metasploit-framework
VICIdial Multiple SQLi (CVE-2022-34876, CVE-2022-34877, CVE-2022-34878)
This PR adds a module which exploits several authenticated sqli in VICIdial. Of note, two of the modules require a permissions change (vicibox sets admin permissions to near nothing, other than the ability to change permissions).
Verification
- [ ] Install vicibox (which includes vicidial and the OS) per the markdown instructions
- [ ] Start `msfconsole`
- [ ] `use auxiliary/scanner/http/vicidial_multiple_sqli`
- [ ] `set rhosts` and `password`
- [ ] `run`
- [ ] Verify you get cleartext creds
- [ ] Document looks good
Drafted because this is a placeholder and not ready for review.
Setting up this software was... an exercise in frustration. I know I kept step-by-step notes and module docs, but I can't seem to find them. I'm going to take a little time to find them again before making this ready for review.
Maybe this will help:
https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.md
Also, GOautodial and VICIbox are available as an ISO and come with VICIdial installed by default. This makes testing much easier. Also, it would be worth testing the module on VICIbox and GOautodial anyway, as this is probably one of the most common methods of VICIdial deployment [citation needed].
Hey @h00die, thanks for the contribution. Just wondering if you have any update on this? No worries if not. I might spin up one of the ISOs bcoles mentioned and give it a test if you think it's almost ready.
I don't, been busy with life and prioritizing the VMware post module work over my own module stuff. If you want to try, go for it! If not, it's ok to sit here another week or two so I can get VMware buttoned up and then write this up.
Thanks for mentioning this bcoles. @h00die for transparency I installed and set up GOautodial and the module as it's written is unable to authenticate with the application. The login URIs and authentication requirements are a bit different.
Edit: Not sure if you'll want to investigate this further. If you do, when installing GOautodial this link is useful. If not, outlining what this module has been tested on and what it is intended to work on might be sufficient.
Not surprising about GOautodial using a different URL structure. My schedule is freeing up, hoping to restart this and get it finished soon.
I used ViciBox_v10.x86_64-10.0.0.iso, not 9, so that may account for some of the modules not working, as new features may have been added. When I work on the doc, I'll do 9 and 10 at the same time.
I think I remember vicidial being a pain because I was testing each page and API endpoint. The exploitable ones in here actually required little to nothing to set up and exploit.
Tested against 9.0.3 and 10.0.0, added docs, ready for real review! Also did a rebase.
ping @jheysel-r7 just wanted to check if you'd have time to get back around to this one
Addressed the comments, retested on my side, should be good to ship!
Release Notes
This PR adds a module which exploits several authenticated SQLi in VICIdial (CVE-2022-34876, CVE-2022-34877, CVE-2022-34878).