webPromedium

Lab 51 — InsightGrid — SQL Injection via Django JSONField Key Paths

hackadvisor

Task: Django analytics platform with Custom Report Builder API that passes user-controlled metadata field names to QuerySet.values(), generating unescaped SQL column aliases for JSONField extraction. Solution: exploit CVE-2024-42005 by injecting double quotes into the field name to break out of the AS alias, then use UNION-based SQLite injection with error-based extraction to enumerate tables and read the flag from secret_flags.

$ ls tags/ techniques/

sqlite sql_injection django decoy_flag union_injection jsonfield cve_2024_42005 column_alias_injection error_based_extraction

decoy_flag_recognitionunion_based_sql_injectionerror_based_data_extractioncve_2024_42005_exploitationcolumn_alias_sqli_via_double_quote_breakoutsqlite_schema_enumeration_via_sqlite_masterplaceholder_binding_consumption

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 87 — GridWatch — SQL Injection in Agent Heartbeat API— hackadvisor
[web][Pro]Lab 103 — DataPilot — AI SQL Injection via Natural Language Query— hackadvisor
[web][Pro]MetricFlow— hackadvisor
[web][Pro]Lab 144 — InsightForge — Blind XXE via XML Data Import— hackadvisor
[web][Pro]Lab 80 — GateGuard — SQL Injection in Organization Filter API— hackadvisor