CVE-2007-5488
Asterisk-Addons < 1.2.7 - SQL Injection via Source/Destination Numbers or SIP URI
Exploitation Summary
EIP tracks 1 public exploit for CVE-2007-5488. PoCs published by Humberto J. Abdelnur.
AI-analyzed exploit summary
This exploit targets an SQL injection vulnerability in Asterisk's 'asterisk-addons' package by crafting a malicious SIP INVITE message with an injected SQL payload. The payload includes a script injection to demonstrate the vulnerability.
Description
Multiple SQL injection vulnerabilities in cdr_addon_mysql in Asterisk-Addons before 1.2.8, and 1.4.x before 1.4.4, allow remote attackers to execute arbitrary SQL commands via the (1) source and (2) destination numbers, and probably (3) SIP URI, when inserting a record.