Closed
Description
The following is the detail about this vulnerability I found in Piwigo 11.5.0:
First, visit URL/admin.php and login, then click Album-Move. On this page, click ORDER on the right side.

Select default, use Burpsuite during clicking APPLY.
python sqlmap.py -r post.txt -o --dbms=MySQL

See admin\cat_move.php:
Here there seems to be no confirmation of the legitimacy of the parameter $_POST[id]. And other parameters are legal so query is done.
Here is the manual injection test:
(Load successfully after sleeping 5 seconds)

Thanks for reading!
Metadata
Assignees
Labels
No labels


