Shulou(Shulou.com)05/31 Report--

Piwigo v2.9.5 of the five sql injection is how, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain in detail for you, people with this need can come to learn, I hope you can gain something.

Introduction of 0x0 Project

Project address: https://github.com/Piwigo/Piwigo

Project description: piwigo is an open source photo studio software for the network. Designed for organizations, teams and individuals to manage your photo library.

Official website address: piwigo.org

0x1 preparation work

Download https://github.com/Piwigo/Piwigo/archive/2.9.5.zip under Linux, decompress and empower it, and install it using docker after entering the directory:

Docker run-d-name piwigo_mysql-e MYSQL_DATABASE=piwigo-e MYSQL_ROOT_PASSWORD=123456 mysql:5.7docker run-d-p 3000 MYSQL_ROOT_PASSWORD=123456 mysql:5.7docker run 80-v $(pwd) /: / var/www/html/-- link piwigo_mysql:mysql-- name piwigo nimmis/apache-php5

You can see the startup interface.

0x2 audit

Injection of selection and parent parameters in admin/group_perm.php:

The selection value is entered into the move_categories function without verification

Tracking the move_categories function can see that the function decomposes the value and connects it directly to the sql statement.

The vulnerability can be found under the test.

Second, sql injection with group_selection parameter in admin/group_list.php:

In the figure, you can see that the group_ option value is put into $groups, and the selectAction value is put into $action.

In the code, $action corresponds to multiple actions, but in multiple actions, $group is directly glued into the sql statement. Let me take a look at the delete method here:

It is very intuitive to see that it has been put into the sql statement. Try it out.

3. Sql injection with cat_false parameter in admin/user_perm.php:

In the figure, you can see that cat_false is put into the function

We trace this function and find the function in admin/include/functions.php. The value of $cat_ false becomes $category. After judging whether it is an array or not, it is put into the get_uppercat_ids function.

Continue to trace the get_uppercat_ids function, and the above vulnerable parameter is changed to $cat_ids. In the figure, you can see that the $cat_ids is simply judged to be put into the sql statement and starts the query.

This kind of vulnerability function jumps a lot, and there is no obvious place to see the echo, this situation is especially suitable for time injection, we use

1 and if (ascii (substr (database (), 1Magne1)) > 97 substr (1) sleep (5) Verification can find the web page opening time delay, prove the existence of vulnerabilities, and use sqlmap to run a wave.

4 sql vulnerabilities in admin/group_perm.php:

This vulnerability is the same as the above three admin/user_perm.php vulnerabilities. The same function is called, but there is a difference between the user and the group. Take a look at the entry chart.

Sqlmap, run.

Fifth, the injection of filter_category parameter in admin/batch_manager.php: let's look at the specific code:

Give the 'filter_category' value to xx [' category'] when there is a 'filter_category_use' key in the post package

Go down and find where xx ['category'] is called, and you can see that the value is put into the sql statement without being filtered.

It should be noted that the request link was not found in the web page, so you need to manually add filter_category_use=on&filter_category=1 to the post package.

Sqlmap, run.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.