port and complete exploit

2026-02-21 11:18:06 +00:00 · 2023-04-17 03:54:09 +01:00
parent cde9ad16ca
commit a71d09d69f
4 changed files with 17 additions and 50 deletions
--- a/modules/vulnerabilities/unix/http/glpi_php_injection/manifests/apache.pp
+++ b/modules/vulnerabilities/unix/http/glpi_php_injection/manifests/apache.pp
@@ -2,8 +2,9 @@
 # Apache configuration
 #
 class glpi_php_injection::apache {
-  $port = '80'
-  $docroot = '/var/www/html/glpi'
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $port = $secgen_parameters['port'][0]
+  $docroot = '/var/www/html/'

  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }

--- a/modules/vulnerabilities/unix/http/glpi_php_injection/manifests/configure.pp
+++ b/modules/vulnerabilities/unix/http/glpi_php_injection/manifests/configure.pp
@@ -2,12 +2,9 @@
 # Configuration for glpi/ Secgen
 #
 class glpi_php_injection::configure {
-  $leaked_filenames = ['flagtest']
-  $strings_to_leak = ['this is a list of strings that are secrets / flags','another secret'] ##$secgen_parameters['strings_to_leak']
-  $known_username = 'admin' ##$secgen_parameters['known_username'][0]
-  $known_password = 'password' ##$secgen_parameters['known_password'][0]
-  $strings_to_pre_leak =  ['The username is admin', 'The password is password'] ##$secgen_parameters['strings_to_pre_leak']
-  $web_pre_leak_filename = 'TODO' ##$secgen_parameters['web_pre_leak_filename'][0]
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $leaked_filenames = $secgen_parameters['leaked_filenames']
+  $strings_to_leak = $secgen_parameters['strings_to_leak']

  ::secgen_functions::leak_files { 'glpi-flag-leak':
    storage_directory => '/var/www/html/glpi/',
--- a/modules/vulnerabilities/unix/http/glpi_php_injection/manifests/maria.pp
+++ b/modules/vulnerabilities/unix/http/glpi_php_injection/manifests/maria.pp
@@ -2,6 +2,8 @@
 # maria db install and configuration
 #
 class glpi_php_injection::maria {
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $port = $secgen_parameters['port'][0]
  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }

  $db_name = 'glpidb'
@@ -36,7 +38,7 @@ class glpi_php_injection::maria {
  # See: https://glpi-install.readthedocs.io/en/latest/command-line.html#cdline-install
  -> exec { 'glpi-cli-install':
    cwd       => '/var/www/html/glpi/bin/',
-    command   => "php console db:install -f -H localhost -P 80 -d ${db_name} -u ${db_user} -p ${db_pass}",
+    command   => "php console db:install -f -H localhost -P ${port} -d ${db_name} -u ${db_user} -p ${db_pass}",
    logoutput => true,
  }
 }
--- a/modules/vulnerabilities/unix/http/glpi_php_injection/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/http/glpi_php_injection/secgen_metadata.xml
@@ -28,7 +28,7 @@
  <read_fact>web_pre_leak_filename</read_fact>

  <default_input into="port">
-    <value>80</value>
+    <generator module_path=".*/random_unregistered_port" />
  </default_input>

  <!-- flags or other secrets exposed after exploitation -->
@@ -40,57 +40,24 @@
    <generator type="filename_generator" />
  </default_input>

-  <!-- these details need to be known or bruteforced to successful exploit the service -->
-  <!-- By default the username is admin, but it can be something else, so long as they can easily
-  guess it (for example leak it to them) -->
-  <default_input into="known_username">
-    <!-- <generator type="random_sanitised_word">
-			<input into="wordlist">
-    <value>admin_name</value>
-			</input>
-		</generator> -->
-    <value>admin</value>
-  </default_input>
-
-  <default_input into="known_password">
-    <generator type="weak_password_generator" />
-  </default_input>
-
-  <!-- pre-leaked, these details are leaked before the main vuln is exploited, for example hidden
-  content or hosted files -->
-  <default_input into="strings_to_pre_leak">
-    <generator type="message_generator" />
-  </default_input>
-
-  <!-- ideally something found by dirbuster -->
-  <default_input into="web_pre_leak_filename">
-    <generator type="random_sanitised_word">
-      <input into="wordlist">
-        <value></value>
-      </input>
-    </generator>
-  </default_input>
-
-  <!--optional vulnerability details-->
+  <!--optional
+  vulnerability details-->
  <cve>CVE-2022-35914</cve>
  <cvss_base_score>9.8</cvss_base_score>
-  <cvss_vector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</cvss_vector>
-  <software_name>GLPI Management Suite</software_name>
-  <software_license>GNU GPLv3</software_license>
+  <cvss_vector>AV:N/AC:L/Au:N/C:C/I:C/A:C</cvss_vector>
  <reference>
    https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb</reference>
  <reference>
    https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/glpi_htmlawed_php_injection.md</reference>
-
-  <!--optional hints-->
-  <hint></hint>
+  <software_name>GLPI Management Suite</software_name>
+  <software_license>GNU GPLv3</software_license>

  <requires>
-    <module_path>services/unix/http/apache_stretch_compatible/apache</module_path>
+    <module_path>.*apache.*compatible.*</module_path>
  </requires>

  <requires>
-    <module_path>services/unix/database/mysql_stretch_compatible/mysql</module_path>
+    <module_path>.*mysql.*compatible.*</module_path>
  </requires>

 </vulnerability>