first commit

django/CVE-2022-34265/README.md

@@ -0,0 +1,38 @@
+# Django Trunc(kind) and Extract(lookup_name) SQL Injection (CVE-2022-34265)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design.
+
+Django released a security update on July 4, 2022, which fixes a SQL injection vulnerability in the Trunc() and Extract() database functions. This vulnerability affects Django versions before 4.0.6, 3.2.14.
+
+References:
+
+- https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
+- https://github.com/django/django/commit/0dc9c016fadb71a067e5a42be30164e3f96c0492
+
+## Environment Setup
+
+Execute the following command to start a vulnerable Django 4.0.5 server:
+
+```
+docker compose up -d
+```
+
+After the server is started, you can access the web page at `http://your-ip:8000`.
+
+## Vulnerability Reproduction
+
+The web application uses the `Trunc` function to aggregate page click counts by datetime. Visit `http://your-ip:8000/?date=minute` to see the number of clicks per minute:
+
+![](1.png)
+
+To exploit the SQL injection vulnerability, modify the `date` parameter with malicious input:
+
+```
+http://your-ip:8000/?date=xxxx'xxxx
+```
+
+The SQL error message will be displayed, confirming the successful injection:
+
+![](2.png)

django/CVE-2022-34265/README.zh-cn.md

@@ -0,0 +1,36 @@
+# Django Trunc(kind)和Extract(lookup_name)函数SQL注入漏洞（CVE-2022-34265）
+
+Django是一个高级的Python Web框架，支持快速开发和简洁实用的设计。
+
+Django在2022年7月4日发布了安全更新，修复了在数据库函数`Trunc()`和`Extract()`中存在的SQL注入漏洞。该漏洞影响Django 4.0.6和3.2.14之前的版本。
+
+参考链接：
+
+- https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
+- https://github.com/django/django/commit/0dc9c016fadb71a067e5a42be30164e3f96c0492
+
+## 环境搭建
+
+执行如下命令启动一个存在漏洞的Django 4.0.5服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8000`即可看到Web页面。
+
+## 漏洞复现
+
+该Web应用使用`Trunc`函数来按照日期时间聚合页面点击次数。访问`http://your-ip:8000/?date=minute`可以查看每分钟的点击次数：
+
+![](1.png)
+
+要利用SQL注入漏洞，修改`date`参数为恶意输入：
+
+```
+http://your-ip:8000/?date=xxxx'xxxx
+```
+
+SQL错误信息将会显示，证实注入成功：
+
+![](2.png)

django/CVE-2022-34265/docker-compose.yml

@@ -0,0 +1,24 @@
+version: '2'
+services:
+  web:
+    image: vulhub/django:4.0.5
+    ports:
+    - "8000:8000"
+    depends_on:
+    - db
+    volumes:
+    - ./web:/usr/src
+    - ./docker-entrypoint.sh:/docker-entrypoint.sh
+    entrypoint:
+    - bash
+    - /docker-entrypoint.sh
+    command:
+    - python
+    - app.py
+    - runserver
+    - 0.0.0.0:8000
+  db:
+   image: postgres:13-alpine
+   environment:
+    - POSTGRES_PASSWORD=postgres
+    - POSTGRES_DB=CVE_2022_34265

django/CVE-2022-34265/docker-entrypoint.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -ex
+cd /usr/src
+
+wait-for-it.sh -t 0 db:5432 -- echo "database is up"
+
+python app.py migrate
+
+exec "$@"

django/CVE-2022-34265/web/app.py

@@ -0,0 +1,46 @@
+import os
+import sys
+
+
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", __name__)
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+DEBUG = True
+SECRET_KEY = 'vulhub'
+ALLOWED_HOSTS = ['*']
+MIDDLEWARE = [
+    'django.middleware.common.CommonMiddleware',
+]
+
+ROOT_URLCONF = 'vuln.urls'
+LOGGING = {
+    'version': 1,
+    'disable_existing_loggers': False,
+    'handlers': {
+        'console': {
+            'class': 'logging.StreamHandler',
+        },
+    },
+    'loggers': {
+        'django': {
+            'handlers': ['console'],
+            'level': os.getenv('DJANGO_LOG_LEVEL', 'WARNING'),
+        },
+    },
+}
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.postgresql',
+        'NAME': 'CVE_2022_34265',
+        'USER': 'postgres',
+        'PASSWORD': 'postgres',
+        'HOST': 'db',
+        'PORT': '5432',
+    }
+}
+INSTALLED_APPS = [
+    'vuln'
+]
+
+
+from django.core.management import execute_from_command_line
+execute_from_command_line(sys.argv)

django/CVE-2022-34265/web/vuln/apps.py

@@ -0,0 +1,6 @@
+from django.apps import AppConfig
+
+
+class VulnConfig(AppConfig):
+    name = 'vuln'
+    default_auto_field = 'django.db.models.BigAutoField'

django/CVE-2022-34265/web/vuln/migrations/0001_initial.py

@@ -0,0 +1,24 @@
+# Generated by Django 4.0.6 on 2022-07-13 22:50
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='WebLog',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('method', models.CharField(max_length=16)),
+                ('url', models.CharField(max_length=256)),
+                ('user_agent', models.CharField(max_length=256)),
+                ('created_time', models.DateTimeField(auto_now_add=True)),
+            ],
+        ),
+    ]

django/CVE-2022-34265/web/vuln/models.py

@@ -0,0 +1,9 @@
+from operator import mod
+from django.db import models
+
+
+class WebLog(models.Model):
+    method = models.CharField(max_length=16)
+    url = models.CharField(max_length=256)
+    user_agent = models.CharField(max_length=256)
+    created_time = models.DateTimeField(auto_now_add=True)

django/CVE-2022-34265/web/vuln/urls.py

@@ -0,0 +1,7 @@
+from django.urls import include, path, re_path
+from . import views
+
+
+urlpatterns = [
+    path('', views.vul),
+]

django/CVE-2022-34265/web/vuln/views.py

@@ -0,0 +1,22 @@
+from django.http import HttpResponse, JsonResponse
+from django.db.models.functions import Trunc
+from django.db.models import Count
+from .models import WebLog
+
+
+def create_log(request):
+    method = request.method
+    url = request.build_absolute_uri()
+    user_agent = request.META.get('HTTP_USER_AGENT')
+    WebLog.objects.create(
+        method=method,
+        url=url,
+        user_agent=user_agent
+    )
+
+
+def vul(request):
+    create_log(request)
+    date = request.GET.get('date', 'minute')
+    objects = list(WebLog.objects.annotate(time=Trunc('created_time', date)).values('time').order_by('-time').annotate(count=Count('id')))
+    return JsonResponse(data=objects, safe=False)