# # # # # # Exploit Title: TicketPlus - Support Ticket Management System - Arbitrary File Upload # Dork: N/A # Date: 26.09.2017 # Vendor Homepage: http://teamworktec.com/ # Software Link: https://codecanyon.net/item/ticketplus-support-ticket-management-system/20221316 # Demo: http://sportsgrand.com/demo/ticket_plus/ # Version: N/A # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # # The vulnerability allows an users upload arbitrary file.... # # Vulnerable Source: # # public function updateProfile(Request $request) { # $this->validate($request, [ # 'name' => 'required|max:32', # 'username' => 'required|max:32|unique:users,username,'.Auth::id(), # 'email' => 'email|max:40|unique:users,email,'.Auth::id() # ]); # # $user = User::find(Auth::id()); # $user->name = $request->name; # $user->username = $request->username; # $user->email = $request->email; # if(!empty($request->file)){ # $request->file->move('uploads', $request->file->getClientOriginalName()); # $user->avatar = $request->file->getClientOriginalName(); # } # $user->save(); # return redirect()->back()->withMessage('Profile updated successfully'); # } # # Proof of Concept: # # http://localhost/[PATH]/profile/settings # http://localhost/[PATH]/uploads/[FILE] # # Etc.. # # # # #