
POC details: 2a03f8be6728f2c0e9d02b8d754abbfb2951ecbd

Source
Related vulnerability
Title: Fortinet FortiWeb security vulnerability (CVE-2025-64446)
Description: Fortinet FortiWeb is a web application firewall from the US company Fortinet. It blocks threats such as cross-site scripting, SQL injection, cookie poisoning and schema poisoning, securing web applications and protecting sensitive database contents. Fortinet FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11 and 7.0.0 through 7.0.11 contain a security vulnerability that stems from relative path traversal and may allow execution of administrative commands.
Description
A scanner for the FortiNet vulnerability CVE-2025-64446
Introduction
# FortiWeb Auth Bypass Scanner

Simple Python helper to probe Fortinet/FortiWeb targets for the `fwbcgi` authentication bypass pattern reported by watchTowr Labs. Intelligence and request details came from: https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/

## Usage
```
python3 scanner.py http://192.168.9.1:80
python3 scanner.py -f targets.txt --find-forti --follow-redirects
```
Targets must include their scheme explicitly (`http://` or `https://`). If the port is omitted, the scanner assumes `80` for HTTP or `443` for HTTPS. Outputs one line per target with `[+] VULNERABLE`, `[+] MAY BE VULNERABLE`, `[+] PATCHED`, `[+] POSSIBLY PATCHED`, or `[-] INDETERMINATE`; optionally highlights words containing “forti”.

## Options
- `targets`: one or more `<scheme>://<host>[:<port>]` entries on the command line (ports default to `80` for HTTP or `443` for HTTPS).
- `-f/--targets-file`: read additional targets from file(s); same `<scheme>://<host>[:<port>]` format.
- `--timeout`: socket timeout in seconds (default `5`).
- `--find-forti`: print unique tokens containing “forti” that appeared in the response body.
- `--follow-redirects`: opt-in redirect handling for targets that issue 30x responses.
- `--max-redirects`: limit for redirect hops when `--follow-redirects` is active (default `3`, `0` disables following even if the flag is present).
- `--validate-tls`: force certificate validation for HTTPS targets and redirects (default behavior skips validation to avoid blocking on self-signed certs).
- `--workers`: number of concurrent scans to run via asyncio (default `10`).
- `--user-agent`: custom HTTP User-Agent header (default `fwbcgi-scanner/1.0`).
- `--csv-output`: write `<target>,<classification>` rows to the given CSV file in addition to console output.

## Testing

Due to a lack of decent testing infra, here's the naive test suite I used.

`PYTHONPYCACHEPREFIX=./.pycache python3 -m unittest discover -s tests`

## Python/OpenSSL Notes

The scanner relies on TLS 1.2+ support to talk to modern Fortinet or Cloudflare-fronted sites. Make sure the `python3` you run is linked against a recent OpenSSL build:

- **macOS:** The system Python (`/usr/bin/python3`) is tied to LibreSSL 2.8 and cannot negotiate TLS 1.3, causing `TLSV1_ALERT_PROTOCOL_VERSION` errors. Install a modern interpreter via Homebrew (`brew install python`) or pyenv and run the scanner with that binary (e.g., `/opt/homebrew/bin/python3`).
- **Linux:** Most distro-supplied Pythons are already linked to OpenSSL ≥ 1.1.1. Verify with `python3 -c 'import ssl; print(ssl.OPENSSL_VERSION)'`. If it reports something older, install an updated python (pyenv, distro backports, etc.).
- **Windows:** Use the official python.org downloads (3.11+) which bundle OpenSSL 3.x. Double-check via the same `ssl.OPENSSL_VERSION` snippet if you’re running inside WSL or an older virtual environment.

If you must run on an older interpreter, expect HTTPS targets that require TLS 1.3 to fail; HTTP targets continue to work regardless.
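The following preflight check, added here as an illustration and not part of the scanner project, turns the OpenSSL notes above into a single self-contained script: it reports the linked OpenSSL/LibreSSL build, whether the `ssl` module advertises TLS 1.2 and TLS 1.3, and whether a default client context can actually be pinned to a TLS 1.3 minimum. The verdict strings (`ok`, `tls12-only`, `unsupported`) and the `tls_support_report()` function name are my own choices; the platform hints repeat the README's advice.

```python
"""Preflight TLS capability check for the interpreter that will run the scanner.

Added example (not part of the scanner project). It only inspects the local
`ssl` module and opens no network connections.
"""
import platform
import ssl


def tls_support_report() -> dict:
    """Return a dict describing what TLS versions this interpreter can speak."""
    version = ssl.OPENSSL_VERSION  # e.g. 'OpenSSL 3.0.13 ...' or 'LibreSSL 2.8.3'
    is_libressl = version.startswith("LibreSSL")
    has_tls12 = bool(getattr(ssl, "HAS_TLSv1_2", False))
    has_tls13 = bool(getattr(ssl, "HAS_TLSv1_3", False))

    # urllib/http.client build a context like this one; see whether it can be
    # restricted to TLS 1.3 without the underlying library rejecting it.
    can_require_tls13 = False
    try:
        ctx = ssl.create_default_context()
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
        can_require_tls13 = True
    except (ValueError, AttributeError, ssl.SSLError):
        can_require_tls13 = False

    if has_tls13:
        verdict = "ok"
    elif has_tls12:
        verdict = "tls12-only"   # HTTPS targets that insist on TLS 1.3 will fail
    else:
        verdict = "unsupported"

    # Platform-specific hint, mirroring the README's notes (hypothetical wording).
    system = platform.system()
    if verdict == "ok":
        hint = "interpreter is fine for TLS 1.3 targets"
    elif system == "Darwin":
        hint = "system Python is tied to LibreSSL; use Homebrew or pyenv python3"
    elif system == "Linux":
        hint = "install a python linked against OpenSSL >= 1.1.1 (pyenv/backports)"
    elif system == "Windows":
        hint = "use a python.org 3.11+ build, which bundles OpenSSL 3.x"
    else:
        hint = "install a python linked against a recent OpenSSL"

    return {
        "openssl_version": version,
        "is_libressl": is_libressl,
        "has_tls12": has_tls12,
        "has_tls13": has_tls13,
        "can_require_tls13": can_require_tls13,
        "verdict": verdict,
        "hint": hint,
    }


if __name__ == "__main__":
    for key, value in tls_support_report().items():
        print(f"{key:>18}: {value}")
```

Run it with the same `python3` binary you intend to launch `scanner.py` with; a `tls12-only` or `unsupported` verdict means the interpreter is the one the README warns about, and the `hint` field says which replacement to install.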
File snapshot

```
[4.0K] /data/pocs/2a03f8be6728f2c0e9d02b8d754abbfb2951ecbd
├── [3.0K] README.md
├── [ 15K] scanner.py
├── [4.0K] tests
│   └── [5.7K] test_scanner.py
└── [7.2K] test_server.py

2 directories, 4 files
```
Cached for you by the Shenlong bot
Remarks
    1. Prefer accessing the POC through the original source.
    2. If the source has gone offline or cannot be reached, e-mail f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.