TicketPlus - Arbitrary File Upload

2017-09-27
ID: 94279
CVE: None
Download vulnerable application: None
# # # # # 
# Exploit Title: TicketPlus - Support Ticket Management System - Arbitrary File Upload
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://teamworktec.com/
# Software Link: https://codecanyon.net/item/ticketplus-support-ticket-management-system/20221316
# Demo: http://sportsgrand.com/demo/ticket_plus/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# 
# The vulnerability allows an users upload arbitrary file....
# 
# Vulnerable Source:
# 
#     public function updateProfile(Request $request) {
#         $this->validate($request, [
#             'name' => 'required|max:32',
#             'username' => 'required|max:32|unique:users,username,'.Auth::id(),
#             'email' => 'email|max:40|unique:users,email,'.Auth::id()
#         ]);
# 
#         $user = User::find(Auth::id());
#         $user->name = $request->name;
#         $user->username = $request->username;
#         $user->email = $request->email;
#         if(!empty($request->file)){
#             $request->file->move('uploads', $request->file->getClientOriginalName());
#             $user->avatar = $request->file->getClientOriginalName();
#         }
#         $user->save();
#         return redirect()->back()->withMessage('Profile updated successfully');
#     }
# 	
# Proof of Concept: 
# 
# http://localhost/[PATH]/profile/settings
# http://localhost/[PATH]/uploads/[FILE]
# 
# Etc..
# # # # #
1-4-2 (www01)