LibreNMS 1.46 search SQL Injection

2020.05.11
Credit: Punt
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: LibreNMS 1.46 - 'search' SQL Injection # Google Dork:unknown # Date: 2019-09-01 # Exploit Author: Punt # Vendor Homepage: https://www.librenms.org # Software Link: https://www.librenms.org # Version:1.46 and less # Tested on:Linux and Windows # CVE: N/A #Affected Device: more than 4k found on Shodan and Censys. #Description about the bug Vunlerable script /html/ajax_serarch.php if (isset($_REQUEST['search'])) { $search = mres($_REQUEST['search']); header('Content-type: application/json'); if (strlen($search) > 0) { $found = 0; if ($_REQUEST['type'] == 'group') { include_once '../includes/device-groups.inc.php'; foreach (dbFetchRows("SELECT id,name FROM device_groups WHERE name LIKE '%".$search."%'") as $group) { if ($_REQUEST['map']) { $results[] = array( 'name' => 'g:'.$group['name'], 'group_id' => $group['id'], as you can there is a search parameter $search = mres($_REQUEST['search']); which accepts a user input using $_REQUEST[''] dbFetchRows() used to exectute sql query now lets check the mres() function the mres() fuction is located under /includes/common.php function mres($string) { return $string; // global $database_link; return mysqli_real_escape_string($database_link, $string); as you can see the mres() function call's the mysqli_real_escape_string() which can be bypassed by '%' #POC: 1st lgoin to your LibreNMS 2nd go to this /ajax_search.php?search=%27&type=group or /ajax_search.php?search=%27&type=alert-rules 3rd you will see an sql syntax error The Librenms team have applyed a patch . Thanks Punt (From Ethiopia)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top