Incorrect Permissions in album ID
The public / private tags
"private" means that the administrator does not want others to know about the album.
But there is a way to find out which albums are hidden, and what the private albums' permalinks are.
By creating an album you can see that album IDs follow a predictable sequence,
so the album ID can be brute-forced:
```http
GET /piwigo/index.php?/category/757 HTTP/1.1
Host: www.test.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Referer: http://www.test.com/piwigo/index.php?/category/c1c12
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: pwg_display_thumbnail=display_thumbnail_classic; pwg_id=513v9ik9uahikec64vu4api2o5
Connection: close
```
- [√] A response with status 200 means that this album is accessible.
- [√] A response with status 301 means that you don't have the privilege to access it.
Based on the brute-force result, you can learn the hidden album IDs.
If a hidden album has permalinks set, requesting the album ID returns the permalinks in the response.
Now it is time to republish it.
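As an added detection-side example (not code from the report or from Piwigo), the access-log check a site owner can run to spot the album-ID walk described above: it parses constructed combined-format log lines and flags clients that request many distinct `index.php?/category/<id>` pages and mostly receive the 301 answer. The sample IPs, log lines and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed combined-format access-log lines (not from the report): one client walks
# consecutive album IDs and is mostly answered with 301, another browses two albums normally.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2017:10:00:01 +0000] "GET /piwigo/index.php?/category/755 HTTP/1.1" 301 0
203.0.113.5 - - [10/Oct/2017:10:00:02 +0000] "GET /piwigo/index.php?/category/756 HTTP/1.1" 301 0
203.0.113.5 - - [10/Oct/2017:10:00:02 +0000] "GET /piwigo/index.php?/category/757 HTTP/1.1" 200 8123
203.0.113.5 - - [10/Oct/2017:10:00:03 +0000] "GET /piwigo/index.php?/category/758 HTTP/1.1" 301 0
203.0.113.5 - - [10/Oct/2017:10:00:03 +0000] "GET /piwigo/index.php?/category/759 HTTP/1.1" 301 0
203.0.113.5 - - [10/Oct/2017:10:00:04 +0000] "GET /piwigo/index.php?/category/760 HTTP/1.1" 301 0
198.51.100.7 - - [10/Oct/2017:10:01:00 +0000] "GET /piwigo/index.php?/category/12 HTTP/1.1" 200 9001
198.51.100.7 - - [10/Oct/2017:10:01:05 +0000] "GET /piwigo/index.php?/category/13 HTTP/1.1" 200 7350
"""

# Combined log format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Piwigo album page as requested in the report: index.php?/category/<id>
CATEGORY_RE = re.compile(r'/index\.php\?/category/(\d+)$')


def parse_category_hits(log_text):
    """Yield (client_ip, album_id, status) for each request to an album page."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        cat = CATEGORY_RE.search(m.group('path'))
        if cat:
            yield m.group('ip'), int(cat.group(1)), int(m.group('status'))


def find_enumerators(log_text, min_ids=5, min_denied_ratio=0.6):
    """Return {ip: (distinct_album_ids, denied_requests)} for clients that request many
    distinct IDs and are mostly answered 301 (the 'no privilege' status in the report)."""
    per_ip = defaultdict(lambda: {'ids': set(), 'denied': 0, 'total': 0})
    for ip, album_id, status in parse_category_hits(log_text):
        stats = per_ip[ip]
        stats['ids'].add(album_id)
        stats['total'] += 1
        if status == 301:
            stats['denied'] += 1
    return {
        ip: (len(s['ids']), s['denied'])
        for ip, s in per_ip.items()
        if len(s['ids']) >= min_ids and s['denied'] / s['total'] >= min_denied_ratio
    }
```

Feeding the real access log through `find_enumerators` gives the client addresses worth rate-limiting or investigating; the thresholds should be tuned to the gallery's normal traffic.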
Cross-Site Request Forgery in the permalinks page, and in status, visible and comments in the cat_options page.
Proof-of-Concept
Version: 2.9.1
There is no pwg_token (Piwigo's anti-CSRF token) in the request.
So
Original packet:
References: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Discovered by: topsec (Li Zhiqiang)