a32e028b88
17 changes to exploits/shellcodes VxWorks 6.8 - TCP Urgent Pointer = 0 Integer Underflow Linux - Use-After-Free Reads in show_numa_stats() WebKit - UXSS via XSLT and Nested Document Replacements Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit) ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit) ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit) Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit) BSI Advance Hotel Booking System 2.0 - 'booking_details.php Persistent Cross-Site Scripting Cisco Adaptive Security Appliance - Path Traversal (Metasploit) UNA 10.0.0 RC1 - 'polyglot.php' Persistent Cross-Site Scripting Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticketreply.php' SQL Injection Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticket.php' Arbitrary File Deletion osTicket 1.12 - Persistent Cross-Site Scripting via File Upload osTicket 1.12 - Formula Injection osTicket 1.12 - Persistent Cross-Site Scripting Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes) Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes) Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes) Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes) Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes)
42 lines
No EOL
1.7 KiB
Text
42 lines
No EOL
1.7 KiB
Text
# Exploit Title: osTicket-v1.12 Stored XSS
|
|
# Vendor Homepage: https://osticket.com/
|
|
# Software Link: https://osticket.com/download/
|
|
# Exploit Author: Aishwarya Iyer
|
|
# Contact: https://twitter.com/aish_9524
|
|
# Website: https://about.me/aish_iyer
|
|
# Category: webapps
|
|
# CVE: CVE-2019-14750
|
|
|
|
1. Description
|
|
|
|
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1.
|
|
Stored XSS exists in setup/install.php. It was observed that no input
|
|
sanitization was provided in the firstname and lastname fields of the
|
|
application. The insertion of malicious queries in those fields leads to
|
|
the execution of those queries. This can further lead to cookie stealing or
|
|
other malicious actions.
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14750
|
|
|
|
2. Proof of Concept
|
|
|
|
Steps to Reproduce:
|
|
- While setting up the osTicket application in the setup/install.php page
|
|
insert the XSS payload into the first name and last name field.
|
|
- After filling in all the other details and clicking on 'continue', it is
|
|
observed that there is no validation for the first name and last name field
|
|
and the malicious payload is stored and a new agent is created.
|
|
- Login as that agent and navigate to "agents" tab where we will find the
|
|
inserted payload in the firstname and Lastname field.
|
|
- Click on the firstname value and see the payload gets executed
|
|
|
|
3. Reference
|
|
|
|
https://github.com/osTicket/osTicket/commit/c3ba5b78261e07a883ad8fac28c214486c854e12
|
|
https://github.com/osTicket/osTicket/releases/tag/v1.12.1
|
|
https://github.com/osTicket/osTicket/releases/tag/v1.10.7
|
|
|
|
4. Solution
|
|
|
|
The vulnerability has been patched by the vendor in the next release which
|
|
is osTicket v1.10.7. |