Skip to content
Branch: master
Find file History
Pull request Compare This branch is 7 commits behind vulhub:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
..
Failed to load latest commit information.
src
1.png
2.png
Dockerfile
README.md
README.zh-cn.md
docker-compose.yml
docker-entrypoint.sh

README.md

Django JSONField/HStoreField SQL Injection Vulnerability (CVE-2019-14234)

中文版本(Chinese version)

Django released a security update on August 1, 2019, which fixes a SQL injection vulnerability in the two model fields of JSONField and HStoreField.

Reference link:

The vulnerability requires the developer to use JSONField/HStoreField; moreover, the field name of the queryset can be controlled. Django's built-in application Django-Admin is affected, which gives us an easy way to reproduce the vulnerability.

Start Vulnerability Application

Compile and start a vulnerable Django 2.2.3 by executing the following command:

Docker-compose build
Docker-compose up -d

After the environment is started, you can see the home page of Django at http://your-ip:8000.

Vulnerability Reproduce

First, log in to the Django-Admin http://your-ip:8000/admin/ with username admin and password a123123123.

Then go to the list-view http://your-ip:8000/admin/vuln/collection/ of the model Collection:

Add detail__a'b=123 to the GET parameter, where detail is the JSONField:

http://your-ip:8000/admin/vuln/collection/?detail__a%27b=123

You can see that the single quote has been injected successfully, and the SQL statement reports an error:

You can’t perform that action at this time.