Home > Operation and Maintenance > Safety > What are the five sql injections of piwigo v2.9.5?

What are the five sql injections of piwigo v2.9.5?

PHPz
Release: 2023-05-15 20:55:10
forward
994 people have browsed it

0x0 Project introduction

Project address: https://github.com/Piwigo/Piwigo

Project introduction: piwigo is an open source photo studio for the Internet software. Designed for organizations, teams and individuals to manage your photo library.

Official website address: piwigo.org

0x1 Preparation

Download under Linux https://github.com/Piwigo/Piwigo/archive/ 2.9.5.zip Unzip, empower, enter the directory and use docker to install:

docker run -d --name piwigo_mysql -e MYSQL_DATABASE=piwigo -e MYSQL_ROOT_PASSWORD=123456 mysql:5.7
docker run -d -p 3000:80 -v $(pwd)/:/var/www/html/ --link piwigo_mysql:mysql --name piwigo nimmis/apache-php5
Copy after login

You will see the startup interface

0x2 Audit

Injection of the selection and parent parameters in admin/group_perm.php:

The selection value is entered into the move_categories function without verification

piwigo v2.9.5的5个sql注入分别是怎样的

Tracing the move_categories function, you can see that the function decomposes the value and directly connects it to the sql statement

piwigo v2.9.5的5个sql注入分别是怎样的

The vulnerability can be found after testing

piwigo v2.9.5的5个sql注入分别是怎样的piwigo v2.9.5的5个sql注入分别是怎样的

Second sql injection of the group_selection parameter in admin/group_list.php:

You can see in the picture that the group_selection value is put into $groups In the code, the selectAction value is put into $action

piwigo v2.9.5的5个sql注入分别是怎样的

$action in the code corresponds to multiple actions, but in multiple actions $group is directly bonded to sql In the statement, here I will take a look at the delete method:

piwigo v2.9.5的5个sql注入分别是怎样的

It is very intuitive to see that it is put into the sql statement. Try it

piwigo v2.9.5的5个sql注入分别是怎样的

Three sql injections where the cat_false parameter exists in admin/user_perm.php:

You can see in the picture that cat_false is put into the function,

piwigo v2.9.5的5个sql注入分别是怎样的

We track this function and find the function in admin/include/functions.php. The $cat_false value changes to $category. After judging whether it is an array and judging the quantity, it is put into the get_uppercat_ids function for processing. ,

piwigo v2.9.5的5个sql注入分别是怎样的

Continue to track the get_uppercat_ids function. The above-mentioned vulnerable parameter becomes $cat_ids. You can see in the figure that $cat_ids is put into the sql statement after simple judgment and the query starts. ,

piwigo v2.9.5的5个sql注入分别是怎样的

This kind of vulnerable function has many jumps, and there is no obvious place to see the echo. This situation is particularly suitable for time injection. We use

1 and if(ascii(substr(database(),1,1))>97,1,sleep(5)) Verification can find the delay in opening the web page, proving that the vulnerability exists. Use sqlmap to run A wave of

piwigo v2.9.5的5个sql注入分别是怎样的

piwigo v2.9.5的5个sql注入分别是怎样的

Four sql vulnerabilities in admin/group_perm.php:

This The vulnerability is the same as the above three admin/user_perm.php vulnerabilities. The same function is called. The only difference is the user and group. Look at the entry picture to understand:

piwigo v2.9.5的5个sql注入分别是怎样的

sqlmap run Let’s look at the injection of the filter_category parameter in admin/batch_manager.php:

Let’s look at the specific code:

piwigo v2.9.5的5个sql注入分别是怎样的When the 'filter_category_use' key exists in the post package, set the 'filter_category' value to xx['category']

piwigo v2.9.5的5个sql注入分别是怎样的

Go down and find xx[' Where category'] is called, you can see that the value is directly placed in the sql statement without being filtered.

It should be noted that this request link is not found in the web page and needs to be manually added to the post package filter_category_use=on&filter_category=1

piwigo v2.9.5的5个sql注入分别是怎样的

sqlmap Run

piwigo v2.9.5的5个sql注入分别是怎样的

piwigo v2.9.5的5个sql注入分别是怎样的

The above is the detailed content of What are the five sql injections of piwigo v2.9.5?. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:yisu.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template