| Title | phpipam 1.7.4 SQL Injection |
|---|
| Description |
## Vulnerability Summary
A Second Order SQL Injection vulnerability was found in phpipam version 1.7.4. The vulnerability exists in the subnetOrdering parameter of the Section management feature. This vulnerability allows an authenticated administrator to inject arbitrary SQL commands that are executed when viewing subnets within that section. The exploitation is time-based blind and heavily constrained by the database column length.
## Vulnerability Details
### 1. Injection Request (The "First Order")
The vulnerability starts when an administrator updates a Section. The subnetOrdering parameter is stored in the database without sufficient validation for SQL keywords, although it is escaped for storage.
File: app/admin/sections/edit-result.php
Endpoint: POST /app/admin/sections/edit-result.php
Parameter: subnetOrdering
The exploit script sets this value to a payload like SLEEP(5).
### 2. Execution (The "Second Order")
The stored payload is retrieved and used unsafely in a SQL query when listing subnets.
File: functions/classes/class.Subnets.php
Function: fetch_section_subnets
Vulnerable Code:
```php
// Lines 532-533: Retrieve the stored section settings
$section = $this->fetch_object ("sections", "id", $sectionId);
if(@$section->subnetOrdering!="default" && !is_blank(@$section->subnetOrdering) ) {
    $order = pf_explode(',', $section->subnetOrdering);
}
// ...
// Line 549: The stored $order[0] is concatenated directly into the SQL string
$query = "SELECT $safe_result_fields FROM `subnets` where `sectionId` = ? $field_query order by `isFolder` desc, case `isFolder` when 1 then description else $order[0] end $order[1]";
```
The variable $order[0] contains the attacker-controlled string (e.g., SLEEP(5)). Because it is not sanitized or parameterized when constructing the $query string, the database executes the injected SQL command.
## Limitations on Exploitation
The vulnerability is considered limited for the following reasons:
1. Column Length Constraint: The subnetOrdering column in the sections table is defined as VARCHAR(16). This means the total payload length cannot exceed 16 characters.
* SLEEP(5) (8 chars) matches.
* if(1=1,sleep(5),0) (18 chars) does not fit.
* This forces the use of extremely compact payloads.
2. Injection Context: The injection occurs in an ORDER BY clause. Standard UNION SELECT attacks are structurally invalid here. Exploitation primarily relies on:
* Time-based calls: SLEEP(x) or BENCHMARK().
* Error-based injection: If errors are displayed (uncommon in production).
3. Authentication Required: The attacker must have administrative privileges to edit Sections.
## Proof of Concept
The provided script `sqli_sleep.py` exploits this by:
1. Authenticating as an admin.
2. Editing Section 1 to set `subnetOrdering` to `SLEEP(5)`.
3. Accessing the Subnet list for Section 1.
4. Measuring the server response time (approx 20 seconds, as the sleep runs for multiple rows).
I made a video with the PoC: https://drive.google.com/file/d/1yxx2iUTG1ebMKo3W9bHlCFFxUJAhkwEk/view?usp=drive_link
Note: I contacted the vendors and got no response |
|---|
| User | rodtvs (UID 94532) |
|---|
| Submitted | 2026-03-02 12:18 (2 months ago) |
|---|
| Moderation | 2026-03-14 23:31 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 351095 [phpipam up to 1.7.4 Section edit-result.php subnetOrdering SQL injection] |
|---|
| Points | 17 |
|---|
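The root cause described in the submission is that a stored ordering preference is interpolated into an ORDER BY clause, where bind parameters cannot be used for identifiers. The standard mitigation is an allowlist: the stored value is only ever mapped to a fixed set of column names and directions, and anything else falls back to a hard-coded default. The following is an added example written for this entry; it is not phpipam's code and not part of the submission. The column names in `ALLOWED_ORDER_FIELDS`, the `field,direction` storage format and the function names are assumptions modelled on the report, not verified against the project.

```php
<?php
// Added example (not phpipam code): allowlist validation for a stored
// subnet-ordering preference before it is used to build an ORDER BY clause.
// Column names below are assumed for illustration; a real deployment would
// list the actual sortable columns of the `subnets` table.
const ALLOWED_ORDER_FIELDS = ['subnet', 'mask', 'description', 'vlanId', 'vrfId'];
const ALLOWED_ORDER_DIRECTIONS = ['asc', 'desc'];

/**
 * Parse a stored "field,direction" string and return [field, direction]
 * only when both parts are on the allowlist. Returns null for "default",
 * blank values, and anything that is not an exact allowlist match, so a
 * value such as "SLEEP(5)" never reaches the query builder.
 */
function parse_subnet_ordering(string $stored): ?array {
    if ($stored === '' || $stored === 'default') {
        return null;
    }
    $parts     = array_map('trim', explode(',', $stored, 2));
    $field     = $parts[0];
    $direction = strtolower($parts[1] ?? 'asc');
    if (!in_array($field, ALLOWED_ORDER_FIELDS, true)) {
        return null;
    }
    if (!in_array($direction, ALLOWED_ORDER_DIRECTIONS, true)) {
        return null;
    }
    return [$field, $direction];
}

/**
 * Build the ORDER BY fragment. Only allowlisted, backtick-quoted identifiers
 * and a fixed direction keyword are ever interpolated; the stored string
 * itself is never placed in the SQL.
 */
function build_order_by(string $stored): string {
    [$field, $direction] = parse_subnet_ordering($stored) ?? ['subnet', 'asc'];
    return "order by `isFolder` desc, case `isFolder` when 1 then `description` else `$field` end $direction";
}

// Constructed sample values, including the payload shape named in the report.
$samples = ['subnet,asc', 'description,desc', 'SLEEP(5)', 'default', 'subnet,desc -- x'];
foreach ($samples as $s) {
    $result = parse_subnet_ordering($s) === null && $s !== 'default'
        ? 'rejected, falling back to default ordering'
        : build_order_by($s);
    printf("%-22s => %s\n", var_export($s, true), $result);
}
```

The same `parse_subnet_ordering()` check belongs on the write path as well (the section edit handler), so that a non-allowlisted value is refused at storage time rather than merely ignored at read time. For detection on an existing installation, an administrator can compare the `subnetOrdering` values stored in the `sections` table against the same allowlist; any value that is neither `default` nor a `field,direction` pair from the list warrants investigation, since the report notes that the column is only escaped, not validated, when written.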