Listen to this Post
This vulnerability is a time-based blind SQL injection found in LibreNMS versions prior to 24.4.0. The flaw resides in includes/html/table/address-search.inc.php, where the `address` parameter is processed. When a user submits a value containing a slash (e.g., 127.0.0.1/INJECTION), the part after the slash is stored in the `$prefix` variable. On lines 34 and 52 of the file, this `$prefix` is directly concatenated into an SQL query using double quotes (" AND ipv4_prefixlen='$prefix'") without any sanitization or parameter binding . An authenticated attacker can exploit this by sending a crafted `address` parameter to the `/ajax_table.php` endpoint. The malicious payload uses SQL conditional statements with a `SLEEP()` function. By measuring the time it takes for the server to respond, the attacker can infer whether a condition is true or false. This binary search allows them to systematically extract data character by character from the database, including administrative credentials and password hashes .
Platform: LibreNMS
Version: before 24.4.0
Vulnerability: time-based blind SQLi
Severity: High (7.1-8.8)
date: 2024-04-22
Prediction: patch already released
What Undercode Say:
Analytics
Based on the ‘s provided script and the official advisories, this CVE targets a specific input validation failure. The vulnerability was patched in version 24.4.0, released shortly after the disclosure on April 22, 2024 . The CVSS score varies between 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) and 8.8, depending on the vector calculated, but all confirm a “High” severity due to the low attack complexity and high potential for data breach . The exploit requires authentication but grants read access to any authenticated user, making it a significant internal threat.
Bash Commands and Codes
The primary exploitation method is a Python script that performs a binary search via time-based injection.
Key injection logic from the
injection_string = f"' AND (SELECT 1 FROM (SELECT IF(ASCII(SUBSTRING(({inject_qry}),{i},1))=[bash],SLEEP({sleep_delay}),0))x) AND '1'='1"
This payload is inserted into the `address` parameter:
Example POST data format containing the payload POST /ajax_table.php HTTP/1.1 ... address=127.0.0.1/aa' AND (SELECT 1 FROM (SELECT IF(ASCII(SUBSTRING((SELECT CURRENT_USER()),1,1))=97,SLEEP(1.5),0))x) AND '1'='1
The Python script automates this by iterating through characters and measuring response delays to reconstruct the output of queries like SELECT CURRENT_USER().
How Exploit:
- Authentication: The attacker must first log in to the LibreNMS web interface to obtain a valid session cookie.
- Craft Payload: The attacker creates a time-based SQL injection string. The ‘s script uses a binary search method to guess characters. For example, to guess the first letter of the database user, it injects:
' AND (SELECT 1 FROM (SELECT IF(ASCII(SUBSTRING((SELECT CURRENT_USER()),1,1))>97,SLEEP(1.5),0))x) AND '1'='1. - Send Request: The payload is placed after a slash in the `address` parameter of a POST request to `/ajax_table.php` while maintaining the required fields like `search_type=ipv4` and
device_id=1. - Time Analysis: If the guessed condition is true, the database sleeps, delaying the HTTP response. The script measures this delay to determine if the character guess was correct.
- Data Exfiltration: The script repeats this process for each character and each desired data string, eventually extracting credentials or password hashes .
Protection from this CVE
- Upgrade LibreNMS: The primary and most effective fix is to update to version 24.4.0 or later, where the vulnerability is patched .
- Input Validation (Code Fix): Developers must replace the dangerous direct concatenation with parameterized queries. The vulnerable code `$sql .= ” AND ipv4_prefixlen=’$prefix'”;` should be changed to use a placeholder (e.g.,
?) and bind the `$prefix` variable to it. - Principle of Least Privilege: Ensure that database accounts used by LibreNMS have the minimum necessary permissions. This limits the data an attacker can extract even if SQL injection is successful.
- Web Application Firewall (WAF): Deploy WAF rules (like those from Check Point IPS) that can detect and block SQL injection patterns in the `address` parameter .
Impact
- Confidentiality Breach: Any authenticated user can extract the entire contents of the LibreNMS database. This includes device credentials, SNMP community strings, and user tables.
- Credential Theft: Attackers can specifically target password hashes of administrator accounts. If cracked, these grant full control over the monitoring system .
- Privilege Escalation: Gaining admin access to LibreNMS could be a stepping stone to compromising managed network devices, as the system often stores credentials for accessing switches and routers.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

