first commit

django/CVE-2019-14234/Dockerfile

@@ -0,0 +1,11 @@
+FROM vulhub/django:2.2.3
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+COPY src/ /usr/src/
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
+WORKDIR /usr/src
+ENTRYPOINT [ "/docker-entrypoint.sh"]
+CMD [ "python", "manage.py", "runserver", "0.0.0.0:8000" ]

django/CVE-2019-14234/README.md

@@ -0,0 +1,46 @@
+# Django JSONField/HStoreField SQL Injection (CVE-2019-14234)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design.
+
+Django released a security update on August 1, 2019, which fixes a SQL injection vulnerability in the JSONField and HStoreField model fields. This vulnerability affects Django versions before 2.2.4, 2.1.11, and 1.11.23.
+
+The vulnerability requires the developer to use JSONField/HStoreField, and the field name of the queryset can be controlled by the user. Django's built-in admin interface is affected by this vulnerability, providing an easy way to demonstrate the issue.
+
+References:
+
+- <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>
+- <https://www.leavesongs.com/PENETRATION/django-jsonfield-cve-2019-14234.html>
+
+## Environment Setup
+
+Execute the following command to compile and start a vulnerable Django 2.2.3 server:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the server is started, you can access the Django home page at `http://your-ip:8000`.
+
+## Vulnerability Reproduction
+
+First, log in to the Django admin interface at `http://your-ip:8000/admin/` using the following credentials:
+
+- Username: `admin`
+- Password: `a123123123`
+
+Navigate to the Collection model's list view at `http://your-ip:8000/admin/vuln/collection/`:
+
+![](1.png)
+
+To exploit the SQL injection vulnerability, add `detail__a'b=123` to the GET parameters, where `detail` is the JSONField:
+
+```
+http://your-ip:8000/admin/vuln/collection/?detail__a%27b=123
+```
+
+The SQL error message will be displayed, confirming the successful injection:
+
+![](2.png)

django/CVE-2019-14234/README.zh-cn.md

@@ -0,0 +1,44 @@
+# Django JSONField/HStoreField SQL注入漏洞（CVE-2019-14234）
+
+Django是一个高级的Python Web框架，支持快速开发和简洁实用的设计。
+
+Django在2019年8月1日发布了安全更新，修复了在JSONField和HStoreField两个模型字段中存在的SQL注入漏洞。该漏洞影响Django 2.2.4、2.1.11和1.11.23之前的版本。
+
+该漏洞需要开发者使用了JSONField/HStoreField，且用户可以控制查询集中的键名。Django的内置管理界面受此漏洞影响，这为我们提供了一个简单的漏洞演示方法。
+
+参考链接：
+
+- <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>
+- <https://www.leavesongs.com/PENETRATION/django-jsonfield-cve-2019-14234.html>
+
+## 环境搭建
+
+执行如下命令编译并启动一个存在漏洞的Django 2.2.3服务器：
+
+```
+docker compose build
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8000`即可看到Django默认首页。
+
+## 漏洞复现
+
+首先使用以下凭据登录Django管理界面`http://your-ip:8000/admin/`：
+
+- 用户名：`admin`
+- 密码：`a123123123`
+
+导航到Collection模型的列表视图`http://your-ip:8000/admin/vuln/collection/`：
+
+![](1.png)
+
+要利用SQL注入漏洞，在GET参数中添加`detail__a'b=123`，其中`detail`是JSONField字段：
+
+```
+http://your-ip:8000/admin/vuln/collection/?detail__a%27b=123
+```
+
+SQL错误信息将会显示，证实注入成功：
+
+![](2.png)

django/CVE-2019-14234/docker-compose.yml

@@ -0,0 +1,13 @@
+version: '2'
+services:
+  web:
+    build: .
+    ports:
+    - "8000:8000"
+    depends_on:
+    - db
+  db:
+   image: postgres:9.6-alpine
+   environment:
+    - POSTGRES_PASSWORD=postgres
+    - POSTGRES_DB=cve

django/CVE-2019-14234/docker-entrypoint.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -ex
+cd /usr/src
+
+wait-for-it.sh -t 0 db:5432 -- echo "postgres is up"
+
+python manage.py migrate
+python manage.py loaddata collection.json
+python manage.py shell -c "from django.contrib.auth.models import User; User.objects.create_superuser('admin', 'admin@vulhub.org', 'a123123123') if not User.objects.filter(username='admin').exists() else 0"
+
+exec "$@"

django/CVE-2019-14234/src/collection.json

@@ -0,0 +1,28 @@
+[
+    {
+      "model": "vuln.Collection",
+      "pk": 1,
+      "fields": {
+        "name": "Example 1",
+        "detail": {
+            "title": "title 1",
+            "author": "vulhub",
+            "tags": ["python", "django"],
+            "content": "..."
+        }
+      }
+    },
+    {
+      "model": "vuln.Collection",
+      "pk": 2,
+      "fields": {
+        "name": "Example 2",
+        "detail": {
+            "title": "title 2",
+            "author": "vulhub",
+            "tags": ["python"],
+            "content": "..."
+        }
+      }
+    }
+  ]

