Update of the Credential brute-force mechanism for default accounts

Implementation of AjaxTelemetry class in order to retrieve information on the scanned GLPI
GLPIScan now have a README.md :)

GLPIScan.py

@@ -10,13 +10,14 @@
 print(chalk.white("\\ \\ \\__ \\  \\ \\ \\____  \\ \\  __/ \\ \\ \\  \\ \\___  \\  \\ \\ \\____  \\ \\  __ \\  \\ \\ \\-.  \\ ", bold=True))
 print(chalk.white(" \\ \\_____\\  \\ \\_____\\  \\ \\_\\    \\ \\_\\  \\/\\_____\\  \\ \\_____\\  \\ \\_\\ \\_\\  \\ \\_\\\"\\_\\", bold=True))
 print(chalk.white("  \\/_____/   \\/_____/   \\/_/     \\/_/   \\/_____/   \\/_____/   \\/_/\\/_/   \\/_/ \\/_/", bold=True))
-print(chalk.white("                                                      v1.0 contact[@]digitemis.com\n\n\n", bold=True))
+print(chalk.white("                                                      v1.1 contact[@]digitemis.com\n\n\n", bold=True))
 
 def parsing():
 	parser = argparse.ArgumentParser(description='GLPI Vulnerability Scanner.')
 	parser.add_argument('-u', dest='url', metavar="url", required=True, help='URL of GLPI application')
 	parser.add_argument('-a', dest='allcheck', action='store_true', default=False, help='Perform allcheck')
 	parser.add_argument('-c', dest='credscheck', action='store_true', default=False, help='Perform Credential Check')
+	parser.add_argument('-C', dest='credsfile', action='store_true', default=False, help='Perform Credential Check with specific wordlist (user:password)')
 	parser.add_argument('-f', dest='filescheck', action='store_true', default=False, help='Perform Files Check')
 	parser.add_argument('-p', dest='pluginscheck', action='store_true', default=False, help='Perform Plugin Check')
 	parser.add_argument('-d', dest='debug', action='store_true', default=False, help='Debug mode')
@@ -26,6 +27,7 @@ def parsing():
 	Config.BASE_URL = args.url
 	Config.ALLCHECK = args.allcheck
 	Config.CREDSCHECK = args.credscheck
+	Config.CREDSFILE = args.credsfile
 	Config.FILESCHECK = args.filescheck
 	Config.PLUGINSCHECK = args.pluginscheck
 

README.md

@@ -1,2 +1,67 @@
 # GLPIScan
+
 GLPIScan is a vulnerability scanner for GLPI.
+
+## Prerequisites
+
+* pychalk >= 2.0.1 - Recommended: latest 
+* requests >= 2.18.4 - Recommended: latest 
+* urllib3 >= 1.22 - Recommended: latest 
+* packaging >= 19.0 - Recommended: latest 
+
+## Installation
+
+In order to install GLPIScan, you only need to clone the repository, and install the python dependencies using the requirements.txt
+
+
+```bash
+$ pip install -r requirements.txt
+```
+
+## Usage
+
+List of options :
+
+```
+usage: GLPIScan.py [-h] -u url [-a] [-c] [-f] [-p] [-d]
+
+GLPI Vulnerability Scanner.
+
+optional arguments:
+  -h, --help  show this help message and exit
+  -u url      URL of GLPI application
+  -a          Perform allcheck
+  -c          Perform Credential Check
+  -f          Perform Files Check
+  -p          Perform Plugin Check
+  -d          Debug mode
+```
+
+Most common usage :
+
+```bash
+$ python GLPIScan.py -u http://glpi/ -a
+```
+
+## Further configuration
+
+The inc/Config.py file contain addiditional parameters.
+
+The parameter "PROXY" allow you to configure a proxy :
+```python
+PROXY = {"http"  : "http://127.0.0.1:8080", "https" : "https://127.0.0.1:8080"}
+```
+
+The parameter "HEADER" allow you yo add custom header to each request
+```python
+HEADERS = {"X-FORWARDED-FOR" : "127.0.0.1"}
+```
+The parameter "VERSION" allow you force the version of the scanned GLPI (if you already know the version) :
+```python
+VERSION = "9.4.0" # for GLPI version 9.4.0
+```
+
+## Authors
+
+* **David CARNOT** - [Digitemis](https://www.digitemis.com/)
+* **Erwan R.** - [Digitemis](https://www.digitemis.com/)

