| 제목 | For IP Tecnologia Ltda monitcallcenter 1.x SQL Injection |
|---|
| 설명 | A SQL injection vulnerability was found in the "user" parameter sent to the application through a JSON file. Due to the lack of server-side sanitization, it is possible to inject the payload ' OR 1=1 -- , granting access to the administrative system of VOIP calls. Through the graphical interface, authenticated in the system, it is possible to download and listen to the calls saved in the call center management system's database.
Through Google, it is possible to find some exposed systems containing the vulnerability. These systems include: http://x.x.x.x:84/ and http://x.x.x.x:84/. To find them, as I had previously reported other vulnerabilities in the "ForIP Tecnologia - Administração PABX" system, I simply searched on Google for "forip tecnologia administração pabx" and changed the port from 8443 (where I found and registered the vulnerability with vuldb as CVE-2024-7101) to port 84, making access to the "monitcallcenter" system possible. |
|---|
| 원천 | ⚠️ https://docs.google.com/document/d/1mlEC73Tdqr8L39ogilAbWSj4ZvCRmprtI82zvawWCzE/edit?usp=sharing |
|---|
| 사용자 | gabriel (UID 72007) |
|---|
| 제출 | 2024. 07. 26. PM 09:26 (2 연령 ago) |
|---|
| 모더레이션 | 2024. 08. 04. AM 08:26 (8 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 273554 [ForIP Tecnologia Administração PABX 1.x monitcallcenter /authMonitCallcenter 사용자 SQL 주입] |
|---|
| 포인트들 | 20 |
|---|