Support Ticket System CMS Webshell Upload& XSS

2019.04.16
ru QUIXSS (RU) ru
Risk: High
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

The Support Ticket System CMS have no input or file filters, so you can upload any PHP file u want + use input fields for XSS. PoC: go to the demo website http://support.deadlockinfotech.com/login.php and press the «Sign in» button, then go to the settings page http://support.deadlockinfotech.com/settings.php. Here u can see many unfiltered input fields and one file upload field. Choose any PHP file (WebShell, uploader or something u want) and scroll down to «Submit» button. By default developer disabled this button, but u can submit this form via jQuery in Developers Console or just simply delete the «disabled» attribute from the <button> element (final result must be <button class="btn btn-bold btn-primary" name="update" type="submit">Update</button>), so this button will be enabled and u can now submit this form. After that check out your avatar on the upper right corner and «inspect» this element in Console (uploaded PHP file will be inside this directory http://support.deadlockinfotech.com/assets/img/avatar/ ). XSS is less interesting but still, u can put any code u want inside input fields and this code will work («Website name» field data will work on each page u can go to) - no WAF or filtering over here, do whatever u want.

References:

https://codecanyon.net/item/support-ticket-system/23051838/comments


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top