Associated Vulnerability
Title: GLPI security vulnerability (CVE-2020-15175)
Description: GLPI is open-source IT and asset management software maintained by individual developers. It provides a full-featured IT resource management interface that can be used to build a database covering computers, monitors, servers, printers, network equipment, telephones, and even toner drums and ink cartridges. GLPI versions before 9.5.2 contain a vulnerability in the `pluginimage.send.php` endpoint, which lets a user request an image from a plugin; a maliciously crafted parameter instead deletes the `.htaccess` file in the files directory. Any user is then able to read every file and folder contained in the `/files/` directory, leaking sensitive information such as user sessions and logs. An attacker exploiting this vulnerability is able to obtain administrative
Description
GLPI automatic exploitation tool for CVE-2020-15175
Readme
# GLPwn
A GLPI hack tool, using Apache directory listing and/or CVE-2020-15175 to dump files and valid sessions.
### Who is vulnerable?
- Any GLPI instance that has Apache directory listing already enabled on the `/files` folder
- All GLPI instances prior to 9.5.1 running on a default Apache2 server.
### What can it do?
GLPwn is able to dump all files inside the GLPI `/files` folder, which includes administrator sessions, logs, database dumps, and ticket attachments.
GLPwn is also able to automatically detect which session is valid, which one has the most rights on the platform, and the session user's name.
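Because the exploit only works by removing the `.htaccess` that protects `/files`, the defensive point is to not depend on that file at all. Below is an added Apache configuration example, not part of GLPwn or of GLPI's own distribution; the install path `/var/www/html/glpi` is an assumption, and only one of the two `<Directory>` blocks belongs in a real configuration.

```apache
# Weak: the only thing keeping /files private is the .htaccess inside
# that directory. Indexes and per-directory overrides are allowed, so
# deleting the .htaccess (what CVE-2020-15175 does) re-enables listing
# of sessions, logs, database dumps and attachments.
<Directory /var/www/html/glpi/files>
    Options +Indexes
    AllowOverride All
</Directory>

# Hardened: deny HTTP access to the whole /files tree in the server
# configuration itself, disable indexes, and ignore .htaccess so that
# its removal changes nothing. GLPI still reads these files from disk;
# only direct web access is blocked. Path is an assumed install location.
<Directory /var/www/html/glpi/files>
    Options -Indexes
    AllowOverride None
    Require all denied
</Directory>
```

Upgrading to a fixed GLPI release remains the actual fix; this configuration only removes the impact of a deleted `.htaccess`, and `apachectl configtest` followed by a request for `/glpi/files/` returning 403 confirms it is in effect.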
## Disclaimer
**This tool leverages a vulnerability inside GLPI that permanently erases a critical configuration file. Once exploited, the private data inside GLPI will be exposed publicly.**
**This tool shall not be used outside of educational purposes and/or penetration tests.**
**Just like with sex, please use with consent of both parties.**
## Installation
### Pre-requisites
- Python 3.9 or later
First clone the repository from the `master` branch, or download one of the releases from the repository.
Use `pip install -r requirements.txt` to install all the required dependencies.
Use `python3 GLPwn.py -h` to run the script and get the help menu.
## Usage
The `--url` parameter is required for the script to work.
`python3 GLPwn.py --url [GLPI_URL]`, e.g. `http://127.0.0.1/glpi`
Optional parameters:
- `--check` Performs version check to determine if the GLPI instance is vulnerable or not.
- `--exploit` Attempts to use a CVE-2020-15175 exploit to enable directory listing on `/files`.
- `--sessions` Attempts to retrieve valid session tokens.
- `--dumpfiles` Attempts to dump the whole content of the `/files` folder.
## License
The Software is provided “as is”, without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the Software.
File Snapshot
[4.0K] /data/pocs/ca75b476664e7d3b1d3189a8f99cba4f2a345fed
├── [ 209] asciiart.txt
├── [6.4K] GLPwn.py
├── [2.2K] README.md
└── [ 40] requirements.txt
0 directories, 4 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.