CVE-2022-23046 PoC — phpIPAM SQL injection vulnerability

Source
Associated Vulnerability
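Title: phpIPAM SQL injection vulnerability (CVE-2022-23046)
Description: phpIPAM is an open-source IP address management (IPAM) application based on PHP and MySQL. PhpIPAM v1.4.4 contains a SQL injection vulnerability: an authenticated admin user can insert SQL statements into the subnet parameter when searching for a subnet via app/admin/routing/edit bgp mapping search.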
Description
SQL Injection Vulnerability on PhpIPAM v1.4.4
Readme
# CVE-2022-23046

PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php.
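
For defenders, the description above suggests a simple review of requests to that endpoint. The following is an added example, not code from this repository or from phpIPAM: it flags requests whose `subnet` value contains anything other than address characters. The audit-log record shape, the host `ipam.example` and the allow-list itself are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Endpoint and parameter named in the description above.
ENDPOINT = "app/admin/routing/edit-bgp-mapping-search.php"
PARAM = "subnet"

# Assumption: a legitimate search term is an IPv4/IPv6 address, a CIDR, or a
# leading fragment of one. 43 = longest IPv6 text form (39) plus "/128".
_ALLOWED = re.compile(r"[0-9A-Fa-f.:/]{1,43}")


def is_plausible_subnet_term(value: str) -> bool:
    """Allow-list check: rejects quotes, spaces and other non-address characters."""
    if not _ALLOWED.fullmatch(value):
        return False
    if "/" in value:
        try:  # anything carrying a prefix length must parse as a real CIDR
            ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False
    return True


def flag_requests(records):
    """Return records that hit ENDPOINT with a subnet value failing the check."""
    flagged = []
    for rec in records:
        if not urlsplit(rec["url"]).path.endswith("/" + ENDPOINT):
            continue
        value = rec.get("params", {}).get(PARAM)
        if value is not None and not is_plausible_subnet_term(value):
            flagged.append(rec)
    return flagged


# Constructed sample records in a hypothetical audit-log shape.
BASE = "http://ipam.example/"
SAMPLE = [
    {"user": "admin", "url": BASE + ENDPOINT, "params": {"subnet": "10.0.0"}},
    {"user": "admin", "url": BASE + ENDPOINT, "params": {"subnet": "192.168.1.0/24"}},
    {"user": "admin", "url": BASE + ENDPOINT, "params": {"subnet": "10.0.0' -- x"}},
    {"user": "admin", "url": BASE + "index.php", "params": {"subnet": "x'"}},
]

if __name__ == "__main__":
    for rec in flag_requests(SAMPLE):
        print("suspicious subnet value:", rec["user"], repr(rec["params"][PARAM]))
```

The same allow-list can be applied server-side before the value reaches the query, alongside a parameterized statement.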

# Installation

1. Build 
```bash
git clone https://github.com/dnr6419/CVE-2022-23046.git
cd CVE-2022-23046 && docker-compose up -d 
pip3 install -r requirements.txt   # or: pip install -r requirements.txt
python3 CVE-2022-23046.py -h       # or: python CVE-2022-23046.py -h
```
2. Setup
  2-1. Go to http://[YOUR_IP] and choose [New phpipam installation].<br>
  <img src="https://user-images.githubusercontent.com/43310843/153968318-0a3b46e9-f1d6-4e90-9f62-0bd02314d999.png" width="70%" height="20%">
  2-2. Choose [Automatic database installation]. <br>
  2-3. The MySQL username and password are "root"/"my_secret_mysql_root_pass".<br> 
  <img src="https://user-images.githubusercontent.com/43310843/153968762-a36f7260-e408-455e-a575-08b92458139d.png" width="70%" height="20%">
  2-4. Set the password and log in to check that the installation is complete.<br>
  <img src="https://user-images.githubusercontent.com/43310843/153968865-ddbfc133-d695-4a91-8754-d1882b31b869.png" width="70%" height="20%">  

# Exploit

```bash
  python3 CVE-2022-23046.py --url http://localhost --user admin
  # enter your password when prompted
```
<img src="https://user-images.githubusercontent.com/43310843/153969081-fc1ac148-f827-4003-b477-103e5b0f78ac.png" width="70%" height="20%">

# Reference
 https://github.com/jcarabantes/CVE-2022-23046.git<br>
 https://hub.docker.com/r/phpipam/phpipam-www
File Snapshot

[4.0K] /data/pocs/3176cff65a666363b4bf263b7f33cc63be6d0129
├── [3.2K] CVE-2022-23046.py
├── [ 953] docker-compose.yml
├── [1.5K] README.md
├── [ 37] requirements.txt
└── [4.0K] res
    ├── [2.4K] functions.py
    ├── [ 0] __init__.py
    ├── [2.1K] payloads.py
    └── [4.0K] __pycache__
        ├── [2.4K] functions.cpython-39.pyc
        ├── [ 149] __init__.cpython-39.pyc
        └── [1.8K] payloads.cpython-39.pyc

2 directories, 10 files