Unauthenticated SQL Injection in GLPI Inventory Endpoint

This repository is a proof-of-concept (PoC) exploit for CVE-2025-24799, targeting the GLPI IT asset management software. The exploit demonstrates an unauthenticated time-based blind SQL injection vulnerability, allowing an attacker to extract usernames and password hashes from the 'glpi_users' table. The main exploit logic is stored in an encrypted binary file ('main.bin'), which is decrypted at runtime by 'main.py' using a key from the '.key' file. The Python script requires the user to specify a target URL (e.g., http://target.com/index.php/ajax), which is likely the vulnerable endpoint. The repository includes a README with detailed usage instructions, requirements (requests, colorama, beautifulsoup4), and example output. The attack vector is network-based, exploiting a web endpoint without authentication. No hardcoded IPs or domains are present, but the exploit is fingerprintable by its use of the '/index.php/ajax' endpoint and its focus on the 'glpi_users' table. The code is operational as a PoC, with the actual exploit logic obfuscated in the encrypted payload.

This repository contains a Python exploit script (exploit.py) targeting CVE-2025-24799, an unauthenticated time-based blind SQL injection vulnerability in GLPI. The exploit works by sending specially crafted XML payloads via HTTP POST requests to a GLPI endpoint (e.g., /index.php/ajax). It leverages time delays (SLEEP) to infer database content, specifically extracting usernames and password hashes from the glpi_users table. The script is operational, automating the extraction process and providing clear output for each credential found. The repository includes a README with usage instructions, a requirements.txt for dependencies (requests, colorama), and a standard MIT license. No hardcoded endpoints are present; the user must supply the target URL. The exploit does not require authentication and is designed for remote, unauthenticated attacks against vulnerable GLPI instances.