An attacker with authenticated access to VICIdial as an “agent” can execute arbitrary shell commands as the “root” user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.
This repository contains a combined exploit for two critical vulnerabilities discovered in VICIdial by KoreLogic:
- CVE-2024-8503: Unauthenticated SQL Injection (SQLi)
- CVE-2024-8504: SQLi leading to Remote Code Execution (RCE)
These vulnerabilities allow an attacker to retrieve administrative credentials through SQLi and ultimately execute arbitrary code on the target server via an RCE attack.
This exploit tool allows you to either:
- Retrieve administrator credentials via SQLi (CVE-2024-8503)
- Achieve RCE via SQLi and poisoned recording files (CVE-2024-8504)
The tool is based on KoreLogic’s original research, with enhancements made to:
- Separate the SQLi and RCE functionalities for more flexibility.
- Improve the user experience by simplifying execution and error handling.
- Provide a cleaner and more aesthetic output using rich_click.