVE-2017-12794>
+- <https://www.leavesongs.com/PENETRATION/django-debug-page-xss.html>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable Django server (the version of Django is 1.11.4):
+
+```
+docker compose up -d
+```
+
+After the server is started, you can access the Django home page at `http://your-ip:8000`.
+
+## Vulnerability Reproduction
+
+Visit the following URL to create a user with a malicious username containing JavaScript code:
+
+```
+http://your-ip:8000/create_user/?username=<script>alert(1)</script>
+```
+
+The first request will succeed. Then, visit the same URL again to trigger a database unique constraint error. The error page will include the unescaped username in the error message:
+
+![](1.png)
+
+The JavaScript code in the username will be executed in the browser, demonstrating the XSS vulnerability. This vulnerability could be exploited by attackers to execute arbitrary JavaScript code in the context of the debug page, potentially leading to session hijacking or other client-side attacks.
+
+For detailed principle of this vulnerability, please refer to the third link in the references section: <https://www.leavesongs.com/PENETRATION/django-debug-page-xss.html>

django/CVE-2017-12794/README.zh-cn.md

@@ -0,0 +1,39 @@
+# Django调试页面跨站脚本漏洞（CVE-2017-12794）
+
+Django是一个高级的Python Web框架，支持快速开发和简洁实用的设计。
+
+Django 1.11.5和1.10.8版本之前的调试错误页面中存在跨站脚本（XSS）漏洞。当启用DEBUG模式时，错误页面可能会通过未经转义的HTML错误消息暴露敏感信息。
+
+该漏洞在数据库错误发生并且其详细信息显示在调试页面时触发。数据库的错误消息在模板渲染之前没有被正确转义。
+
+参考链接：
+
+- <https://www.djangoproject.com/weblog/2017/sep/05/security-releases/>
+- <https://nvd.nist.gov/vuln/detail/CVE-2017-12794>
+- <https://www.leavesongs.com/PENETRATION/django-debug-page-xss.html>
+
+## 环境搭建
+
+执行如下命令启动一个存在漏洞的Django服务器（Django版本为1.11.4）：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8000`即可看到Django默认首页。
+
+## 漏洞复现
+
+访问以下URL创建一个包含JavaScript代码的恶意用户名：
+
+```
+http://your-ip:8000/create_user/?username=<script>alert(1)</script>
+```
+
+第一次请求将成功创建用户。然后，再次访问相同的URL以触发数据库唯一约束错误。错误页面将在错误消息中包含未经转义的用户名：
+
+![](1.png)
+
+用户名中的JavaScript代码将在浏览器中执行，证实了XSS漏洞的存在。攻击者可以利用此漏洞在调试页面的上下文中执行任意JavaScript代码，可能导致会话劫持或其他客户端攻击。
+
+有关此漏洞的详细原理，请参考这篇博客：<https://www.leavesongs.com/PENETRATION/django-debug-page-xss.html>

django/CVE-2017-12794/app.py

@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+import os
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", __name__)
+import sys
+import dj_database_url
+from django.conf.urls import url
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+DEBUG = True
+SECRET_KEY = '__secret_key__'
+ALLOWED_HOSTS = ['*']
+
+ROOT_URLCONF = __name__
+TEMPLATES = [{
+    'BACKEND': 'django.template.backends.django.DjangoTemplates',
+    'DIRS': [os.path.join(BASE_DIR, 'templates')],
+}]
+DATABASES = {
+    'default': dj_database_url.config(default='sqlite:///%s' % os.path.join(BASE_DIR, 'db.sqlite3'))
+}
+INSTALLED_APPS = [
+   'xss'
+]
+
+
+def user(request):
+    from django.http import HttpResponse
+    from xss.models import User
+    User.objects.create(username=request.GET['username'])
+    return HttpResponse('Hello, user has been created!')
+
+
+urlpatterns = [
+    url(r'^create_user/$', user)
+]
+
+
+from django.core.management import execute_from_command_line
+execute_from_command_line(sys.argv)

django/CVE-2017-12794/docker-compose.yml

@@ -0,0 +1,16 @@
+version: '2'
+services:
+ web:
+   image: vulhub/django:1.11.4
+   volumes:
+    - .:/app
+   ports:
+    - "8000:8000"
+   depends_on:
+    - db 
+   environment:
+    - DATABASE_URL=postgres://postgres:postgres@db:5432/postgres
+ db:
+   image: postgres:9.6-alpine
+   environment:
+    - POSTGRES_PASSWORD=postgres

django/CVE-2017-12794/xss/apps.py

@@ -0,0 +1,5 @@
+from django.apps import AppConfig
+
+
+class XssConfig(AppConfig):
+    name = 'xss'

django/CVE-2017-12794/xss/migrations/0001_initial.py

@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.4 on 2017-09-08 05:07
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='User',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('username', models.CharField(max_length=32, unique=True, verbose_name='Username')),
+            ],
+        ),
+    ]

django/CVE-2017-12794/xss/models.py

@@ -0,0 +1,5 @@
+from django.db import models
+
+
+class User(models.Model):
+    username = models.CharField('Username', unique=True, max_length=32)