TicketPlus – Arbitrary File Upload - 体验盒子

作者： Ihsan Sencan

日期： 2017-09-26

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/42796/

# # # # # 
# Exploit Title: TicketPlus - Support Ticket Management System - Arbitrary File Upload
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://teamworktec.com/
# Software Link: https://codecanyon.net/item/ticketplus-support-ticket-management-system/20221316
# Demo: http://sportsgrand.com/demo/ticket_plus/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# 
# The vulnerability allows an users upload arbitrary file....
# 
# Vulnerable Source:
# 
# public function updateProfile(Request $request) {
# $this->validate($request, [
# 'name' => 'required|max:32',
# 'username' => 'required|max:32|unique:users,username,'.Auth::id(),
# 'email' => 'email|max:40|unique:users,email,'.Auth::id()
# ]);
# 
# $user = User::find(Auth::id());
# $user->name = $request->name;
# $user->username = $request->username;
# $user->email = $request->email;
# if(!empty($request->file)){
# $request->file->move('uploads', $request->file->getClientOriginalName());
# $user->avatar = $request->file->getClientOriginalName();
# }
# $user->save();
# return redirect()->back()->withMessage('Profile updated successfully');
# }
# 	
# Proof of Concept: 
# 
# http://localhost/[PATH]/profile/settings
# http://localhost/[PATH]/uploads/[FILE]
# 
# Etc..
# # # # #