Django
Django is a python framework to create and deploy websites.
$ django-admin startproject <project_name>
$ python3 manage.py migrate # apply configuration
$ python3 manage.py runserver
$ python3 manage.py runserver 0.0.0.0:8080
$ python3 manage.py startapp <app_name>
The default admin page is at URI: /admin
.
You will usually edit urls.py
to add a route which is a path
, a function
, and optionally a name. For instance:
from django.http import HttpResponse
def index(request):
return HttpResponse("Hello, World!")
from django.shortcuts import render
def index(request):
return render(request, 'index.html')
If you're using HTML, then you can use template injection: {% ... %}
. Refer to the documentation, there are multiple instructions possible.
Django Pentester Notes β οΈ
Django Enumeration
-
Check if there is a
/admin
or a/media
endpoint -
Check for Python Headers (
WSGIServer
,CPython
) -
If
DEBUG
mode is enabled, error 404 will expose the endpoints -
If
DEBUG
mode is enabled, error 500 will expose a lot of information. It can be triggered sometimes by omitting parameters, or using invalid parameters such as an invalid format or type.
Python Version - may help to customize payloads
Django Version - may help tunning attacks
HOSTNAME - may help to customize payloads
Server time - may help to customize payloads
ALLOWED_HOSTS - List of domains allowed along with localhost.
LOGIN_URL - if you didn't know the URL ; may not be correct
DBMS Section - Type of DBMS and configuration
ANY_PATH - may expose usernames such as in /home/toto/myapp/
You can examine variables and the code in the traceback section too.
Django FootHold
Django hashes have the format pbkdf2_sha256$iter$salt$hash
. They can be cracked with hashcat and maybe john too.
$ hashcat -m 10000 hash /usr/share/wordlists/rockyou.txt
$ john --format="django" [...] # didn't work