# Exploit Title: LibreNMS 1.46 - 'search' SQL Injection
# Google Dork: unknown
# Date: 2019-09-01
# Exploit Author: Punt
# Vendor Homepage: https://www.librenms.org
# Software Link: https://www.librenms.org
# Version: 1.46 and less
# Tested on: Linux and Windows
# CVE: N/A

# Affected devices: more than 4k found on Shodan and Censys.

# Description of the bug

Vulnerable script: /html/ajax_search.php (the html/ directory is the web root, so it is served as /ajax_search.php)

if (isset($_REQUEST['search'])) {
    $search = mres($_REQUEST['search']);
    header('Content-type: application/json');

    if (strlen($search) > 0) {
        $found = 0;

        if ($_REQUEST['type'] == 'group') {
            include_once '../includes/device-groups.inc.php';
            // user-controlled $search is concatenated straight into the LIKE clause
            foreach (dbFetchRows("SELECT id,name FROM device_groups WHERE name LIKE '%".$search."%'") as $group) {
                if ($_REQUEST['map']) {
                    $results[] = array(
                        'name'     => 'g:'.$group['name'],
                        'group_id' => $group['id'],
                        // ...
                    );
                }
            }
        }
    }
}

As you can see, the search value is read straight from $_REQUEST['search'] (which merges GET, POST and cookie data, so it can be supplied in the query string), passed through mres(), and then concatenated into the LIKE clause of the SELECT statement.

dbFetchRows() executes that string as an SQL query against the LibreNMS database.

Now let's check the mres() function, which is located in /includes/common.php:

function mres($string)
{
    return $string; // unconditional early return: nothing below this line is ever reached

    global $database_link;
    return mysqli_real_escape_string($database_link, $string);
}

As you can see, the first statement of mres() returns $string unchanged, so the mysqli_real_escape_string() call after it is dead code and the search value reaches the query with no escaping at all. That is why a single quote in the search parameter breaks out of the string literal. (Even with the escaping active, mysqli_real_escape_string() does not touch % or _, so those would still act as LIKE wildcards; that only affects which rows match, though, not the structure of the query.)

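As an added example (not code from this advisory or from LibreNMS), the following Python script reproduces the same concatenated LIKE query against an in-memory SQLite table and puts it beside the placeholder-bound form that fixes it. The device_groups rows, the function names and the no-op mres() stand-in are constructed for illustration; the injection behaviour shown is the general one the advisory describes, not specific to SQLite.

```python
"""Added example: string-concatenated LIKE query vs. parameter binding."""
import sqlite3


def make_db():
    # Constructed sample data standing in for LibreNMS's device_groups table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE device_groups (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO device_groups (id, name) VALUES (?, ?)",
        [(1, "core-routers"), (2, "edge-switches"), (3, "lab")],
    )
    return conn


def mres(string):
    # Mirrors the 1.46 helper: the early return makes escaping a no-op.
    return string


def search_groups_vulnerable(conn, search):
    # Same pattern as ajax_search.php: user input concatenated into the SQL.
    search = mres(search)
    sql = "SELECT id,name FROM device_groups WHERE name LIKE '%" + search + "%'"
    return conn.execute(sql).fetchall()


def search_groups_fixed(conn, search):
    # Placeholder binding: the value travels separately from the statement,
    # so quotes in `search` cannot alter the query's structure. The wildcards
    # are added to the bound value, never to the SQL text.
    sql = "SELECT id,name FROM device_groups WHERE name LIKE ?"
    return conn.execute(sql, ("%" + search + "%",)).fetchall()


def probe(conn, search):
    """Run both variants for one input; report a syntax error from the vulnerable one."""
    try:
        vuln_rows, vuln_error = search_groups_vulnerable(conn, search), None
    except sqlite3.OperationalError as exc:
        vuln_rows, vuln_error = [], str(exc)
    return {
        "vulnerable": vuln_rows,
        "vulnerable_error": vuln_error,
        "fixed": search_groups_fixed(conn, search),
    }


if __name__ == "__main__":
    db = make_db()
    # "'" is the advisory's PoC (the %27 in the URL); the second payload turns
    # the syntax error into a row dump.
    for payload in ["core", "'", "' OR 1=1 -- "]:
        print(repr(payload), probe(db, payload))
```

Running it shows the three cases from the advisory side by side: a normal term returns the matching group, the lone quote produces a syntax error from the vulnerable query (the fixed query just searches for a literal quote and finds nothing), and `' OR 1=1 -- ` returns every row from the vulnerable query while the fixed one again returns nothing. The trailing space after `--` matters on MySQL, where the comment marker must be followed by whitespace. The fixed form is the same shape LibreNMS's own dbFetchRows() supports through its second argument, a query with `?` placeholders plus an array of bound values.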
# POC:

1. Log in to your LibreNMS instance.
2. Request /ajax_search.php?search=%27&type=group or /ajax_search.php?search=%27&type=alert-rules (%27 is a URL-encoded single quote).
3. The response contains an SQL syntax error, confirming that the quote reached the query unescaped.

The LibreNMS team has applied a patch.

Thanks

Punt (From Ethiopia)