From 094bfcace993c612d153fea0311a9e675cadfeaa Mon Sep 17 00:00:00 2001 From: Justin Applegate <70449145+Legoclones@users.noreply.github.com> Date: Tue, 30 Jan 2024 21:52:51 -0500 Subject: [PATCH 1/4] Create django.md Added cache manipulation --- network-services-pentesting/pentesting-web/django.md | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 network-services-pentesting/pentesting-web/django.md diff --git a/network-services-pentesting/pentesting-web/django.md b/network-services-pentesting/pentesting-web/django.md new file mode 100644 index 00000000000..2c600316342 --- /dev/null +++ b/network-services-pentesting/pentesting-web/django.md 
@@ -0,0 +1,8 @@ +# Django + +## Cache Manipulation to RCE +Django's default cache storage method is [Python pickles](https://docs.python.org/3/library/pickle.html), which can lead to RCE if [untrusted input is unpickled](https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_Slides.pdf). **If an attacker can gain write access to the cache, they can escalate this vulnerability to RCE on the underlying server**. + +Django cache is stored in one of four places: [Redis](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/redis.py#L12), [memory](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/locmem.py#L16), [files](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/filebased.py#L16), or a [database](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/db.py#L95). Cache stored in a Redis server or database are the most likely attack vectors (Redis injection and SQL injection), but an attacker may also be able to use file-based cache to turn an arbitrary write into RCE. Maintainers have marked this as a [non-issue](https://github.com/pallets-eco/flask-caching/pull/209). It's important to note that the cache file folder, SQL table name, and Redis server details will vary based on implementation. + +This HackerOne report provides a great, reproducible example of exploiting Django cache stored in a SQLite database: https://hackerone.com/reports/1415436 From d8a6d00b9d39942adb7355ccd54d7050577798c0 Mon Sep 17 00:00:00 2001 From: Justin Applegate <70449145+Legoclones@users.noreply.github.com> Date: Tue, 30 Jan 2024 22:00:55 -0500 Subject: [PATCH 2/4] Adding CVE number for Django cache manipulation --- network-services-pentesting/pentesting-web/django.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/network-services-pentesting/pentesting-web/django.md b/network-services-pentesting/pentesting-web/django.md index 2c600316342..3ff38c24131 100644 --- a/network-services-pentesting/pentesting-web/django.md +++ b/network-services-pentesting/pentesting-web/django.md @@ -1,6 +1,6 @@ # Django -## Cache Manipulation to RCE +## CVE-2021-33026 - Cache Manipulation to RCE Django's default cache storage method is [Python pickles](https://docs.python.org/3/library/pickle.html), which can lead to RCE if [untrusted input is unpickled](https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_Slides.pdf). **If an attacker can gain write access to the cache, they can escalate this vulnerability to RCE on the underlying server**. Django cache is stored in one of four places: [Redis](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/redis.py#L12), [memory](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/locmem.py#L16), [files](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/filebased.py#L16), or a [database](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/db.py#L95). Cache stored in a Redis server or database are the most likely attack vectors (Redis injection and SQL injection), but an attacker may also be able to use file-based cache to turn an arbitrary write into RCE. Maintainers have marked this as a [non-issue](https://github.com/pallets-eco/flask-caching/pull/209). It's important to note that the cache file folder, SQL table name, and Redis server details will vary based on implementation. From 8ebee8912b153317dea08d35fdb5960bb5ce1460 Mon Sep 17 00:00:00 2001 
From: Justin Applegate <70449145+Legoclones@users.noreply.github.com> Date: Tue, 30 Jan 2024 22:05:13 -0500 Subject: [PATCH 3/4] Mixing up Django and Flask --- network-services-pentesting/pentesting-web/django.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/network-services-pentesting/pentesting-web/django.md b/network-services-pentesting/pentesting-web/django.md index 3ff38c24131..bb54398da92 100644 --- a/network-services-pentesting/pentesting-web/django.md +++ b/network-services-pentesting/pentesting-web/django.md 
@@ -1,8 +1,10 @@ # Django -## CVE-2021-33026 - Cache Manipulation to RCE +## Cache Manipulation to RCE Django's default cache storage method is [Python pickles](https://docs.python.org/3/library/pickle.html), which can lead to RCE if [untrusted input is unpickled](https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_Slides.pdf). **If an attacker can gain write access to the cache, they can escalate this vulnerability to RCE on the underlying server**. -Django cache is stored in one of four places: [Redis](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/redis.py#L12), [memory](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/locmem.py#L16), [files](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/filebased.py#L16), or a [database](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/db.py#L95). Cache stored in a Redis server or database are the most likely attack vectors (Redis injection and SQL injection), but an attacker may also be able to use file-based cache to turn an arbitrary write into RCE. Maintainers have marked this as a [non-issue](https://github.com/pallets-eco/flask-caching/pull/209). It's important to note that the cache file folder, SQL table name, and Redis server details will vary based on implementation. 
+Django cache is stored in one of four places: [Redis](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/redis.py#L12), [memory](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/locmem.py#L16), [files](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/filebased.py#L16), or a [database](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/db.py#L95). Cache stored in a Redis server or database are the most likely attack vectors (Redis injection and SQL injection), but an attacker may also be able to use file-based cache to turn an arbitrary write into RCE. Maintainers have marked this as a non-issue. It's important to note that the cache file folder, SQL table name, and Redis server details will vary based on implementation. This HackerOne report provides a great, reproducible example of exploiting Django cache stored in a SQLite database: https://hackerone.com/reports/1415436 + +*Note that this same issue exists in the `flask-caching` extension for Flask sites* From 09b618c00ec61256ece9adc68002529fae8c942f Mon Sep 17 00:00:00 2001 From: Justin Applegate <70449145+Legoclones@users.noreply.github.com> Date: Tue, 30 Jan 2024 22:15:31 -0500 Subject: [PATCH 4/4] Flask extension isn't vulnerable anymore actually --- network-services-pentesting/pentesting-web/django.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/network-services-pentesting/pentesting-web/django.md b/network-services-pentesting/pentesting-web/django.md index bb54398da92..2028f616696 100644 --- a/network-services-pentesting/pentesting-web/django.md +++ b/network-services-pentesting/pentesting-web/django.md 
@@ -6,5 +6,3 @@ Django's default cache storage method is [Python pickles](https://docs.python.or Django cache is stored in one of four places: [Redis](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/redis.py#L12), [memory](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/locmem.py#L16), [files](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/filebased.py#L16), or a [database](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/db.py#L95). Cache stored in a Redis server or database are the most likely attack vectors (Redis injection and SQL injection), but an attacker may also be able to use file-based cache to turn an arbitrary write into RCE. Maintainers have marked this as a non-issue. It's important to note that the cache file folder, SQL table name, and Redis server details will vary based on implementation. This HackerOne report provides a great, reproducible example of exploiting Django cache stored in a SQLite database: https://hackerone.com/reports/1415436 - -*Note that this same issue exists in the `flask-caching` extension for Flask sites*
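Review bot: in PATCH 1/4, the sentence "Maintainers have marked this as a non-issue" links to a pull request in pallets-eco/flask-caching (#209) inside a paragraph that is entirely about Django's cache backends, so the citation does not support a statement about Django; either name the project whose maintainers made that decision or move the sentence to a Flask-specific note. Same hunk, grammar: "Cache stored in a Redis server or database are the most likely attack vectors" should read "Caches stored in a Redis server or a database are the most likely attack vectors". The paragraph would also help readers assessing risk if it spelled out the hardening consequence of its own claim that write access to the cache becomes RCE: the cache store has to be protected like code (authenticated Redis not reachable from untrusted networks, restrictive permissions on the file-based cache directory, parameterized queries in front of the database backend).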
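Review bot: in PATCH 2/4, retitling the section "CVE-2021-33026 - Cache Manipulation to RCE" attaches a CVE to Django that nothing in the series ties to Django: the only maintainer decision cited in the paragraph is the flask-caching pull request, and PATCH 3/4 ("Mixing up Django and Flask") reverts the heading for exactly that reason. A CVE belongs in the heading only together with a link to its advisory showing it is filed against the component the section describes; otherwise keep the generic title.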
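Review bot: in PATCH 3/4, dropping the link from "Maintainers have marked this as a non-issue" leaves the sentence unsourced and ambiguous about which maintainers are meant (Django's or flask-caching's); keep the citation or restate the claim with its source. The added italic note that "this same issue exists in the `flask-caching` extension" likewise asserts a third-party package is vulnerable with no reference to an advisory or fix, and PATCH 4/4 withdraws it; a vulnerability claim about another project needs a link a reader can verify.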
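Review bot: in PATCH 4/4, removing the flask-caching note matches the subject line, but it leaves "Maintainers have marked this as a non-issue" behind with no project named and no link, and the only maintainer decision this series ever cited was the flask-caching pull request that this patch now treats as moot. Either delete that sentence or rewrite it with a citation to Django's own position on cache serialization, so readers do not conclude that Django has dismissed the risk the section describes.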