inc/AjaxTelemetry.py

@@ -0,0 +1,23 @@
+#!/usr/bin/python
+
+import Config
+
+import chalk
+
+class AjaxTelemetry:
+
+	def getPluginVersion(self, info, name):
+		try:
+			for plugin in Config.AJAX_TELEMETRY['glpi']['plugins']:
+				if plugin['key'] == name:
+					print(chalk.white('\t[+] Version of [', bold=True) + chalk.yellow(info[1], bold=True) + chalk.white('] : [', bold=True) + chalk.yellow(plugin['version'], bold=True) + chalk.white(']', bold=True))
+					return plugin['version']
+		except:
+			return False
+
+	def getGLPIVersion(self):
+		try:
+			Config.VERSION = Config.AJAX_TELEMETRY['glpi']['version']
+			return True
+		except:
+			return False

inc/Config.py

@@ -13,6 +13,9 @@
 # Version of the scanned GLPI
 VERSION = ""
 
+# Default value of JSON Telemetry page
+AJAX_TELEMETRY = {}
+
 # By default do not perfom all checks on GLPI
 ALLCHECK = False
 
@@ -25,6 +28,12 @@
 # By default do not perfom plugins checks on GLPI
 PLUGINSCHECK = False
 
+# Proxy configuration
+PROXY = {"http"  : "", "https" : ""}
+
+# Custom header configuration {"header" : "value"}
+HEADERS = {}
+
 COOKIE = ""
 
 FILES = ['/ajax/telemetry.php',
@@ -45,54 +54,54 @@
 		 ['normal', 'normal']]
 
