Monday, 29 January 2018

Post-auth SQL injection in FreePBX

Last time I found a cool new CTF (you will find it at VulnHub) that I would like to play. This time it will be something related to a VoIP scenario... OK. I decided that it would be a good idea to take a break for a moment and check the 'latest' available ISO for FreePBX ;]

Because of some problems (VirtualBox and SNG7-PBX-64bit-1712-2) I tried the 'historical' version: 10.13.66-32bit. Below you will find results (related only to the SQL injection bug I found...

...because describing all of those XSS's is pointless).

TL;DR: ;]


(By the way, this one is cool too:

...)

Maybe I will find something else/more (as soon as I finally finish the updates for modus.py... ;)).

In case of any questions/comments - feel free to ping me.

Cheers

P.S.

Thanks to the CVE Team, the bug is now described as CVE-2018-6393.


P.S.2 - updated 31.01.2018:

It looks like the 64bit version (SNG7-PBX-64bit-1712-2) is also vulnerable:

TL;DR - FYI

Request:


Response:



Cheers


5 comments:

  1. Thanks for your findings.
    Does it need auth before doing the SQL injection?

    Replies
    1. @Salim: yes (both versions 32 and 64bit).

      btw thanks for watching ;)

  2. This comment has been removed by the author.
