GLPi IT Management
GLPi is a popular open-source IT management platform. It covers a variety of use cases, ranging from host management to ticketing.
- Official website (4.2k ⭐)
- Github (4.2k ⭐)
- MySQL/MariaDB and PHP
GLPi is commonly found in enterprises, often for a specific use case, even when they use another solution globally.
GLPi has often had critical vulnerabilities; refer to the release notes. Default credentials may not have been changed or disabled:
- glpi:glpi (Super Admin)
- post-only:post-only (Self-Service)
- tech:tech (Technician)
- normal:normal (Observer)
GLPi Pentester Notes ⚠️
GLPi Enumeration
When properly configured, only the /public/ route is exposed. Otherwise, you can navigate to /version/ to find the GLPI version.
Once logged in, you can also find the version in "about" or in the code.
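The "properly configured" layout described above, as an added example that is not part of the original notes or GLPI's own files: an Apache virtual host with the weak document root shown (commented out) beside the corrected one. The server name and the /var/www/glpi install path are assumptions; mod_rewrite must be enabled.

```apache
# WEAK (kept commented out): the document root is the GLPI install
# directory itself, so directories that sit beside public/, such as
# version/, are served directly and disclose the installed release.
#
# <VirtualHost *:80>
#     ServerName glpi.example.internal        # hypothetical host name
#     DocumentRoot /var/www/glpi              # assumed install path
#     <Directory /var/www/glpi>
#         Require all granted
#     </Directory>
# </VirtualHost>

# CORRECTED: only public/ is reachable over HTTP. Everything else in
# the install directory stays outside the web root.
<VirtualHost *:80>
    ServerName glpi.example.internal          # hypothetical host name
    DocumentRoot /var/www/glpi/public         # assumed install path

    <Directory /var/www/glpi/public>
        Require all granted

        RewriteEngine On
        # Send every request that is not an existing file under public/
        # to the front controller, so /version/ is no longer a browsable
        # directory.
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php [QSA,L]
    </Directory>
</VirtualHost>
```

After switching the document root, requesting /version/ from an unauthenticated session is a quick regression check: it should no longer list a file named after the release.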
GLPi Foothold
Try default accounts/credentials.
GLPi Exploitation
This article tackles a few CVEs in GLPI < 10.0.16 to get RCE.