 # ['URL_VERIFY', 'PLUGIN_NAME', 'PLUGIN_URL', 'PLUGIN_CLASS']
-PLUGINS = [['/plugins/addressing/LICENSE', 'IP Report', 'https://plugins.glpi-project.org/#/plugin/addressing', False],
+PLUGINS = [['/plugins/addressing/LICENSE', 'IP Report', 'https://plugins.glpi-project.org/#/plugin/addressing', 'PluginAddressing'],
 		   ['/plugins/fusioninventory/js/footer.js', 'FusionInventory', 'https://plugins.glpi-project.org/#/plugin/fusioninventory', 'PluginFusionInventory'],
 		   ['/plugins/dashboard/changelog.txt', 'Dashboard', 'https://plugins.glpi-project.org/#/plugin/dashboard', 'PluginDashboard'],
 		   ['/plugins/datainjection/datainjection.xml', 'Data Injection', 'https://plugins.glpi-project.org/#/plugin/datainjection', 'PluginDataInjection'],
 		   ['/plugins/fields/plugin.xml', 'Fields', 'https://plugins.glpi-project.org/#/plugin/field', 'PluginFields'],
 		   ['/plugins/formcreator/package.json', 'FormCreator', 'https://plugins.glpi-project.org/#/plugin/formcreator', 'PluginFormCreator'],
 		   ['/plugins/genericobject/genericobject.xml', 'Generic Objects Management', 'https://plugins.glpi-project.org/#/plugin/genericobject', 'PluginGenericObjectsManagement'],
 		   ['/plugins/mreporting/mreporting.xml', 'More Reporting', 'https://plugins.glpi-project.org/#/plugin/mreporting', 'PluginMoreReporting'],
-		   ['/plugins/ocsinventoryng/docs/CHANGELOG.txt', 'OCS Inventory NG', 'https://plugins.glpi-project.org/#/plugin/ocsinventoryng', False],
-		   ['/plugins/reports/LICENSE', 'Reports', 'https://plugins.glpi-project.org/#/plugin/reports', False],
+		   ['/plugins/ocsinventoryng/docs/CHANGELOG.txt', 'OCS Inventory NG', 'https://plugins.glpi-project.org/#/plugin/ocsinventoryng', 'PluginOCSInventoryng'],
+		   ['/plugins/reports/LICENSE', 'Reports', 'https://plugins.glpi-project.org/#/plugin/reports', 'PluginReports'],
 		   ['/plugins/pdf/LICENSE', 'PDF', 'https://plugins.glpi-project.org/#/plugin/pdf', False],
-		   ['/plugins/archires/LICENSE', 'Network Architecture', 'https://plugins.glpi-project.org/#/plugin/archires', False],
+		   ['/plugins/archires/LICENSE', 'Network Architecture', 'https://plugins.glpi-project.org/#/plugin/archires', 'PluginArchires'],
 		   ['/plugins/room/room.xml', 'Room Management', 'https://plugins.glpi-project.org/#/plugin/room', 'PluginRoom'],
 		   ['/plugins/racks/locales/glpi.pot', 'Racks / Bays Management', 'https://plugins.glpi-project.org/#/plugin/racks', 'PluginRacks'],
 		   ['/plugins/manageentities/LICENSE', 'Entities Management', 'https://plugins.glpi-project.org/#/plugin/manageentities', False],
 		   ['/plugins/accounts/LICENSE', 'Accounts Inventory', 'https://plugins.glpi-project.org/#/plugin/accounts', False],
-		   ['/plugins/appliances/LICENSE', 'Appliances Inventory', 'https://plugins.glpi-project.org/#/plugin/appliances', False],
+		   ['/plugins/appliances/LICENSE', 'Appliances Inventory', 'https://plugins.glpi-project.org/#/plugin/appliances', 'PluginAppliances'],
 		   ['/plugins/badges/locales/glpi.pot', 'Badges Inventory', 'https://plugins.glpi-project.org/#/plugin/badges', 'PluginBadgesInventory'],
 		   ['/plugins/certificates/LICENSE', 'Certificates Inventory', 'https://plugins.glpi-project.org/#/plugin/certificates', False],
-		   ['/plugins/databases/LICENSE', 'Databases Inventory', 'https://plugins.glpi-project.org/#/plugin/databases', False],
+		   ['/plugins/databases/LICENSE', 'Databases Inventory', 'https://plugins.glpi-project.org/#/plugin/databases', 'PluginDatabases'],
 		   ['/plugins/domains/locales/glpi.pot', 'Domains Inventory', 'https://plugins.glpi-project.org/#/plugin/domains', 'PluginDomainsInventory'],
 		   ['/plugins/financialreports/LICENSE', 'Financial Reports', 'https://plugins.glpi-project.org/#/plugin/financialreports', False],
 		   ['/plugins/environment/LICENSE', 'Meta-Plugin Environment', 'https://plugins.glpi-project.org/#/plugin/environment', False],
