Headline
CVE-2021-40317: [11.5.0]SQL Injection Vulnerability · Issue #1470 · Piwigo/Piwigo
Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter.
The following is the detail about this vulnerability I found in Piwigo 11.5.0:
First, visit URL/admin.php and log in, then click Album-Move. On this page, click ORDER on the right side.
Then we can see:
Select default, and use Burp Suite while clicking APPLY.
Then in sqlmap:
python sqlmap.py -r post.txt -o --dbms=MySQL
See admin\cat_move.php:
Here there seems to be no check on the legitimacy of the parameter $_POST[id]. The other parameters are legal, so the query is executed.
Here is the manual injection test:
(Load successfully after sleeping 5 seconds)
Thanks for reading!
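One way to close the kind of gap reported above, as an added example (not Piwigo's code and not the project's actual fix): validate the id as an integer, then pass it to the query as a bound parameter. The `albums` table, its columns and both function names are hypothetical, and an in-memory SQLite database stands in for MySQL.

```php
<?php
// Added example, not Piwigo code. Table, column and function names are hypothetical.
declare(strict_types=1);

// Accept only a canonical non-negative decimal integer given as a string;
// reject trailing text, signs, hex notation, arrays and everything else.
function parse_album_id($raw): int
{
    if (!is_string($raw) || preg_match('/\A(0|[1-9][0-9]{0,8})\z/', $raw) !== 1) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    return (int) $raw;
}

function child_album_ids(PDO $db, $rawId): array
{
    $id = parse_album_id($rawId);
    // The value travels as a bound parameter, never as part of the SQL text.
    $stmt = $db->prepare('SELECT id FROM albums WHERE parent_id = :id ORDER BY id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed demo data in an in-memory SQLite database (stand-in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE albums (id INTEGER PRIMARY KEY, parent_id INTEGER)');
$db->exec('INSERT INTO albums VALUES (1, NULL), (2, 1), (3, 1), (4, 2)');

// Constructed inputs standing in for $_POST['id'].
foreach (['1', '2', '2 -- appended text', '-1', ['1']] as $input) {
    try {
        $ids = child_album_ids($db, $input);
        printf("%s => [%s]\n", json_encode($input), implode(', ', $ids));
    } catch (InvalidArgumentException $e) {
        printf("%s => rejected: %s\n", json_encode($input), $e->getMessage());
    }
}
```

Either control alone would block the injection; applying both keeps the query safe if the validation is later loosened or the parameter is reused elsewhere.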