osTicket

osTicket is an open-source help desk and ticketing system used for managing customer support requests. It provides a web-based interface for handling tickets, automation workflows, and user management. osTicket supports email integration (tickets can be created and updated by mail), role-based access for staff, and custom fields for better ticket tracking. Two separate interfaces are exposed: a public client portal for submitting and tracking tickets, and the Staff Control Panel (scp/) for agents and administrators.

Tech Stack of osTicket

  • Backend: PHP (Uses MySQLi for database interaction)
  • Frontend: HTML, CSS, JavaScript (jQuery, Bootstrap)
  • Database: MySQL or MariaDB
  • Server: Apache, Nginx, or IIS (with PHP and MySQL support)

File Structure

/osticket-root
├── setup/               # Installation scripts (must be removed after setup; the installer warns about this)
├── include/             # Core PHP files and libraries
│   ├── class.ticket.php # Main ticket handling logic
│   ├── class.user.php   # User management functions
│   └── ost-config.php   # Database credentials and security settings (critical; keep strict file permissions)
├── scp/                 # Staff Control Panel (Admin and Agent dashboard, login at scp/login.php)
├── api/                 # API endpoints for external integrations (authenticated with an API key)
├── attach/              # File attachments uploaded via tickets
├── images/              # Image assets (logos, icons, etc.)
├── css/                 # Stylesheets for the osTicket UI
├── js/                  # JavaScript files (jQuery, custom scripts)
├── fonts/               # Font files used in the UI
├── locale/              # Language packs for multilingual support
├── plugins/             # Installed plugins to extend functionality
├── uploads/             # User uploads (must be secured against malicious files)
├── index.php            # Main entry point for the application (client portal)
├── portal/              # Client-side ticket submission and tracking interface
├── LICENSE.txt          # osTicket license information
└── README.txt           # Basic information about osTicket

The configuration file is generated by the installer as include/ost-config.php (from include/ost-sampleconfig.php); there is no config.php in the web root.

Enumeration

  • The Google dork "Helpdesk software - powered by osTicket" (the default footer text on the client portal) can help locate externally facing osTicket applications.
  • For a more targeted approach, refine the search with site:company.com to focus on a specific domain, and look for the staff login page at /scp/login.php and for a setup/ directory that was never removed.
  • The public portal accepts ticket submissions from anonymous users, and those tickets land directly in the support staff's queue, so the ticketing feature can be used to deliver a social engineering pretext to support staff. Replies from staff also reveal the support mailbox address and the ticket number format used by the instance.
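The following is an added example, not code from the original page or from the osTicket project. It fingerprints a captured set of HTTP responses for osTicket using the footer string from the dork above plus two defaults that I am assuming hold on the target (the OSTSESSID session cookie and the /css/osticket.css and /js/osticket.js asset paths), then flags the two enumeration findings discussed in this page: a reachable setup/ directory and an exposed staff login at /scp/login.php. The responses are constructed inline so it runs offline; the `fingerprint` and `assess` functions and their scoring are my own.

```python
"""Offline osTicket fingerprinting over captured HTTP responses (added example)."""
import re
from typing import Dict, List

# Indicators. The footer text is the same string the Google dork searches for.
# The cookie name and asset paths are osTicket defaults (assumption: unchanged
# on the target; a rebranded install may have altered the footer, so the
# cookie and assets act as independent signals).
FOOTER_RE = re.compile(r"powered by osTicket", re.IGNORECASE)
SESSION_COOKIE = "OSTSESSID"
ASSET_HINTS = ("/css/osticket.css", "/js/osticket.js")

# Paths worth checking once the app is identified (from the file structure above).
STAFF_LOGIN = "/scp/login.php"
SETUP_DIR = "/setup/"


def fingerprint(response: Dict) -> Dict:
    """Score one response (dict with 'status', 'headers', 'body') for osTicket indicators.

    Footer and session cookie weigh 2 each, asset paths 1 each; a score of 2 or
    more is treated as a positive identification.
    """
    evidence: List[str] = []
    score = 0
    headers = {k.lower(): v for k, v in response.get("headers", {}).items()}
    body = response.get("body", "")

    if FOOTER_RE.search(body):
        evidence.append("footer: 'powered by osTicket'")
        score += 2
    if SESSION_COOKIE in headers.get("set-cookie", ""):
        evidence.append(f"cookie: {SESSION_COOKIE}")
        score += 2
    for hint in ASSET_HINTS:
        if hint in body:
            evidence.append(f"asset: {hint}")
            score += 1

    return {"is_osticket": score >= 2, "score": score, "evidence": evidence}


def assess(site: Dict[str, Dict]) -> Dict:
    """Walk captured responses keyed by request path and report osTicket-specific findings."""
    fp = fingerprint(site.get("/", {}))
    findings = list(fp["evidence"])
    if not fp["is_osticket"]:
        return {"is_osticket": False, "findings": findings}

    setup = site.get(SETUP_DIR)
    if setup and setup.get("status") == 200:
        findings.append(f"{SETUP_DIR} still reachable (installer should be removed after setup)")
    scp = site.get(STAFF_LOGIN)
    if scp and scp.get("status") == 200:
        findings.append(f"staff control panel login exposed at {STAFF_LOGIN}")
    return {"is_osticket": True, "findings": findings}


# Constructed sample captures (not taken from any real host).
SAMPLE_OSTICKET = {
    "/": {
        "status": 200,
        "headers": {"Set-Cookie": "OSTSESSID=abc123; path=/; HttpOnly"},
        "body": '<link rel="stylesheet" href="/css/osticket.css">'
                '<div id="footer">Helpdesk software - powered by osTicket</div>',
    },
    "/setup/": {"status": 200, "headers": {}, "body": "osTicket Installer"},
    "/scp/login.php": {"status": 200, "headers": {}, "body": "Staff Login"},
}
SAMPLE_OTHER = {
    "/": {"status": 200, "headers": {"Set-Cookie": "PHPSESSID=x; path=/"}, "body": "<html>Welcome</html>"},
    "/setup/": {"status": 404, "headers": {}, "body": "Not Found"},
}

if __name__ == "__main__":
    for name, site in (("osticket-like", SAMPLE_OSTICKET), ("other", SAMPLE_OTHER)):
        print(name, assess(site))
```

In practice you would populate the `site` dictionary from real requests (for example with `requests`) and keep the same assessment logic; the point of separating capture from analysis is that the indicators can be tuned offline against saved responses.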

Exploitation

We can use SearchSploit to locate publicly known exploits for osTicket. Most published issues are version-specific, so match the results against the version identified during enumeration before trying anything, and check whether the instance has been patched.