 		   ['/plugins/shellcommands/locales/glpi.pot', 'Launch Shell Commands', 'https://plugins.glpi-project.org/#/plugin/shellcommands', 'PluginLaunchShellCommands'],
-		   ['/plugins/webapplications/LICENSE', 'Web Applications Inventory', 'https://plugins.glpi-project.org/#/plugin/webapplications', False],
+		   ['/plugins/webapplications/LICENSE', 'Web Applications Inventory', 'https://plugins.glpi-project.org/#/plugin/webapplications', 'PluginWebApplications'],
 		   ['/plugins/order/plugin.xml', 'Order Management', 'https://plugins.glpi-project.org/#/plugin/order', 'PluginOrderManagement'],
 		   ['/plugins/uninstall/uninstall.xml', 'Uninstall', 'https://plugins.glpi-project.org/#/plugin/uninstall', 'PluginUninstall'],
 		   ['/plugins/geninventorynumber/plugin.xml', 'Inventory Number Generation', 'https://plugins.glpi-project.org/#/plugin/geninventorynumber', 'PluginInventoryNumberGeneration'],
-		   ['/plugins/behaviors/LICENSE', 'Behaviors', 'https://plugins.glpi-project.org/#/plugin/behaviors', False],
+		   ['/plugins/behaviors/LICENSE', 'Behaviors', 'https://plugins.glpi-project.org/#/plugin/behaviors', 'PluginBehaviors'],
 		   ['/plugins/barcode/barcode.xml', 'Barcode', 'https://plugins.glpi-project.org/#/plugin/barcode', 'PluginBarcode'],
 		   ['/plugins/positions/locales/glpi.pot', 'Cartography', 'https://plugins.glpi-project.org/#/plugin/positions', 'PluginCartography'],
 		   ['/plugins/typology/locales/glpi.pot', 'Typology', 'https://plugins.glpi-project.org/#/plugin/typology', 'PluginTypology'],
 		   ['/plugins/mask/mask.xml', 'Mask', 'https://plugins.glpi-project.org/#/plugin/mask', 'PluginMask'],
-		   ['/plugins/surveyticket/LICENSE', 'SurveyTicket', 'https://plugins.glpi-project.org/#/plugin/surveyticket', False],
+		   ['/plugins/surveyticket/LICENSE', 'SurveyTicket', 'https://plugins.glpi-project.org/#/plugin/surveyticket', 'PluginSurveyTicket'],
 		   ['/plugins/mantis/mantis.xml', 'MantisBT synchronization', 'https://plugins.glpi-project.org/#/plugin/mantis', 'PluginMantis'],
-		   ['/plugins/reservation/LICENCE', 'Reservation', 'https://plugins.glpi-project.org/#/plugin/reservation', False],
+		   ['/plugins/reservation/LICENCE', 'Reservation', 'https://plugins.glpi-project.org/#/plugin/reservation', 'PluginReservation'],
 		   ['/plugins/timezones/timezones.xml', 'Timezones', 'https://plugins.glpi-project.org/#/plugin/timezones', 'PluginTimezones'],
 		   ['/plugins/sccm/sccm.xml', 'SCCM', 'https://plugins.glpi-project.org/#/plugin/sccm', 'PluginSCCM'],
 		   ['/plugins/tag/plugin.xml', 'Tag', 'https://plugins.glpi-project.org/#/plugin/tag', 'PluginTag'],
 		   ['/plugins/news/plugin.xml', 'News', 'https://plugins.glpi-project.org/#/plugin/news', 'PluginNews'],
 		   ['/plugins/purgelogs/plugin.xml', 'Historical purge', 'https://plugins.glpi-project.org/#/plugin/purgelogs', 'PluginHistoricalPurge'],
 		   ['/plugins/escalade/escalade.xml', 'Escalade', 'https://plugins.glpi-project.org/#/plugin/escalade', 'PluginEscalade'],
-		   ['/plugins/moreticket/LICENSE', 'Moreticket', 'https://plugins.glpi-project.org/#/plugin/moreticket', False],
+		   ['/plugins/moreticket/LICENSE', 'Moreticket', 'https://plugins.glpi-project.org/#/plugin/moreticket', 'PluginMoreTicket'],
 		   ['/plugins/itilcategorygroups/itilcategorygroups.xm	l', 'ItilCategory Groups', 'https://plugins.glpi-project.org/#/plugin/itilcategorygroups', 'PluginItilCategoryGroups'],
-		   ['/plugins/consumables/LICENSE', 'Consumables', 'https://plugins.glpi-project.org/#/plugin/consumables', False],
-		   ['/plugins/printercounters/LICENSE', 'PrinterCounters', 'https://plugins.glpi-project.org/#/plugin/printercounters', False],
+		   ['/plugins/consumables/LICENSE', 'Consumables', 'https://plugins.glpi-project.org/#/plugin/consumables', 'PluginConsumables'],
