Add module for Pre-auth SQL injection to RCE in GLPI (CVE-2025-24799/CVE-2025-24801)

[jheysel-r7]

Summary

There exists a pre-auth SQL injection which allows an attacker to read an api_token from the database if one exists. This then gives the attacker the ability to exploit an authenticated RCE.

Basic example

https://blog.lexfo.fr/glpi-sql-to-rce.html

[jvoisin]

CVE-2025-24799 was implemented in #19974

[jvoisin]

@jheysel-r7 while you're looking at GLPI, you might be interested in https://github.com/Orange-Cyberdefense/glpwnme