Add glpi exploit

modules/vulnerabilities/unix/http/glpi_php_injection/files/mysql_secure.sh

@@ -0,0 +1,71 @@
+#! /bin/sh
+#
+# Author: Bert Van Vreckem <bert.vanvreckem@gmail.com>
+#
+# A non-interactive replacement for mysql_secure_installation
+#
+# Tested on CentOS 6, CentOS 7, Ubuntu 12.04 LTS (Precise Pangolin), Ubuntu
+# 14.04 LTS (Trusty Tahr).
+
+set -o errexit # abort on nonzero exitstatus
+set -o nounset # abort on unbound variable
+
+#{{{ Functions
+
+usage() {
+cat << _EOF_
+
+Usage: ${0} "ROOT PASSWORD"
+
+  with "ROOT PASSWORD" the desired password for the database root user.
+
+Use quotes if your password contains spaces or other special characters.
+_EOF_
+}
+
+# Predicate that returns exit status 0 if the database root password
+# is set, a nonzero exit status otherwise.
+is_mysql_root_password_set() {
+  ! mysqladmin --user=root status > /dev/null 2>&1
+}
+
+# Predicate that returns exit status 0 if the mysql(1) command is available,
+# nonzero exit status otherwise.
+is_mysql_command_available() {
+  which mysql > /dev/null 2>&1
+}
+
+#}}}
+#{{{ Command line parsing
+
+if [ "$#" -ne "1" ]; then
+  echo "Expected 1 argument, got $#" >&2
+  usage
+  exit 2
+fi
+
+#}}}
+#{{{ Variables
+db_root_password="${1}"
+#}}}
+
+# Script proper
+
+if ! is_mysql_command_available; then
+  echo "The MySQL/MariaDB client mysql(1) is not installed."
+  exit 1
+fi
+
+if is_mysql_root_password_set; then
+  echo "Database root password already set"
+  exit 0
+fi
+
+mysql --user=root <<_EOF_
+  UPDATE mysql.user SET Password=PASSWORD('${db_root_password}') WHERE User='root';
+  DELETE FROM mysql.user WHERE User='';
+  DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
+  DROP DATABASE IF EXISTS test;
+  DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
+  FLUSH PRIVILEGES;
+_EOF_

modules/vulnerabilities/unix/http/glpi_php_injection/glpi_php_injection.pp

@@ -0,0 +1,8 @@
+contain glpi_php_injection::install
+contain glpi_php_injection::apache
+contain glpi_php_injection::maria
+contain glpi_php_injection::configure
+Class['glpi_php_injection::install']
+-> Class['glpi_php_injection::apache']
+-> Class['glpi_php_injection::maria']
+-> Class['glpi_php_injection::configure']

modules/vulnerabilities/unix/http/glpi_php_injection/manifests/apache.pp

@@ -0,0 +1,30 @@
+# Class: glpi_php_injection::apache
+# Apache configuration
+#
+class glpi_php_injection::apache {
+  $port = '80'
+  $docroot = '/var/www/html/glpi'
+
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+  class { '::apache':
+    default_vhost   => false,
+  }
+
+  ::apache::vhost { 'glpi':
+    port       => $port,
+    docroot    => $docroot,
+    options    => ['FollowSymLinks'],
+    override   => ['All'],
+    error_log  => true,
+    access_log => true,
+  }
+
+  file { '/etc/apache2/sites-enabled/000-default.conf':
+    ensure => 'absent',
+  }
+  -> exec { 'service-restart-apache2':
+    command   => 'service apache2 restart',
+    logoutput => true,
+  }
+}

modules/vulnerabilities/unix/http/glpi_php_injection/manifests/configure.pp

@@ -0,0 +1,20 @@
+# Class: glpi_php_injection::configure
+# Configuration for glpi/ Secgen
+#
+class glpi_php_injection::configure {
+  $leaked_filenames = ['flagtest']
+  $strings_to_leak = ['this is a list of strings that are secrets / flags','another secret'] ##$secgen_parameters['strings_to_leak']
+  $known_username = 'admin' ##$secgen_parameters['known_username'][0]
+  $known_password = 'password' ##$secgen_parameters['known_password'][0]
+  $strings_to_pre_leak =  ['The username is admin', 'The password is password'] ##$secgen_parameters['strings_to_pre_leak']
+  $web_pre_leak_filename = 'TODO' ##$secgen_parameters['web_pre_leak_filename'][0]
+
+  ::secgen_functions::leak_files { 'glpi-flag-leak':
+    storage_directory => '/var/www/html/glpi/',
+    leaked_filenames  => $leaked_filenames,
+    strings_to_leak   => $strings_to_leak,
+    owner             => 'www-data',
+    mode              => '0750',
+    leaked_from       => 'glpi_php_injection',
+  }
+}

modules/vulnerabilities/unix/http/glpi_php_injection/manifests/install.pp

@@ -0,0 +1,42 @@
+# Class: glpi_php_injection::install
+# Install process for GLPI
+# https://github.com/glpi-project/glpi/releases/ - v9.5.8 is used here
+class glpi_php_injection::install {
+  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+
+  ensure_packages(['mariadb-server', 'php',
+  'php-curl',
+  'php-gd',
+  'php-intl',
+  'php-mysql',
+  'php-mbstring',
+  'php-xml',
+  'php-ldap',
+  'php-apcu',
+  'php-xmlrpc',
+  'php-zip',
+  'php-bz2'], { ensure => 'installed'})
+
+  $releasename = 'glpi-9.5.8.tgz'
+  file { "/tmp/${releasename}":
+    ensure => file,
+    source => "puppet:///modules/glpi_php_injection/${releasename}",
+  }
+  -> exec { 'extract-glpi':
+    cwd     => '/tmp',
+    command => "tar -xf ${releasename}",
+    creates => '/tmp/glpi'
+  }
+  -> exec { 'move-glpi':
+    cwd     => '/tmp',
+    command => 'mv glpi/ /var/www/html',
+    creates => '/var/www/html/glpi/',
+  }
+  -> exec { 'chmod-glpi':
+    command => 'chmod 755 -R /var/www/html/glpi/',
+  }
+  -> exec { 'chown-glpi':
+    command => 'chown www-data:www-data -R /var/www/html/glpi/',
+  }
+
+}