+		   ['/plugins/printercounters/LICENSE', 'PrinterCounters', 'https://plugins.glpi-project.org/#/plugin/printercounters', 'PluginPrinterCounters'],
 		   ['/plugins/processmaker/processmaker.xml', 'Processmaker', 'https://plugins.glpi-project.org/#/plugin/processmaker', 'PluginProcessmaker'],
-		   ['/plugins/seasonality/README.md', 'Seasonality', 'https://plugins.glpi-project.org/#/plugin/seasonality', False],
+		   ['/plugins/seasonality/README.md', 'Seasonality', 'https://plugins.glpi-project.org/#/plugin/seasonality', 'PluginSeasonality'],
 		   ['/plugins/tasklists/locales/glpi.pot', 'Tasks List (Kanban)', 'https://plugins.glpi-project.org/#/plugin/tasklists', 'PluginTasksList'],
 		   ['/plugins/mailanalyzer/mailanalyzer.xml', 'Mail Analyzer', 'https://plugins.glpi-project.org/#/plugin/mailanalyzer', 'PluginMailAnalyzer'],
 		   ['/plugins/mydashboard/locales/glpi.pot', 'My Dashboard', 'https://plugins.glpi-project.org/#/plugin/mydashboard', 'PluginMyDashboard'],
@@ -108,18 +117,19 @@
 		   ['/plugins/glpi2mdt/glpi2mdt.xml', 'GLPI to MDT connector', 'https://plugins.glpi-project.org/#/plugin/glpi2mdt', 'PluginMDTConnector'],
 		   ['/plugins/telegrambot/telegrambot.xml', 'TelegramBot', 'https://plugins.glpi-project.org/#/plugin/telegrambot', 'PluginTelegramBot'],
 		   ['/plugins/cleanarchivedemails/cleanarchivedemails.xml', 'Clean Archived Emails', 'https://plugins.glpi-project.org/#/plugin/cleanarchivedemails', 'PluginCleanArchivedEmails'],
-		   ['/plugins/officeonline/js/officeonline.js', 'Office Online', 'https://plugins.glpi-project.org/#/plugin/officeonline', False],
-		   ['/plugins/satisfaction/satisfaction.js', 'More satisfaction', 'https://plugins.glpi-project.org/#/plugin/satisfaction', False],
-		   ['/plugins/gdrive/README.md', 'GDrive', 'https://plugins.glpi-project.org/#/plugin/GDrive', False],
+		   ['/plugins/officeonline/js/officeonline.js', 'Office Online', 'https://plugins.glpi-project.org/#/plugin/officeonline', 'PluginOfficeOnline'],
+		   ['/plugins/satisfaction/satisfaction.js', 'More satisfaction', 'https://plugins.glpi-project.org/#/plugin/satisfaction', 'PluginMoreSatisfaction'],
+		   ['/plugins/gdrive/README.md', 'GDrive', 'https://plugins.glpi-project.org/#/plugin/GDrive', 'PluginGDrive'],
 		   ['/plugins/archisw/archisw.xml', 'Apps structure inventory', 'https://plugins.glpi-project.org/#/plugin/archisw', 'PluginAppsStructureInventory'],
 		   ['/plugins/dataflows/dataflows.xml', 'Dataflows inventory', 'https://plugins.glpi-project.org/#/plugin/dataflows', 'PluginDataflowsInventory'],
 		   ['/plugins/statecheck/statecheck.xml', 'Statecheck', 'https://plugins.glpi-project.org/#/plugin/statecheck', 'PluginStatecheck'],
 		   ['/plugins/archimap/archimap.xml', 'Diagrams', 'https://plugins.glpi-project.org/#/plugin/archimap', 'PluginDiagrams'],
 		   ['/plugins/metabase/metabase.xml', 'Metabase', 'https://plugins.glpi-project.org/#/plugin/metabase', 'PluginMetabase'],
 		   ['/plugins/orderservice/orderservice.xml', 'Order Service', 'https://plugins.glpi-project.org/#/plugin/orderservice', 'PluginOrderService'],
 		   ['/plugins/glpicheckingversion/glpicheckingversion.xml', 'GLPI Checking Version', 'https://plugins.glpi-project.org/#/plugin/glpicheckingversion', 'PluginGLPICheckingVersion'],
-		   ['/plugins/taskdrop/LICENSE', 'Task n Drop', 'https://plugins.glpi-project.org/#/plugin/TaskDrop', False],
+		   ['/plugins/taskdrop/LICENSE', 'Task n Drop', 'https://plugins.glpi-project.org/#/plugin/TaskDrop', 'PluginTaskDrop'],
 		   ['/plugins/impacts/impacts.xml', 'Impacts', 'https://plugins.glpi-project.org/#/plugin/impacts', 'PluginImpacts'],
+		   ['/plugins/manufacturersimports/LICENSE', 'Manufacturers Web Imports', 'https://plugins.glpi-project.org/#/plugin/manufacturersimports', 'PluginManufacturersImports'],
 		   ]
 
