| عنوان | Aster Telecom Azcall 2014 - 2026 SQL Injection |
|---|
| الوصف | A critical SQL Injection (SQLi) vulnerability was identified in the Aster Telecom Azcall system (versions 10 and 11). The flaw exists in the /azcall/adm/gestao_loja/sis.php endpoint due to improper sanitization of user-supplied input in HTTP POST requests. This allows an unauthenticated or low-privileged attacker to inject arbitrary SQL queries directly into the backend MySQL/MariaDB database.
The endpoint /azcall/adm/gestao_loja/sis.php?t=consultar processes POST requests containing parameters such as nome, perfil, and status. The application fails to use prepared statements or adequate input validation for these parameters before concatenating them into SQL queries.
Vulnerable Endpoint: /azcall/adm/gestao_loja/sis.php?t=consultar
Vulnerable Parameters: POST body parameters (nome, perfil, status)
Attack Vector: Remote / Network
Backend Environment: Debian 10 (Buster), Apache 2.4.38, MySQL (MariaDB >= 5.0.0)
An attacker can exploit this vulnerability by sending a maliciously crafted HTTP POST request.
POST /azcall/adm/gestao_loja/sis.php?t=consultar HTTP/1.1
Host: x.x.x.x:19845
Content-Length: 33
X-Requested-With: XMLHttpRequest
Accept-Language: pt-BR,pt;q=0.9
Accept: text/html, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Origin: http://x.x.x.x:19845
Referer: http://x.x.x.x:19845/azcall/pages/gu.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=kvn4nufv6nvkgcmhvch2fe0v8s
Connection: keep-alive
nome=WESLEY&perfil=%25&status=%25
Automated exploitation via sqlmap confirms the vulnerability, allowing the extraction of the backend database schema. For instance, an attacker can dump the usuarios table within the azcall database, which contains 34 columns including sensitive fields such as login, senha, email, and nivel.
The exploitation of this vulnerability results in a total compromise of the application's data.
Confidentiality: Complete loss. Attackers can read all data within the database, including plaintext or hashed credentials, personal information, and application configurations.
Integrity: Complete loss. Attackers can modify, insert, or delete database records, potentially altering system behavior or escalating privileges.
Availability: High impact. Attackers could drop tables or the entire database, rendering the application inoperable. |
|---|
| المصدر | ⚠️ http://x.x.x.x:19845/azcall/adm/gestao_loja/sis.php?t=consultar |
|---|
| المستخدم | r1cm4rInh0 (UID 98596) |
|---|
| ارسال | 28/05/2026 07:56 PM (1 شهر منذ) |
|---|
| الاعتدال | 11/07/2026 12:05 PM (1 month later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 377789 [Aster Telecom Azcall 10/11 HTTP sis.php?t=consultar nome/perfil/status حقن SQL] |
|---|
| النقاط | 20 |
|---|