django/CVE-2019-14234/src/cve201914234/settings.py

@@ -0,0 +1,125 @@
+"""
+Django settings for cve201914234 project.
+
+Generated by 'django-admin startproject' using Django 2.2.3.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/2.2/topics/settings/
+
+For the full list of settings and their values, see
+https://docs.djangoproject.com/en/2.2/ref/settings/
+"""
+
+import os
+
+# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
+BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+
+
+# Quick-start development settings - unsuitable for production
+# See https://docs.djangoproject.com/en/2.2/howto/deployment/checklist/
+
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = 'rg3d%3$4%%syk866u%sho7-u+m46m4(_uhwy=t-ms4r9wssus_'
+
+# SECURITY WARNING: don't run with debug turned on in production!
+DEBUG = True
+
+ALLOWED_HOSTS = ["*"]
+
+
+# Application definition
+
+INSTALLED_APPS = [
+    'django.contrib.admin',
+    'django.contrib.auth',
+    'django.contrib.contenttypes',
+    'django.contrib.sessions',
+    'django.contrib.messages',
+    'django.contrib.staticfiles',
+    'vuln',
+]
+
+MIDDLEWARE = [
+    'django.middleware.security.SecurityMiddleware',
+    'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.middleware.common.CommonMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'django.contrib.messages.middleware.MessageMiddleware',
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
+]
+
+ROOT_URLCONF = 'cve201914234.urls'
+
+TEMPLATES = [
+    {
+        'BACKEND': 'django.template.backends.django.DjangoTemplates',
+        'DIRS': [],
+        'APP_DIRS': True,
+        'OPTIONS': {
+            'context_processors': [
+                'django.template.context_processors.debug',
+                'django.template.context_processors.request',
+                'django.contrib.auth.context_processors.auth',
+                'django.contrib.messages.context_processors.messages',
+            ],
+        },
+    },
+]
+
+WSGI_APPLICATION = 'cve201914234.wsgi.application'
+
+
+# Database
+# https://docs.djangoproject.com/en/2.2/ref/settings/#databases
+
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.postgresql',
+        'NAME': 'cve',
+        'USER': 'postgres',
+        'PASSWORD': 'postgres',
+        'HOST': 'db',
+        'PORT': '5432',
+    }
+}
+
+
+# Password validation
+# https://docs.djangoproject.com/en/2.2/ref/settings/#auth-password-validators
+
+AUTH_PASSWORD_VALIDATORS = [
+    {
+        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
+    },
+]
+
+
+# Internationalization
+# https://docs.djangoproject.com/en/2.2/topics/i18n/
+
+LANGUAGE_CODE = 'en-us'
+
+TIME_ZONE = 'UTC'
+
+USE_I18N = True
+
+USE_L10N = True
+
+USE_TZ = True
+
+
+# Static files (CSS, JavaScript, Images)
+# https://docs.djangoproject.com/en/2.2/howto/static-files/
+
+STATIC_URL = '/static/'

django/CVE-2019-14234/src/cve201914234/urls.py

@@ -0,0 +1,21 @@
+"""cve201914234 URL Configuration
+
+The `urlpatterns` list routes URLs to views. For more information please see:
+    https://docs.djangoproject.com/en/2.2/topics/http/urls/
+Examples:
+Function views
+    1. Add an import:  from my_app import views
+    2. Add a URL to urlpatterns:  path('', views.home, name='home')
+Class-based views
+    1. Add an import:  from other_app.views import Home
+    2. Add a URL to urlpatterns:  path('', Home.as_view(), name='home')
+Including another URLconf
+    1. Import the include() function: from django.urls import include, path
+    2. Add a URL to urlpatterns:  path('blog/', include('blog.urls'))
+"""
+from django.contrib import admin
+from django.urls import path
+
+urlpatterns = [
+    path('admin/', admin.site.urls),
+]

django/CVE-2019-14234/src/cve201914234/wsgi.py

@@ -0,0 +1,16 @@
+"""
+WSGI config for cve201914234 project.
+
+It exposes the WSGI callable as a module-level variable named ``application``.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/2.2/howto/deployment/wsgi/
+"""
+
+import os
+
+from django.core.wsgi import get_wsgi_application
+
+os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'cve201914234.settings')
+
+application = get_wsgi_application()

django/CVE-2019-14234/src/manage.py

@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+"""Django's command-line utility for administrative tasks."""
+import os
+import sys
+
+
+def main():
+    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'cve201914234.settings')
+    try:
+        from django.core.management import execute_from_command_line
+    except ImportError as exc:
+        raise ImportError(
+            "Couldn't import Django. Are you sure it's installed and "
+            "available on your PYTHONPATH environment variable? Did you "
+            "forget to activate a virtual environment?"
+        ) from exc
+    execute_from_command_line(sys.argv)
+
+
+if __name__ == '__main__':
+    main()

django/CVE-2019-14234/src/vuln/admin.py

@@ -0,0 +1,5 @@
+from django.contrib import admin
+from .models import Collection
+
+# Register your models here.
+admin.site.register(Collection)

django/CVE-2019-14234/src/vuln/apps.py

@@ -0,0 +1,5 @@
+from django.apps import AppConfig
+
+
+class VulnConfig(AppConfig):
+    name = 'vuln'

django/CVE-2019-14234/src/vuln/migrations/0001_initial.py

@@ -0,0 +1,23 @@
+# Generated by Django 2.2.3 on 2019-08-02 19:41
+
+from django.db import migrations, models
+from django.contrib.postgres.fields import JSONField
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Collection',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', models.CharField(max_length=128)),
+                ('detail', JSONField()),
+            ],
+        ),
+    ]

django/CVE-2019-14234/src/vuln/models.py

@@ -0,0 +1,10 @@
+from django.db import models
+from django.contrib.postgres.fields import JSONField
+
+
+class Collection(models.Model):
+    name = models.CharField(max_length=128)
+    detail = JSONField()
+
+    def __str__(self):
+        return self.name