Trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php.
- Credits to: https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/
- Credits to: Sachin Wagh (author of the advisory linked above; Twitter: @tiger_tigerboy)
- Vendor Homepage: https://sourceforge.net/projects/asteriskathome/
- Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download
- Version: 2.8.0.4
- Tested on: Xubuntu 20.04
- Usage: python3 exploit.py [target_IP] [target_port] [listen_IP] [listen_port]
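
Detection check for the issue described above, as an added example that is not part of the original exploit code or the linked advisory: it scans web access log lines for requests to /maint/modules/home/index.php whose decoded lang value falls outside a plain-word allowlist. The combined log format, the allowlist pattern, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

VULN_PATH = "/maint/modules/home/index.php"  # endpoint named in the advisory
PARAM = "lang"                               # parameter named in the advisory
# Assumption: legitimate language names are short plain words, e.g. "english".
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Assumption: combined-format access log; client address first, request quoted.
ENTRY = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>[^"]+?) HTTP/[0-9.]+"')


def suspicious_lang(target):
    """Return the decoded lang value if it is outside the allowlist, else None."""
    url = urlsplit(target)
    if unquote(url.path) != VULN_PATH:
        return None
    for pair in url.query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote_plus(name) != PARAM:
            continue
        value = unquote_plus(raw)  # decode first so %3B, %7C, %60 show as ; | `
        if not SAFE_VALUE.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (client, decoded_value) for every log line that should be reviewed."""
    hits = []
    for line in lines:
        m = ENTRY.match(line)
        if not m:
            continue
        value = suspicious_lang(m.group("target"))
        if value is not None:
            hits.append((m.group("client"), value))
    return hits


# Constructed sample entries (documentation addresses, harmless "id" marker).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Feb/2018:10:00:01 +0000] "GET /maint/modules/home/index.php?lang=english HTTP/1.1" 200 5120',
    '192.0.2.44 - - [11/Feb/2018:10:00:07 +0000] "GET /maint/modules/home/index.php?lang=english%7Cid HTTP/1.1" 200 5120',
    '192.0.2.44 - - [11/Feb/2018:10:00:09 +0000] "GET /maint/index.php?lang=english%3Bid HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"review: {client} sent lang={value!r} to {VULN_PATH}")
```

Access logs record only the query string, so a lang value carried in a request body needs the same allowlist applied at a reverse proxy or WAF.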