modules/vulnerabilities/unix/http/glpi_php_injection/manifests/maria.pp

@@ -0,0 +1,42 @@
+# Class: glpi_php_injection::maria
+# maria db install and configuration
+#
+class glpi_php_injection::maria {
+  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+
+  $db_name = 'glpidb'
+  $db_user = 'user'
+  # maybe change this soon?
+  $db_pass = 'demo'
+
+  file { '/tmp/mysql_secure.sh':
+    ensure => file,
+    source => 'puppet:///modules/glpi_php_injection/mysql_secure.sh',
+  }
+  -> exec { 'chmod-mysql-secure':
+    cwd     => '/tmp',
+    command => 'chmod +x mysql_secure.sh',
+  }
+  # we need provider here. puppet doesnt discover platform...?
+  -> exec { 'mysql-secure-install':
+    provider => 'shell',
+    cwd      => '/tmp',
+    command  => "./mysql_secure.sh ${db_pass}",
+  }
+
+  mysql::db {  'glpidb':
+    user     => $db_user,
+    password => $db_pass,
+    dbname   => $db_name,
+    host     => 'localhost',
+    grant    => ['ALL'],
+  }
+
+  # glpi provides a cli installer - we can utilise this to set it up.
+  # See: https://glpi-install.readthedocs.io/en/latest/command-line.html#cdline-install
+  -> exec { 'glpi-cli-install':
+    cwd       => '/var/www/html/glpi/bin/',
+    command   => "php console db:install -f -H localhost -P 80 -d ${db_name} -u ${db_user} -p ${db_pass}",
+    logoutput => true,
+  }
+}

modules/vulnerabilities/unix/http/glpi_php_injection/secgen_metadata.xml

@@ -0,0 +1,96 @@
+<?xml version="1.0"?>
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+
+  <name>GLPI htmLawed php command injection - GLPI versions 10.0.2 and below</name>
+  <author>James Davis</author>
+  <module_license>MIT</module_license>
+  <description>This
+    exploit takes advantage of a unauthenticated php command injection available
+    from GLPI versions 10.0.2 and below to execute a command.</description>
+
+  <type>http</type>
+  <type>bruteforceable</type>
+  <type>in_the_wild</type>
+  <privilege>user_rwx</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+  <difficulty>low</difficulty>
+
+  <read_fact>port</read_fact>
+  <read_fact>organisation</read_fact>
+  <read_fact>strings_to_leak</read_fact>
+  <read_fact>leaked_filenames</read_fact>
+  <read_fact>known_username</read_fact>
+  <read_fact>known_password</read_fact>
+  <read_fact>strings_to_pre_leak</read_fact>
+  <read_fact>web_pre_leak_filename</read_fact>
+
+  <default_input into="port">
+    <value>80</value>
+  </default_input>
+
+  <!-- flags or other secrets exposed after exploitation -->
+  <default_input into="strings_to_leak">
+    <generator type="message_generator" />
+  </default_input>
+
+  <default_input into="leaked_filenames">
+    <generator type="filename_generator" />
+  </default_input>
+
+  <!-- these details need to be known or bruteforced to successful exploit the service -->
+  <!-- By default the username is admin, but it can be something else, so long as they can easily
+  guess it (for example leak it to them) -->
+  <default_input into="known_username">
+    <!-- <generator type="random_sanitised_word">
+			<input into="wordlist">
+    <value>admin_name</value>
+			</input>
+		</generator> -->
+    <value>admin</value>
+  </default_input>
+
+  <default_input into="known_password">
+    <generator type="weak_password_generator" />
+  </default_input>
+
+  <!-- pre-leaked, these details are leaked before the main vuln is exploited, for example hidden
+  content or hosted files -->
+  <default_input into="strings_to_pre_leak">
+    <generator type="message_generator" />
+  </default_input>
+
+  <!-- ideally something found by dirbuster -->
+  <default_input into="web_pre_leak_filename">
+    <generator type="random_sanitised_word">
+      <input into="wordlist">
+        <value></value>
+      </input>
+    </generator>
+  </default_input>
+
+  <!--optional vulnerability details-->
+  <cve>CVE-2022-35914</cve>
+  <cvss_base_score>9.8</cvss_base_score>
+  <cvss_vector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</cvss_vector>
+  <software_name>GLPI Management Suite</software_name>
+  <software_license>GNU GPLv3</software_license>
+  <reference>
+    https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb</reference>
+  <reference>
+    https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/glpi_htmlawed_php_injection.md</reference>
+
+  <!--optional hints-->
+  <hint></hint>
+
+  <requires>
+    <module_path>services/unix/http/apache_stretch_compatible/apache</module_path>
+  </requires>
+
+  <requires>
+    <module_path>services/unix/database/mysql_stretch_compatible/mysql</module_path>
+  </requires>
+
+</vulnerability>