Skip to content

[11.5.0]SQL Injection Vulnerability #1470

Closed
@HolaAsuka

Description

The following is the detail about this vulnerability I found in Piwigo 11.5.0:
First, visit URL/admin.php and login, then click Album-Move. On this page, click ORDER on the right side.

1
Then we can see:

2
Select default, use Burpsuite during clicking APPLY.

3
Then in sqlmap:

python sqlmap.py -r post.txt -o --dbms=MySQL
6

See admin\cat_move.php:

8

Here there seems to be no confirmation of the legitimacy of the parameter $_POST[id]. And other parameters are legal so query is done.

Here is the manual injection test:

(Load successfully after sleeping 5 seconds)
4

Thanks for reading!

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions