目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1325

100%
请我们喝杯咖啡

CVE-2020-15175 PoC — GLPI 安全漏洞

来源
https://github.com/Xn2/GLPwn
关联漏洞
标题:GLPI 安全漏洞 (CVE-2020-15175)
Description:GLPI是个人开发者的一款开源IT和资产管理软件。该软件提供功能全面的IT资源管理接口,你可以用它来建立数据库全面管理IT的电脑,显示器,服务器,打印机,网络设备,电话,甚至硒鼓和墨盒等。 GLPI 9.5.2之前版本存在安全漏洞,该漏洞源于?pluginimage.send.php?端点允许用户指定一个图像从一个插件。可以恶意构造的参数而不是删除的。htaccess文件文件目录。任何用户就能够阅读所有的文件和文件夹包含在文件“/ /”。一些敏感信息的泄露用户会话,日志等等。攻击者可利用该漏洞能够获得管理
Description
GLPI automatic exploitation tool for CVE-2020-15175
介绍
# GLPwn
 A GLPI hack tool, using Apache directory listing and / or CVE-2020-15175 to dump files and valid sessions.

### Who is vulnerable?
- Any GLPI instance that has Apache directory listing already enabled on the `/files` folder
- All GLPI instances prior to 9.5.1 running on a default Apache2 server.

### What can it do?
GLPwn is able to dump all files inside the GLPI `/files` folder, which includes adminitrator sessions, logs, database dumps, and ticket attachments.

GLPwn is also able to automaticaly detect which session is valid, has the most rights on the platform, and the sessions user's name.

## Disclaimer
**This tool leverages a vulnerability inside GLPI that permanently erases a critical configuration file. Once exploited, the private data inside GLPI will be exposed publicly.**

**This tool shall not be used outside of educationnal purposes and/or penetration tests.**

**Just like with sex, please use with consent of both parties.**

## Installation
### Pre-requisites
- Python 3.9 or later

First clone the repository from the `master` branch, or download one of the releases from the repository.

Use `pip install -r requirements.txt` to install all the required dependencies.

Use `python3 GLPwn.py -h` to run the script and get the help menu.

## Usage
The `--url` parameter is required for the script to work. 

`python3 GLPwn.py --url [GLPI_URL]`, e.g. `http://127.0.0.1/glpi`

Optionnal parameters : 

 - `--check` Performs version check to determine if the GLPI instance is vulnerable or not.
 - `--exploit` Attempts to use a CVE-2020-15175 expoit to enable directory listing on `/files`.
 - `--sessions` Attempts to retrieve valid session tokens.
 - `--dumpfiles` Attempts to dump the whole content of the `/files` folder.

## License
The Software is provided “as is”, without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the Software.
文件快照

登录后查看神龙缓存的 POC 文件快照

登录查看
备注
    1. 建议优先通过来源进行访问。
    2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
    3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →