Cve-2019-14234 Django jsonfield SQL injection vulnerability
2022-07-19 05:00:00 【wavesky111】
I. Vulnerability summary
Django is a large, batteries-included web framework. It supports many database engines, including PostgreSQL, MySQL, Oracle and SQLite3, but none fits Django better than PostgreSQL, and the Django project itself recommends using it with PostgreSQL. This vulnerability stems from Django's implementation of the JSONField class. The core job of a Django model is to generate SQL statements, and when Django generates SQL through a JSONField lookup it does so by simple string concatenation.
II. Affected versions
- Django main development branch
- Django 2.2.x < 2.2.4
- Django 2.1.x < 2.1.11
- Django 1.11.x < 1.11.23
III. Vulnerability principle
In fact this is just another form of SQL injection: ORM injection (ORM = Object Relational Mapping).
1. What is an ORM: an ORM is a way of structuring a program. Formerly, code that queried the database had its SQL statements written inline with the program logic; once the program grew large this became hard to manage and hard to maintain. Later the program and the SQL statements were separated. At the same time the ORM encapsulates the SQL, so program calls become more convenient, programmers can focus on the logic layer, and the code moves towards object-oriented programming.
2. Cause of the vulnerability: a queryset has two mechanisms, transform and lookup, which act respectively on "joining two tables through a foreign key" and "how the value inside is compared (exact by default)". So as long as the key name of the queryset is controlled, injection follows naturally, but there is a problem here: in .filter() there is no way to control the key name, only the key value. There is one situation, however, where the developer passes the entire object submitted by the user into the filter() function; the user can then control the keys of filter, and through them the key names of the queryset, to achieve ORM injection. (From phith0n's article "Django JSONField SQL injection vulnerability (CVE-2019-14234) analysis and impact", Farewell Song blog.)
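The following is an added illustration (not Django's own code and not from the original post) of the two halves described above: a JSON key lookup whose SQL is produced by string concatenation, next to the same lookup with the key bound as a parameter, and a view-style filter builder that either forwards user-supplied keys blindly or checks them against an allowlist. The table, column and allowlist names are assumptions; the hostile key name is taken from the page's PoC URL.

```python
import re

# Constructed samples of the query keys a request might carry.
SAFE_KEYS = {"name": "demo"}
HOSTILE_KEYS = {"detail__a'b": "1"}   # key name from the page's PoC URL

# Assumed allowlist: the only lookup paths this view is meant to support.
ALLOWED_FILTERS = {"name", "detail__a"}
# Shape of a legitimate Django-style lookup path: identifiers joined by "__".
LOOKUP_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(__[A-Za-z_][A-Za-z0-9_]*)*$")


def key_lookup_sql_concat(column, key):
    """Vulnerable pattern: the JSON key name is quoted by string formatting,
    so a quote inside the key breaks out of the literal."""
    return "(%s -> '%s')" % (column, key), []


def key_lookup_sql_param(column, key):
    """Hardened pattern: the key name travels as a bound parameter and the
    database driver quotes it; the SQL text never contains user input."""
    return "(%s -> %%s)" % (column,), [key]


def build_where(filters, safe=True):
    """Turn a dict of lookup -> value into (sql, params).
    safe=False mimics filter(**user_dict) over the vulnerable lookup;
    safe=True rejects any key that is not a well-formed, allowlisted lookup."""
    clauses, params = [], []
    for lookup, value in filters.items():
        if safe and (not LOOKUP_RE.match(lookup) or lookup not in ALLOWED_FILTERS):
            raise ValueError("rejected filter key: %r" % lookup)
        column, _, key = lookup.partition("__")
        if key:
            render = key_lookup_sql_param if safe else key_lookup_sql_concat
            sql, key_params = render(column, key)
            clauses.append("%s = %%s" % sql)
            params += key_params + [value]
        else:
            clauses.append("%s = %%s" % column)
            params.append(value)
    return " AND ".join(clauses), params
```

Run `build_where(HOSTILE_KEYS, safe=False)` to see the unbalanced quote land in the SQL text; the hardened call raises before any SQL is built, and a legitimate `detail__a` lookup yields `(detail -> %s) = %s` with the key carried in the parameter list.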
IV. Reproduction environment
Kali Linux + Vulfocus
Attacking machine: Kali Linux
Target machine: Vulfocus
V. Experimental steps
1. Start the image environment and open the page (go straight to the Collection model management page in the admin backend).


2. Construct the payload: http://192.168.117.131:58480/admin/vuln/collection/detail__a%27b=1


3. Reproduction is straightforward; the main purpose here is to record the ORM injection scenario and the idea behind it.
VI. Fix
Django has released new versions that fix the bug; affected users should upgrade and protect their deployments as soon as possible. Upgrade Django to version >= 2.2.4, >= 2.1.11 or >= 1.11.23.
Django 2.2.4 download address:
https://www.djangoproject.com/m/releases/2.2/Django-2.2.4.tar.gz
Django 2.1.11 download address:
https://www.djangoproject.com/m/releases/2.1/Django-2.1.11.tar.gz
Django 1.11.23 download address:
https://www.djangoproject.com/m/releases/1.11/Django-1.11.23.tar.gz
Source: https://blog.csdn.net/weixin_42250835/article/details/121106792
VII. PoC
1. Poc_CVE-2019-14234 - wavesky - Blog Garden
2.https://github.com/wave-to/Poc/blob/main/Sql_or_ORM_injuection/Poc_CVE-2019-14234.py