This Metasploit module exploits several authenticated SQL Inject vulnerabilities in VICIdial 2.14b0.5 prior to svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable). Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts parameter. Injection point 2 is on vicidial/admin.php when adding a user, in the access_recordings parameter. Injection point 3 is on vicidial/admin.php when adding a user, in the agentcall_email parameter. Injection point 4 is on vicidial/AST_agent_time_sheet.php when adding a user, in the agent parameter. Injection point 5 is on vicidial/user_stats.php when adding a user, in the file_download parameter. VICIdial does not encrypt passwords by default.
ee13ad5d4ae7546320169435916f3c9bac21c75f6a3c00a761a80c9d13b3d3b5