A SQL injection vulnerability exists in the get_discovery_results function of automation_devices.php: the parameter `network` is concatenated into `$sql_where` without sufficient filtering.
$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . 'network_id=' . $network;
The value of `network` is being concatenated directly into the SQL statement.
In automation_devices.php line 375
'network' => array(
    'filter' => FILTER_CALLBACK,
    'pageset' => true,
    'default' => '',
    'options' => array('options' => 'sanitize_search_string')
),
The filter for `network` is FILTER_CALLBACK, which means sanitize_search_string will be applied to the network parameter.
in lib/function.php
function sanitize_search_string($string) {
    static $drop_char_match = array('(',')','^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '+', '[', ']', '{', '}', '#', ';', '!', '=', '*');
    static $drop_char_replace = array('','',' ', ' ', ' ', ' ', '', '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ');

    /* Replace line endings by a space */
    $string = preg_replace('/[\n\r]/is', ' ', $string);

    /* Replace HTML entities by a space */
    $string = preg_replace('/\b&[a-z]+;\b/', ' ', $string);

    /* Remove URL's */
    $string = preg_replace('/\b[a-z0-9]+:\/\/[a-z0-9\.\-]+(\/[a-z0-9\?\.%_\-\+=&\/]+)?/', ' ', $string);

    /* Filter out strange characters like ^, $, &, change "it's" to "its" */
    for($i = 0; $i < cacti_count($drop_char_match); $i++) {
        $string = str_replace($drop_char_match[$i], $drop_char_replace[$i], $string);
    }

    return $string;
}
We found that sanitize_search_string only strips a fixed list of symbols; letters, digits and spaces pass through unchanged.
However, because the parameter network is not enclosed in quotes in the SQL statement, none of the stripped characters are needed: the value is inserted directly into the SQL statement for execution.
LoRexxar@Qianxin Tiangong Lab
In automation_devices.php line 416, the `network` parameter is being concatenated into the SQL statement.

Setting network to `321 or 1` turns the WHERE clause into an always-true condition, so all results are returned.
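As an added illustration (not Cacti's code), the following PHP shows why a symbol-stripping filter does not protect an unquoted numeric column, and a hardened form that validates the value as an integer and binds it as a query parameter. The filter stand-in is simplified (every listed symbol becomes a space) and the query builder names are assumed.

```php
<?php
// Added example (not Cacti's code): a symbol-stripping filter is not
// enough for an unquoted numeric column; validate and bind instead.

// Simplified stand-in for the filter shown above: it only drops a fixed
// list of symbols, so letters, digits and spaces pass through untouched.
function sanitize_search_string_demo(string $string): string {
    $drop = array('(',')','^','$','<','>','`','\'','"','|',',','?','+','[',']','{','}','#',';','!','=','*');
    return str_replace($drop, ' ', $string);
}

// Vulnerable shape: the filtered value is still spliced into the SQL text,
// so "321 or 1" survives the filter and changes the query's meaning.
function build_where_vulnerable(string $network): string {
    $network = sanitize_search_string_demo($network);
    return 'WHERE network_id=' . $network;
}

// Hardened shape: require a real integer and pass it as a bound parameter;
// the SQL text itself never contains user input.
// Returns null when the input is not a valid integer id.
function build_where_hardened(string $network): ?array {
    $id = filter_var($network, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // reject instead of concatenating
    }
    return array('sql' => 'WHERE network_id=?', 'params' => array($id));
}

// Constructed inputs: a normal id and the always-true value from the report.
foreach (array('321', '321 or 1') as $input) {
    echo "input:      " . $input . PHP_EOL;
    echo "vulnerable: " . build_where_vulnerable($input) . PHP_EOL;
    $h = build_where_hardened($input);
    echo "hardened:   " . ($h === null ? 'rejected'
        : $h['sql'] . ' with ' . json_encode($h['params'])) . PHP_EOL;
}
```

For the second input the vulnerable builder emits `WHERE network_id=321 or 1`, while the hardened builder rejects it because FILTER_VALIDATE_INT does not accept it as an integer.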