User Discovery (86165c)

Requirements

  • None

Description

osTicket versions < 1.14.8 and 1.15.x < 1.15.4 are vulnerable to user discovery because submitting a username or email to pwreset.php reveals whether that username or email exists. This allows anyone to brute force usernames or emails based on the response. This script automates the process: all it takes is the domain of the osTicket instance and a text file of possible usernames/emails to test. By default, it prints only the usernames/emails that are discovered. Adding the -v flag also prints the usernames/emails that are not discovered.

There are two PoCs because regular users and agents/admins have separate login portals. ostUserDiscovery.py will brute force usernames/emails for regular users, while ostAgentDiscovery.py will brute force usernames/emails for agents/admins.

The usage for ostUserDiscovery.py is:

usage: ostUserDiscovery.py [-h] -d DOMAIN -f FILE [-v]

options:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        osTicket domain, example - https://os.ticket.com
  -f FILE, --file FILE  Line-separated text file of usernames or emails to test
  -v, --verbose         Print out the results of each username/email

Example usage:

python3 ostUserDiscovery.py -d https://my.domain.com -f ~/usernames.txt

The usage for ostAgentDiscovery.py is:

usage: ostAgentDiscovery.py [-h] -d DOMAIN -f FILE [-v]

options:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        osTicket domain, example - https://os.ticket.com
  -f FILE, --file FILE  Line-separated text file of usernames or emails to test
  -v, --verbose         Print out the results of each username/email

Example usage:

python3 ostAgentDiscovery.py -d https://my.domain.com -f ~/usernames.txt

Notes

  • If a valid username or email is submitted, osTicket will send a password reset email to the account holder. This may alert them that you are scanning for valid usernames.
  • No valid account is necessary.
  • Most regular users will not have a username, since they sign up with an email and have no option to add a username. Agents can assign users a username if they would like.
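
On the defending side, the brute forcing described above appears in the web server's access log as a burst of POST requests to pwreset.php from one client. The following is an added detection example, not part of this repository's PoCs; it assumes combined-format access logs, and the /scp/ prefix for the agent portal, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: Apache/nginx "combined" (client IP, [timestamp], "METHOD path ...").
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)

def find_enumeration(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: largest number of pwreset.php POSTs inside one sliding window}
    for every client that reaches `threshold`. Any path ending in /pwreset.php
    counts, so the user portal and the agent portal are both covered."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith("/pwreset.php"):
            continue
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        best = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop requests older than the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def sample_log():
    """Constructed sample: one client sending six resets in ten seconds, one normal user."""
    paths = ["/pwreset.php", "/scp/pwreset.php"]  # /scp/ is the assumed agent portal path
    burst = [
        f'203.0.113.7 - - [12/Mar/2024:10:00:{2 * i:02d} +0000] "POST {paths[i % 2]} HTTP/1.1" 200 5120'
        for i in range(6)
    ]
    normal = [
        '198.51.100.4 - - [12/Mar/2024:10:00:01 +0000] "GET /pwreset.php HTTP/1.1" 200 4980',
        '198.51.100.4 - - [12/Mar/2024:10:00:09 +0000] "POST /pwreset.php HTTP/1.1" 200 5120',
    ]
    return burst + normal

if __name__ == "__main__":
    for ip, count in find_enumeration(sample_log()).items():
        print(f"{ip}: {count} password reset POSTs within one minute")
```

Because each valid hit also triggers a reset email, the same burst can be cross-checked against the outgoing mail log.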

Credits

This GitHub commit details the vulnerability, which was reported by user haxtron from huntr.dev.