Piwigo has a command execution vulnerability in the admin backend

Command injection vulnerability trigger point

image-20210828215332817

Log in to the admin backend as admin

image-20210828215510232

Click Settings to reach this page

image-20210828215545287

Enter the following in it

image-20210828215622977

<?phpvar_dump(1);}if(1){system('calc');?>

image-20210828215714527

Next, set a breakpoint and single-step through the code in a debugger

image-20210828215744709

You will find that this statement is executed here

image-20210828215801888

Code analysis

image-20210828220311898

text is passed into $content_file without filtering and then passed into the function

image-20210828220404762

The incoming code is concatenated here, which results in code execution
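
An added example, not Piwigo's code or the author's: a way to check submitted PHP text for syntax errors by parsing it only, so that nothing is concatenated into a string and evaluated. It assumes the concatenation described above exists to validate the text (the page shows that code only in screenshots); `syntax_ok` and the sample strings are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; syntax_ok() is a hypothetical name, not a Piwigo function.

/**
 * Check submitted PHP text for syntax errors without running it.
 * token_get_all() with TOKEN_PARSE runs the parser only and throws
 * ParseError on invalid code; no statement in $text is executed.
 */
function syntax_ok(string $text): bool
{
    // Drop PHP tags the user may have typed, then parse the text as one file.
    $body = str_replace(['<?php', '?>'], '', $text);
    try {
        token_get_all("<?php\n" . $body, TOKEN_PARSE);
        return true;
    } catch (ParseError $e) {
        return false;
    }
}

// Constructed sample inputs (not taken from the page).
$samples = [
    // An ordinary setting line.
    "\$conf['example_setting'] = 'Demo';",
    // Text that closes a brace it never opened. With no wrapper around the
    // text, the stray "}" is simply a parse error.
    "\$GLOBALS['ran'] = 1;}if(1){\$GLOBALS['ran'] = 2;",
    // A plain syntax error.
    "\$conf['example_setting'] = ;",
];

foreach ($samples as $sample) {
    printf("%-8s %s\n", syntax_ok($sample) ? 'accept' : 'reject', $sample);
}

// Reports whether any sample statement was executed during the checks.
var_dump(isset($GLOBALS['ran']));
```

A parse-only check removes execution at validation time; text that is saved and later included as PHP still runs with the application's privileges, so access to the editor page needs to stay restricted.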