CVE-2020-7471 PoC — Django SQL注入漏洞

Source

https://github.com/huzaifakhan771/CVE-2020-7471-Django

Associated Vulnerability

Title:Django SQL注入漏洞 (CVE-2020-7471)
Description:Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

Description

PoC for the SQL injection vulnerability in PostgreSQL with Django, found in Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3

Readme

# CVE-2020-7471-PoC (Django)
PoC for the SQL injection vulnerability in PostgreSQL with Django, found in Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3

The class `django.contrib.postgres.aggregates.StringAgg` for using the PostgreSQL STRING_AGG function had a SQL injection vulnerability. It is 
possible to embed an arbitrary query in the value passed to the delimiter parameter at initialization.

The query is injected through a form in this Django app.
Query used for SQL injection: `-') AS "mydefinedname" FROM "cve_src_example" GROUP BY "cve_src_example"."label" LIMIT 1 OFFSET 1 -- `


### Django Version used: Django 3.0.2
### PostgreSQL version used: 9.6.16

File Snapshot


 [4.0K]  /data/pocs/fa3b59c5e54e776caef94f8cc4db3218db81fac1
├── [ 689]  README.md
├── [1.6K]  requirements.txt
└── [1.0K]  views.py

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!