poniedziałek, 29 stycznia 2018

Post-auth SQL injection in FreePBX

Last time I found new cool CTF (you will find it at VulnHub) I would like to play. This time it will be something related to some Voip-scenario... Ok. I decided that it will be a good idea to take break for a moment and check the 'latest' available ISO for FreePBX ;]

Because of some problems (VirtualBox and SNG7-PBX-64bit-1712-2) I tried the 'historical' version: 10.13.66-32bit. Below you will find results (related only to the SQL injection bug I found...

...because describing all of those XSS's is pointless).

TL;DR: ;]

(By the way, this one is cool too:


Maybe I will find something else/more (as soon as I will finaly finish the updates for modus.py... ;)).

In case of any questions/comments - feel free to ping me.



Thanks to CVE Team bug is now described as CVE-2018-6393.

P.S.2 - updated 31.01.2018:

It looks like the 64bit version (SNG7-PBX-64bit-1712-2) is also vulnerable:





4 komentarze:

  1. thanks for your findings
    does it need auth before doing the sql injection

    1. @Salim: yes (both versions 32 and 64bit).

      btw thanks for watching ;)

  2. Hello sir just would like to ask you about the way to inject it using sqlmap i have tried many times it did not work even i found the vurln useing theburp suite got the post from there
    Can you help plz
    Thak you in advace