Piwigo 2.5.2 - Cross-Site Scripting

Vulnerability ID: 1065215    Vulnerability type: (not specified)
Published: 2013-09-26    Updated: 2013-09-26
CVE number: N/A    CNNVD-ID: N/A
Platform: PHP    CVSS score: N/A
|Vulnerability source
https://www.exploit-db.com/exploits/28560
|Vulnerability details
Vulnerability details have not been disclosed.
|Vulnerability EXP
#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
#
# Exploit Title: Piwigo 2.5.2 <= Cross Site Scripting
# Date: 2013 26 September
# Author: Arsan
# Software Homepage: http://www.piwigo.org
# Version : 2.5.2
# Tested on: Linux & Windows
# Category: webapps
# Google Dork: intext:"Powered by Piwigo"
#
#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
#
# [+] Exploit :
#
# [-] About Piwigo :
#
# Host and share your photos with Piwigo
# Piwigo is photo gallery software for the web, built by an active community of users and developers.
# Extensions make Piwigo easily customizable. Icing on the cake, Piwigo is free and opensource.
# Browse the demo (http://www.piwigo.org/demo) to discover Piwigo features on gallery side and change graphical theme on the fly.
#
#     [-] Description :
#
#         1) Download "Piwigo" And Install.
#         2) Create New Album ( Photos > Add > create a new album ) ~> Follow this link :
#            http://localhost/piwigo/admin.php?page=photos_add
#         3) Insert A photo In Your Album And Save It.
#         4) And Go To Photo Edit; Follow This Way :
#            Photos > Batch Manager > single mode
#            http://localhost/piwigo/admin.php?page=batch_manager&mode=unit
#         5) Now Insert This Code In "Title","Author","Tags","Description" :
#            "><script>alert(/Arsan/)</script>
#         6) Try To See Your Photo In Gallery;
#            http://localhost/cms/piwigo/picture.php?/[Number Photo]/category/[Number Album]
#         :) You See Alert "Arsan" . Enjoy ;)
#
#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
#
# [+] Demo :
#
# http://www.piwigo.org/demo
#
#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
#
# [+] Contact Me :
#
#     Arsan.Blackhat@gmail.com
#     Twitter.com/ArsanBlackhat
# 
#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
# I L0ve Inj3ct0r Team
#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
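The advisory above describes a stored cross-site scripting issue: photo metadata (title, author, tags, description) entered through the admin batch manager is later rendered into the gallery page without being encoded, so the string is interpreted as markup. The fix on the defender's side is contextual output encoding at render time. The following is an added example, not Piwigo's own code or a patch from the project; the `render_picture` function and the shape of the `$photo` array are assumptions made for illustration, and the sample record is constructed here using the payload string quoted in the advisory.

```php
<?php
// Added example (not Piwigo code): encode user-controlled photo metadata
// before inserting it into HTML, so that a stored string like the one in the
// advisory is displayed literally instead of being parsed as a <script> tag.

declare(strict_types=1);

/**
 * Escape a string for an HTML text node or a double-quoted attribute value.
 * ENT_QUOTES encodes both quote styles (needed for the attribute context),
 * ENT_SUBSTITUTE replaces malformed UTF-8 instead of returning an empty
 * string, and the explicit charset avoids depending on php.ini defaults.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render a picture header the way a gallery template might. Field names
 * mirror the ones the advisory lists; the array layout is an assumption.
 * Every user-controlled value passes through html_escape() exactly once,
 * at the point where it enters the HTML.
 */
function render_picture(array $photo): string
{
    $tags = array_map('html_escape', $photo['tags']);
    return '<h2 class="title">' . html_escape($photo['title']) . "</h2>\n"
         . '<p class="author" title="' . html_escape($photo['author']) . '">'
         . html_escape($photo['author']) . "</p>\n"
         . '<ul class="tags"><li>' . implode('</li><li>', $tags) . "</li></ul>\n"
         . '<div class="description">' . html_escape($photo['description']) . "</div>\n";
}

/**
 * Defensive check usable in a unit test: the rendered page must contain no
 * raw "<script" sequence, and the quote that the payload uses to break out
 * of an attribute must have become &quot;.
 */
function is_safely_encoded(string $html): bool
{
    return stripos($html, '<script') === false
        && strpos($html, '&quot;&gt;&lt;script&gt;') !== false;
}

// Constructed sample record carrying the advisory's payload in every field.
$payload = '"><script>alert(/Arsan/)</script>';
$photo = [
    'title'       => $payload,
    'author'      => $payload,
    'tags'        => [$payload, 'holiday'],
    'description' => $payload,
];

$html = render_picture($photo);
echo $html;
// Expected: each field appears as &quot;&gt;&lt;script&gt;alert(/Arsan/)&lt;/script&gt;
echo is_safely_encoded($html) ? "encoded OK\n" : "UNENCODED OUTPUT\n";
```

`htmlspecialchars()` is the right tool only for HTML text and quoted attribute values; a value placed inside a JavaScript string, a URL, or CSS needs the encoder for that context instead. Encoding at output rather than stripping tags on input also keeps legitimate titles containing `<` or `&` intact, and it is easier to audit: every template variable either goes through the escape function or is a known bug.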