Guilhem7 / CVE_2023_41320

POC for cve 2023 41320 GLPI

CVE_2023_41320

POC for CVE 2023 41320 on GLPI

| Vulnerability | Condition | Score CVSS | Vulnerable versions |
|---|---|---|---|
| SQL Injection | Authenticated User | 8.1 | 10.0.0 $\leq$ Version $\leq$ 10.0.9 |

Impact:

  • SQL Injection in an update clause (be careful, do not forget the "WHERE"; thanks Issam for the test 😄)
  • Account Takeover (or privesc on the webapp)
  • Remote Code Execution (in some cases, use the check module to verify)
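Why the "WHERE" warning in the first bullet matters, shown as an added example that is not code from this repository or from GLPI: an UPDATE built by string formatting next to the parameterized form. The table, function names and hostile input are constructed for the demo and do not reflect GLPI's schema or code.

```python
import sqlite3

# Constructed input: the quote closes the string literal and "--" comments
# out everything after it, including the WHERE clause.
HOSTILE = "x' --"


def make_db():
    # Constructed demo table (assumption: not GLPI's real schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, realname TEXT)")
    db.executemany(
        "INSERT INTO users (id, name, realname) VALUES (?, ?, ?)",
        [(1, "alice", "Alice A"), (2, "bob", "Bob B"), (3, "carol", "Carol C")],
    )
    return db


def update_vulnerable(db, user_id, realname):
    # Vulnerable: the value is pasted into the SET clause as SQL text.
    sql = "UPDATE users SET realname = '%s' WHERE id = %d" % (realname, user_id)
    return db.execute(sql).rowcount


def update_hardened(db, user_id, realname):
    # Hardened: placeholders keep the value as data, so the WHERE always applies.
    cur = db.execute("UPDATE users SET realname = ? WHERE id = ?", (realname, user_id))
    return cur.rowcount


def realnames(db):
    return [row[0] for row in db.execute("SELECT realname FROM users ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable rows changed:", update_vulnerable(db, 2, HOSTILE))
    print(realnames(db))  # every row was overwritten, not only id 2

    db = make_db()
    print("hardened rows changed:", update_hardened(db, 2, HOSTILE))
    print(realnames(db))  # only id 2 changed; the input is stored literally
```

A single-row update that reports more than one affected row is a useful signal in tests and in database audit logs.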

This exploit has been tested on GLPI 10.0.0 and GLPI 10.0.9 (Linux only); it might require modification in order to work on other versions. In particular, the functions extract_val_from_pref and set_user_val might require some changes. set_user_val stores the result of the SQL injection in the realname field of the glpi_users table.

To achieve RCE, you must allow the upload of files with the .php extension (piece of cake when you are an Administrator).

Report link: Huntr report

NOTE: Thanks to GLPI for the quick answer and the version patched here
