SQL Injection Vulnerability on PhpIPAM v1.4.4

Feb 16, 2022 1 min read

CVE-2022-23046

PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the “subnet” parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php.

Installation

Build

git clone https://github.com/dnr6419/CVE-2022-23046.git
cd CVE-2022-23046 && docker-compose up -d 
pip3(or pip) install -r requirements.txt
python3(or python) CVE-2022-23046.py -h

Setup
2-1. Go to the http://[YOUR_IP] and Choose [New phpipam installation].

2-2. Choose [Automatic database installation].
2-3. MySQL username & Password is “root”/”my_secret_mysql_root_pass”.

2-4. Setting the Password and Login to check the installation is complete.

Exploit

  python3 CVE-2022-23046.py --url http://localhost --user admin
  # and input your password

Reference

https://github.com/jcarabantes/CVE-2022-23046.git
https://hub.docker.com/r/phpipam/phpipam-www

GitHub

View Github

John was the first writer to have joined pythonawesome.com. He has since then inculcated very effective writing and reviewing culture at pythonawesome which rivals have found impossible to imitate.

SQL Injection Vulnerability on PhpIPAM v1.4.4

CVE-2022-23046

Installation

Exploit

Reference

GitHub

John

Udacity api reporting pipeline

This module can colorize any text in your terminal

CVE-2022-23046

Installation

Exploit

Reference

GitHub

Udacity api reporting pipeline

This module can colorize any text in your terminal

You might also like...