
Introduction

This long-read blog post analyzes a recently discovered SQL Injection vulnerability in the popular open-source IP address management application, PhpIPAM (v1.4.4). Designated as CVE-2022-23046, the vulnerability enables an authenticated admin user to inject SQL statements into the "subnet" search function. This post will explain the exploit in detail and include code snippets for both the vulnerable application code and potential attack payloads.

Background

PhpIPAM (PHP IP Address Management) is an open-source IPAM solution that provides a web-based platform for efficient management of IP addresses and networks. With this application, administrators can easily track IP assignments, perform subnetting operations, and manage devices in their network.

Version 1.4.4 of PhpIPAM has a known vulnerability that is exploitable by an authenticated admin user. The attack vector in question lies in the "subnet" search functionality within the app/admin/routing/edit-bgp-mapping-search.php file.

The Vulnerability

The vulnerability (CVE-2022-23046) arises from the lack of proper input validation and sanitization in the "subnet" parameter. This can lead to SQL Injection attacks where an authenticated admin user can craft malicious SQL statements in the search box.

Code Snippet

The issue occurs in the app/admin/routing/edit-bgp-mapping-search.php file. Here is a snippet of the vulnerable code segment:

// app/admin/routing/edit-bgp-mapping-search.php

// check for searching a subnet
if(isset($_POST['subnet'])) {
    $subnet = $_POST['subnet'];
    // create SQL search query string
    $query = "SELECT * FROM subnets WHERE description LIKE '%" . $subnet . "%'";
    // execute query and fetch results
    $search_result = $database->query($query);
}

As seen in the code above, the user input from the 'subnet' parameter ($_POST['subnet']) is directly concatenated into the SQL query without any validation or sanitization. This allows an attacker to craft an SQL payload that can manipulate the query, ultimately giving them unauthorized access to sensitive data or the ability to perform other malicious actions.

Exploitation

To exploit this vulnerability, an attacker must first have admin-level access to the PhpIPAM application. This can be either through legitimate means (e.g., an insider threat) or by compromising a weak admin account.

Once inside, the attacker can visit the edit-bgp-mapping-search.php page and submit a malicious payload containing SQL statements through the subnet search form. For example:

foo'; DROP TABLE users; --

This payload, when submitted, closes the string literal in the original query at the attacker's quote and appends a second statement, causing the application to execute the DROP TABLE statement and delete the 'users' table.
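As an added example that is not part of the original post or of PhpIPAM's own code, the following puts the concatenation pattern shown above beside the prepared-statement form that removes the injection. It uses PDO with an in-memory SQLite database and constructed sample rows so it runs offline; the same prepare/execute calls apply unchanged against PhpIPAM's MySQL backend.

```php
<?php
// Added example, not PhpIPAM's own code: the concatenated query from the
// post beside a parameterised PDO version. It runs against an in-memory
// SQLite database so it works offline; the table layout is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE subnets (id INTEGER PRIMARY KEY, description TEXT)");
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)");
$db->exec("INSERT INTO subnets (description) VALUES ('office foo lan'), ('dmz')");
$db->exec("INSERT INTO users (username) VALUES ('admin')");

// Vulnerable pattern from the post, reduced to the SQL text it builds:
// the search term is spliced into the statement itself.
function build_concat_query(string $subnet): string
{
    return "SELECT * FROM subnets WHERE description LIKE '%" . $subnet . "%'";
}

// Hardened form: the SQL is sent first and the term is bound as a value, so
// quotes and semicolons in the term cannot alter the statement structure.
function search_prepared(PDO $db, string $subnet): array
{
    $stmt = $db->prepare("SELECT * FROM subnets WHERE description LIKE ?");
    $stmt->execute(['%' . $subnet . '%']); // wildcards are added to the value
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "foo'; DROP TABLE users; --";

// The concatenated version ends the string literal at the attacker's quote
// and appends a second statement. It is only printed here, never executed.
echo "Concatenated SQL: ", build_concat_query($payload), "\n";

// The prepared version searches for the whole payload as a literal substring
// and matches no row; an ordinary term still matches as expected.
echo "Rows for payload:  ", count(search_prepared($db, $payload)), "\n";
echo "Rows for 'foo':    ", count(search_prepared($db, 'foo')), "\n";

// The users table is intact because the payload was never parsed as SQL.
echo "Users remaining:   ", $db->query("SELECT COUNT(*) FROM users")->fetchColumn(), "\n";
```

Whether the appended DROP TABLE would actually run through the concatenated path depends on the database driver accepting stacked statements in one call, which is not a property to rely on; binding the value removes the question entirely. Binding does not stop a user from supplying LIKE wildcards, so escape `%` and `_` in the term (with an ESCAPE clause) where that matters.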

Potential Impact

Successful exploitation of this vulnerability can lead to devastating consequences. An attacker can leverage this vulnerability to extract sensitive data (e.g., user information), modify data, or delete important information from the application.

Furthermore, if the database's user account has extended permissions, such as access to other databases or administrative functions, the attacker could escalate privileges and potentially gain complete control over the entire system.

Original References

- CVE-2022-23046
- PhpIPAM Official Website
- PhpIPAM GitHub Repository

Conclusion

CVE-2022-23046 is a critical SQL Injection vulnerability that affects PhpIPAM v1.4.4. It enables an authenticated admin user to inject SQL statements through the "subnet" parameter and potentially compromise the system. To mitigate the risk, users are encouraged to apply security patches or update to a newer, secure version of the application. Additionally, it is crucial to follow best security practices, such as strong user authentication, least privilege access, and input validation and sanitization in web applications, to minimize the chances of successful exploitation.

Timeline

Published on: 01/19/2022 21:15:00 UTC
Last modified on: 02/11/2022 14:01:00 UTC