提出 #841457: Aster Telecom Azcall 2014 - 2026 SQL Injection情報

タイトルAster Telecom Azcall 2014 - 2026 SQL Injection
説明A critical SQL Injection (SQLi) vulnerability was identified in the Aster Telecom Azcall system (versions 10 and 11). The flaw exists in the /azcall/adm/gestao_loja/sis.php endpoint due to improper sanitization of user-supplied input in HTTP POST requests. This allows an unauthenticated or low-privileged attacker to inject arbitrary SQL queries directly into the backend MySQL/MariaDB database. The endpoint /azcall/adm/gestao_loja/sis.php?t=consultar processes POST requests containing parameters such as nome, perfil, and status. The application fails to use prepared statements or adequate input validation for these parameters before concatenating them into SQL queries. Vulnerable Endpoint: /azcall/adm/gestao_loja/sis.php?t=consultar Vulnerable Parameters: POST body parameters (nome, perfil, status) Attack Vector: Remote / Network Backend Environment: Debian 10 (Buster), Apache 2.4.38, MySQL (MariaDB >= 5.0.0) An attacker can exploit this vulnerability by sending a maliciously crafted HTTP POST request. POST /azcall/adm/gestao_loja/sis.php?t=consultar HTTP/1.1 Host: x.x.x.x:19845 Content-Length: 33 X-Requested-With: XMLHttpRequest Accept-Language: pt-BR,pt;q=0.9 Accept: text/html, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36 Origin: http://x.x.x.x:19845 Referer: http://x.x.x.x:19845/azcall/pages/gu.php Accept-Encoding: gzip, deflate, br Cookie: PHPSESSID=kvn4nufv6nvkgcmhvch2fe0v8s Connection: keep-alive nome=WESLEY&perfil=%25&status=%25 Automated exploitation via sqlmap confirms the vulnerability, allowing the extraction of the backend database schema. For instance, an attacker can dump the usuarios table within the azcall database, which contains 34 columns including sensitive fields such as login, senha, email, and nivel. The exploitation of this vulnerability results in a total compromise of the application's data. Confidentiality: Complete loss. Attackers can read all data within the database, including plaintext or hashed credentials, personal information, and application configurations. Integrity: Complete loss. Attackers can modify, insert, or delete database records, potentially altering system behavior or escalating privileges. Availability: High impact. Attackers could drop tables or the entire database, rendering the application inoperable.
ソース⚠️ http://x.x.x.x:19845/azcall/adm/gestao_loja/sis.php?t=consultar
ユーザー
 r1cm4rInh0 (UID 98596)
送信2026年05月28日 19:56 (1 月 ago)
モデレーション2026年07月11日 12:05 (1 month later)
ステータス承諾済み
VulDBエントリ377789 [Aster Telecom Azcall 10/11 HTTP sis.php?t=consultar nome/perfil/status SQLインジェクション]
ポイント20

Want to know what is going to be exploited?

We predict KEV entries!