LibreNMS version 1.46 suffers from a remote SQL injection vulnerability.
e3563f5b8dbf8c92538f0b993871da66# Exploit Title: LibreNMS 1.46 - 'search' SQL Injection
# Google Dork:unknown
# Date: 2019-09-01
# Exploit Author: Punt
# Vendor Homepage: https://www.librenms.org
# Software Link: https://www.librenms.org
# Version:1.46 and less
# Tested on:Linux and Windows
# CVE: N/A
#Affected Device: more than 4k found on Shodan and Censys.
#Description about the bug
Vunlerable script /html/ajax_serarch.php
if (isset($_REQUEST['search'])) {
$search = mres($_REQUEST['search']);
header('Content-type: application/json');
if (strlen($search) > 0) {
$found = 0;
if ($_REQUEST['type'] == 'group') {
include_once '../includes/device-groups.inc.php';
foreach (dbFetchRows("SELECT id,name FROM device_groups WHERE name LIKE '%".$search."%'") as $group) {
if ($_REQUEST['map']) {
$results[] = array(
'name' => 'g:'.$group['name'],
'group_id' => $group['id'],
as you can there is a search parameter $search = mres($_REQUEST['search']); which accepts a user input using $_REQUEST['']
dbFetchRows() used to exectute sql query
now lets check the mres() function
the mres() fuction is located under /includes/common.php
function mres($string)
{
return $string; //
global $database_link;
return mysqli_real_escape_string($database_link, $string);
as you can see the mres() function call's the mysqli_real_escape_string() which can be bypassed by '%'
#POC:
1st lgoin to your LibreNMS
2nd go to this /ajax_search.php?search=%27&type=group or /ajax_search.php?search=%27&type=alert-rules
3rd you will see an sql syntax error
The Librenms team have applyed a patch .
Thanks
Punt (From Ethiopia)