PoC details: 083a4474edb48a283d3cb106d1e5aa463ca3ec2b

Source
Related vulnerability
Title: phpIPAM SQL injection vulnerability (CVE-2022-23046)
Description: phpIPAM is an open-source IP address management (IPAM) application based on PHP and MySQL. phpIPAM v1.4.4 contains a SQL injection vulnerability: an authenticated admin user can insert SQL statements into the subnet parameter when searching for a subnet via app/admin/routing/edit-bgp-mapping-search.php.
Introduction
# CVE-2022-23046
The original discovery and manual PoC is from [Fluidattacks](https://fluidattacks.com/advisories/mercury/):

PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php.

This PoC executes some easy SQLi to fetch info like:

- Basic Server Info
- SMTP Settings
- Other authentication methods such as AD/LDAP/Radius
- PHPIpam Users and hashes
- MySQL db Users
- Other available schemas

Some of them are accessible through the backend, but I added them here just as an easy way to fetch all the information in a single query. Feel free to add/remove your own payloads.

For more advanced stuff, create your own payloads (in res.payloads), use Burp Suite or use sqlmap.


# Installation

```bash
git clone https://github.com/jcarabantes/CVE-2022-23046.git
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt

python CVE-2022-23046.py -h
```

# This PoC was made using the phpipam docker image below

```yaml
version: '3'

services:
  phpipam-web:
    image: phpipam/phpipam-www:v1.4.3
    ports:
      - "8888:80"
    environment:
      - TZ=Europe/London
      - IPAM_DATABASE_HOST=phpipam-mariadb
      - IPAM_DATABASE_PASS=my_secret_phpipam_pass
      - IPAM_DATABASE_WEBHOST=%
    restart: unless-stopped
    volumes:
      - phpipam-logo:/phpipam/css/images/logo
    depends_on:
      - phpipam-mariadb

  phpipam-cron:
    image: phpipam/phpipam-cron:latest
    ports:
      - "8889:80"
    environment:
      - TZ=Europe/London
      - IPAM_DATABASE_HOST=phpipam-mariadb
      - IPAM_DATABASE_PASS=my_secret_phpipam_pass
      - SCAN_INTERVAL=1h
    restart: unless-stopped
    depends_on:
      - phpipam-mariadb

  phpipam-mariadb:
    image: mariadb:latest
    environment:
      - MYSQL_ROOT_PASSWORD=my_secret_mysql_root_pass
    restart: unless-stopped
    volumes:
      - phpipam-db-data:/var/lib/mysql

volumes:
  phpipam-db-data:
  phpipam-logo:
```

# Quick usage
```bash

python CVE-2022-23046.py -h
  ___  _  _  ____     ___   ___  ___   ___      ___   ___   ___    __    _  
 / __)( \/ )( ___)___(__ \ / _ \(__ \ (__ \ ___(__ \ (__ ) / _ \  /. |  / ) 
( (__  \  /  )__)(___)/ _/( (_) )/ _/  / _/(___)/ _/  (_ \( (_) )(_  _)/ _ \
 \___)  \/  (____)   (____)\___/(____)(____)   (____)(___/ \___/   (_) \___/

                                     Vulnerability discovered by Oscar Uribe
                                                 PoC author: @javicarabantes
usage: CVE-2022-23046.py [-h] [-d] [-q] --url URL --user USER

optional arguments:
  -h, --help   show this help message and exit
  -d           Debug output
  -q           Do not print the banner
  --url URL    phpipam url: https://ipamserver:8081/
  --user USER  admin user


python CVE-2022-23046.py --url http://localhost:8888/ --user admin
```

![example](docs/example.png)


# Additional info
I've been testing this PoC on different phpipam versions (1.4.3, 1.4.4 and 1.5), which worked fine (not only < 1.4.5).
Checking the phpipam GitHub project, I saw that commit 4b764b9cb236d1a4a06fc8ad9a93b306b3f5c04d also affected version 1.5.

Useful file: https://github.com/phpipam/phpipam/blob/master/misc/CHANGELOG

Check whether the CHANGELOG is accessible and contains the note about this fix; otherwise the phpipam server may be vulnerable.

```bash
curl -sk https://phpipamserver/misc/CHANGELOG | grep "edit-bgp-mapping-search.php"
```
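As an added detection-side example (not part of the PoC repository), the following Python flags requests to the vulnerable endpoint whose `subnet` parameter carries SQL metacharacters, run over constructed access-log lines. It assumes the parameter is visible in the logged request line (query string); if phpipam receives it in a POST body, the same check needs a log source that records request bodies.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named in the advisory; its "subnet" parameter is the injection point.
VULN_ENDPOINT = "/app/admin/routing/edit-bgp-mapping-search.php"

# Combined log format (client, timestamp, request line, status); constructed layout.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# A legitimate subnet search value is an IP or CIDR prefix, so SQL metacharacters
# and keywords should never appear in it.
SQLI_RE = re.compile(r"""(['"#;]|--|/\*|\b(union|select|sleep|benchmark|or|and)\b)""", re.I)

# Constructed sample: one benign search, two injection attempts, one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2022:10:00:01 +0000] "GET /app/admin/routing/edit-bgp-mapping-search.php?subnet=10.0.0.0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2022:10:00:09 +0000] "GET /app/admin/routing/edit-bgp-mapping-search.php?subnet=1%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 2048 "-" "python-requests/2.27"
10.0.0.7 - - [10/Jan/2022:10:00:15 +0000] "POST /app/admin/routing/edit-bgp-mapping-search.php?subnet=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1900 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2022:10:01:00 +0000] "GET /index.php?page=subnets HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

def suspicious_subnet(value: str) -> bool:
    """True if a subnet search value carries SQL injection indicators.
    A second unquote catches double-encoded values (%2527 -> %27 -> ')."""
    return SQLI_RE.search(unquote(value)) is not None

def scan_line(line: str):
    """Return a finding for a suspicious request to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(VULN_ENDPOINT):
        return None
    for value in parse_qs(parts.query).get("subnet", []):   # parse_qs already decodes once
        if suspicious_subnet(value):
            return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
                    "subnet": unquote(value), "status": int(m.group("status"))}
    return None

def scan_log(text: str) -> list:
    """Scan a whole log's text and return all findings, in log order."""
    return [f for f in map(scan_line, text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} {finding['method']} subnet={finding['subnet']!r}")
```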
File snapshot

```
[4.0K] /data/pocs/083a4474edb48a283d3cb106d1e5aa463ca3ec2b
├── [3.2K] CVE-2022-23046.py
├── [4.0K] docs
│   └── [ 66K] example.png
├── [3.4K] README.md
├── [ 37] requirements.txt
└── [4.0K] res
    ├── [2.4K] functions.py
    ├── [ 0] __init__.py
    └── [2.1K] payloads.py

2 directories, 7 files
```