aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
django/CVE-2019-14234/README.zh-cn.md Normal file
View File

@@ -0,0 +1,44 @@
# Django JSONField/HStoreField SQL注入漏洞CVE-2019-14234
Django是一个高级的Python Web框架支持快速开发和简洁实用的设计。
Django在2019年8月1日发布了安全更新修复了在JSONField和HStoreField两个模型字段中存在的SQL注入漏洞。该漏洞影响Django 2.2.4、2.1.11和1.11.23之前的版本。
该漏洞需要开发者使用了JSONField/HStoreField且用户可以控制查询集中的键名。Django的内置管理界面受此漏洞影响这为我们提供了一个简单的漏洞演示方法。
参考链接:
- <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>
- <https://www.leavesongs.com/PENETRATION/django-jsonfield-cve-2019-14234.html>
## 环境搭建
执行如下命令编译并启动一个存在漏洞的Django 2.2.3服务器:
```
docker compose build
docker compose up -d
```
环境启动后,访问`http://your-ip:8000`即可看到Django默认首页。
## 漏洞复现
首先使用以下凭据登录Django管理界面`http://your-ip:8000/admin/`
- 用户名:`admin`
- 密码:`a123123123`
导航到Collection模型的列表视图`http://your-ip:8000/admin/vuln/collection/`
![](1.png)
要利用SQL注入漏洞在GET参数中添加`detail__a'b=123`,其中`detail`是JSONField字段
```
http://your-ip:8000/admin/vuln/collection/?detail__a%27b=123
```
SQL错误信息将会显示证实注入成功
![](2.png)