CVE-2023-33361: There is a SQL Injection in the "permalinks" function of piwigo · Issue #1910 · Piwigo/Piwigo
Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php.
Before replicating this vulnerability, you need to first create a new album: access the “photos_add” function and choose to create a new album.
Then access the permalinks functionality.
click this
Select the album you just created and use Burp to intercept this request.
You can see the ‘cat_id’ parameter, which is where the SQL injection exists.
We add a single quotation mark to trigger an error in MySQL.
We can also directly try using the sleep() function to trigger a delay.
It is not difficult to find that there is an SQL injection here. Next, we will analyze this problem from the code level.
The vulnerability arises from ‘/admin/permalinks.php’.
In our request, we passed in the “set_permalink” and “cat_id” parameters, and “cat_id” is greater than 0, so we enter this if branch.
Then, because we passed in the ‘permalink’ parameter, we actually enter the inner else branch.
Then we analyze the set_cat_permalink() function (in /admin/include/functions_permalinks.php).
In the end, we find this SQL statement, where ‘$cat_id’ is passed directly into the SQL statement without any filtering. It is precisely this location that causes the SQL injection.
This vulnerability exists in version 13.6.0, and it is uncertain whether this issue exists in earlier versions.
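The analysis above comes down to a "greater than 0" test standing in for input validation before `$cat_id` reaches the query. The following is an added example, not Piwigo's code and not part of the original report: it shows that a loose `> 0` comparison accepts the quoted value used in the report, and a hardened path that validates the id as an integer and binds it as a parameter. The function names, the `categories` table and its columns, and the in-memory SQLite database are assumptions made so the example runs offline (PHP 8 with pdo_sqlite).

```php
<?php
// Added illustration, not Piwigo source. Function, table and column names are assumed.
declare(strict_types=1);

/** Return the id as int only when the raw request value is a positive integer. */
function parse_cat_id(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null; // arrays and other types from the request are rejected
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Hardened update: validate first, then bind values instead of concatenating. */
function set_permalink_safely(PDO $db, mixed $rawCatId, string $permalink): bool
{
    $catId = parse_cat_id($rawCatId);
    if ($catId === null) {
        return false; // rejected before any SQL is built
    }
    $stmt = $db->prepare('UPDATE categories SET permalink = :p WHERE id = :id');
    $stmt->bindValue(':p', $permalink, PDO::PARAM_STR);
    $stmt->bindValue(':id', $catId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Constructed stand-in for the categories table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, permalink TEXT)');
$db->exec('INSERT INTO categories (id) VALUES (1), (2)');

// Constructed request values; "1'" is the single-quote probe from the report.
foreach (['1', "1'", '0', '-3', '2'] as $raw) {
    $loose  = $raw > 0; // true for "1'": a comparison is not validation
    $strict = parse_cat_id($raw) !== null;
    $done   = set_permalink_safely($db, $raw, 'demo-permalink');
    printf(
        "cat_id=%-4s loose>0=%-5s validated=%-5s updated=%s\n",
        var_export($raw, true),
        var_export($loose, true),
        var_export($strict, true),
        var_export($done, true)
    );
}
```

Only `'1'` and `'2'` pass validation and update a row; `"1'"` satisfies the loose comparison but is rejected by `parse_cat_id()` before a statement is prepared.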