Django SQL ×¢ÈëÎó²î£¨CVE-2021-35042£©

Ðû²¼Ê±¼ä 2021-07-06

0x00 Îó²î¸ÅÊö

CVE     ID

CVE-2021-35042

ʱ      ¼ä

2021-07-06

Àà      ÐÍ

SQL×¢Èë

µÈ      ¼¶

¸ßΣ

Ô¶³ÌʹÓÃ

ÊÇ

Ó°Ïì¹æÄ£


¹¥»÷ÖØƯºó


¿ÉÓÃÐÔ

¸ß

Óû§½»»¥

ÎÞ

ËùÐèȨÏÞ


PoC/EXP

δ¹ûÕæ

ÔÚҰʹÓÃ

·ñ

 

0x01 Îó²îÏêÇé

image.png

Django ÊÇ Python ÓïÑÔÇý¶¯µÄÒ»¸ö¿ªÔ´Ä£×Ó-ÊÓͼ-¿ØÖÆÆ÷£¨MVC£©Æø¸ÅµÄ Web Ó¦ÓóÌÐò¿ò¼Ü¡£¡£¡£¡£¡£ ¡£

2021Äê07ÔÂ01ÈÕ£¬£¬£¬£¬£¬Django Ðû²¼ÁË3.2.5 ºÍ 3.1.13°æ±¾£¬£¬£¬£¬£¬ÐÞ¸´ÁËDjangoÖеÄÒ»¸öSQL×¢ÈëÎó²î£¨CVE-2021-35042£©£¬£¬£¬£¬£¬Django½¨ÒéÓû§¾¡¿ìÉý¼¶¡£¡£¡£¡£¡£ ¡£

ÓÉÓÚת´ï¸øQuerySet.order_by()µÄÓû§ÊäÈëδ¾­´¦Öóͷ££¬£¬£¬£¬£¬¹¥»÷Õß¿ÉÒÔʹÓÃÕâÈƹý±ê¼ÇΪÆúÓõÄ·¾¶ÖеÄÔ¤ÆÚÁÐÒýÓÃÑéÖ¤£¬£¬£¬£¬£¬´Ó¶øµ¼ÖÂSQL×¢Èë¡£¡£¡£¡£¡£ ¡£

 

Ó°Ïì¹æÄ£

Django  3.2

Django  3.1

 

0x02 ´¦Öóͷ£½¨Òé

 ÏÖÔÚ´ËÎó²îÒѾ­ÐÞ¸´£¬£¬£¬£¬£¬½¨ÒéʵʱÉý¼¶ÖÁDjango 3.2.5 »ò 3.1.13¡£¡£¡£¡£¡£ ¡£

Django 3.2.5ÏÂÔØÁ´½Ó£º

https://www.djangoproject.com/m/releases/3.2/Django-3.2.5.tar.gz

 

Django 3.1.13ÏÂÔØÁ´½Ó£º

https://www.djangoproject.com/m/releases/3.1/Django-3.1.13.tar.gz

 

0x03 ²Î¿¼Á´½Ó

https://www.djangoproject.com/weblog/2021/jul/01/security-releases/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35042

https://nvd.nist.gov/vuln/detail/CVE-2021-35042

 

0x04 ʱ¼äÏß

2021-07-01  DjangoÐû²¼¸üÐÂͨ¸æ

2021-07-06  VSRCÐû²¼Ç徲ͨ¸æ

0x05 ¸½Â¼

CVSSÆÀ·Ö±ê×¼¹ÙÍø£ºhttp://www.first.org/cvss/

image.png