.. / CVE-2020-9402

Exploit for Django SQL Injection (CVE-2020-9402)

Description:

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it is possible to break character escaping and inject malicious SQL.

Nuclei Template

View the template here CVE-2020-9402.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2020/CVE-2020-9402.yaml

References:

https://groups.google.com/forum/#!topic/django-announce/fLUh_pOaKrY
https://www.debian.org/security/2020/dsa-4705
https://github.com/vulhub/vulhub/tree/master/django/CVE-2020-9402
https://nvd.nist.gov/vuln/detail/CVE-2020-9402
https://docs.djangoproject.com/en/3.0/releases/security/

.. / CVE-2020-9402 if(localStorage["style"]=="true"){ document.getElementById('pagestyle').setAttribute('href','/assets/styleDark.css'); document.querySelector('input[type="checkbox"]').checked = true }

Exploit for Django SQL Injection (CVE-2020-9402)

Description:

Nuclei Template

Validate with Nuclei

.. / CVE-2020-9402