 # ['VENDOR', ['OPERANDE', 'VERSION'], 'DESC' ,'LINK', 'CVE']
@@ -148,6 +158,10 @@
 	   ['GLPI', [['<', '9.1.5.1']], 'SQL injection in front/rulesengine.test.php' ,'https://github.com/glpi-project/glpi/issues/2476', 'CVE-2017-11475'],
 	   ['GLPI', [['<=', '9.2.1']], 'Remote code execution' ,'https://github.com/bowline90/RemoteCodeUploadGLPI', 'CVE-2018-7562'],
 	   ['GLPI', [['<=', '9.3.3']], 'Pre-authenticated SQL injection' ,'https://www.synacktiv.com/ressources/advisories/GLPI_9.3.3_SQL_Injection.pdf', 'CVE-2019-10232'],
-	   ['GLPI', [['<=', '9.4.1.1']], 'Type juggling authentication bypass', 'https://www.synacktiv.com/ressources/GLPI_9.4.0_Type_juggling_auth_bypass.pdf', 'CVE-2019-10231'],
-	   ['GLPI', [['<=', '9.4.1.1']], 'Timing attack user enumeration', 'https://www.synacktiv.com/ressources/GLPI_9.4.0_Timing_attack_user_enumeration.pdf', 'CVE-2019-10233'],
-	   ['FusionInventory', [['<=', '9.4.0']], 'Arbitrary PHP function call', 'https://www.synacktiv.com/ressources/GLPI_FusionInventory_9.4.0_Arbitrary_call_user_func_array.pdf', 'CVE-2019-10477']]
+	   ['GLPI', [['>=', '9.3'], ['<', ' 9.3.4']], 'Type juggling authentication bypass', 'https://www.synacktiv.com/ressources/GLPI_9.4.0_Type_juggling_auth_bypass.pdf', 'CVE-2019-10231'],
+	   ['GLPI', [['>=', '9.4'], ['<', ' 9.4.1.1']], 'Type juggling authentication bypass', 'https://www.synacktiv.com/ressources/GLPI_9.4.0_Type_juggling_auth_bypass.pdf', 'CVE-2019-10231'],
+	   ['GLPI', [['>=', '9.3'], ['<', ' 9.3.4']], 'Timing attack user enumeration', 'https://www.synacktiv.com/ressources/GLPI_9.4.0_Timing_attack_user_enumeration.pdf', 'CVE-2019-10233'],
+	   ['GLPI', [['>=', '9.4'], ['<', ' 9.4.1.1']], 'Timing attack user enumeration', 'https://www.synacktiv.com/ressources/GLPI_9.4.0_Timing_attack_user_enumeration.pdf', 'CVE-2019-10233'],
+	   ['FusionInventory', [['>=', '9.3'], ['<', ' 9.3+1.4']], 'Arbitrary PHP function call', 'https://www.synacktiv.com/ressources/GLPI_FusionInventory_9.4.0_Arbitrary_call_user_func_array.pdf', 'CVE-2019-10477'],
+	   ['FusionInventory', [['>=', '9.4'], ['<', ' 9.4+1.1']], 'Arbitrary PHP function call', 'https://www.synacktiv.com/ressources/GLPI_FusionInventory_9.4.0_Arbitrary_call_user_func_array.pdf', 'CVE-2019-10477'],
+	   ]