PoC details: 52481a91b39c0a966f326f1c469138cba3dea8a9

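Source
Related vulnerability
Title: FreePBX security vulnerability (CVE-2025-57819)
Description: FreePBX (formerly Asterisk Management Portal) is a set of tools from the FreePBX project for configuring Asterisk (an IP telephony system) through a GUI (a web-based graphical interface). FreePBX version 15.0.66 and versions before 17.0.3 contain a security vulnerability that stems from insufficient sanitization of user data and may lead to unauthenticated access to the administrator interface and remote code execution.
Description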
Safe, read-only SQL Injection checker for FreePBX (CVE-2025-57819), using error/boolean/time-based techniques with per-parameter verdicts and JSON reporting.
Introduction
# FreePBX SQL Injection Checker

![Status](https://img.shields.io/badge/status-read--only-blue)
![Target](https://img.shields.io/badge/target-FreePBX-orange)
![CVE](https://img.shields.io/badge/CVE-2025--57819-critical)
![Python](https://img.shields.io/badge/python-3.8%2B-informational)
![License](https://img.shields.io/badge/license-MIT-green)

> 🔍 **Safe, read-only SQLi detector** for FreePBX’s `/admin/ajax.php` focused on `template`, `model`, and `brand` parameters.  
> 🛡️ Uses **error-based**, **boolean-based**, and **time-based** techniques to flag potential injection **without modifying the database**.  
> ✍️ Per-parameter verdicts + clean **JSON report** for CI, alerting, or incident response.

---

## 🔗 About CVE-2025-57819

- **NVD:** [CVE-2025-57819](https://nvd.nist.gov/vuln/detail/CVE-2025-57819)
- **CVE Record:** [CVE-2025-57819](https://www.cve.org/CVERecord?id=CVE-2025-57819)
- **FreePBX Security Advisory:** [GHSA-m42g-xg4c-5f3h](https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h)

---

## ✨ Highlights

- 🧪 **Three techniques**: error, boolean, time (SLEEP)  
- 🧷 **Read-only by design**: no `INSERT/DELETE/UPDATE`  
- 🧭 **Per-parameter results**: `template`, `model`, `brand`  
- ⏱️ **Baseline latency & deltas** for reliable timing checks  
- 🧰 **Proxy-friendly** (Burp/ZAP) & **CI-ready** output  
- 🧾 **JSON** summary for automation & dashboards

---

## 🔒 Safety & Ethics

- ✅ Intended for **your own systems** or systems you’re **authorized** to test  
- ✅ **No data writes**; diagnostics only  
- ⚠️ Check **local law** and **organizational policy** before use

---

## 🚀 Quick Start

```bash
python3 freepbx_sqli_checker.py -H https://your-freepbx.example
```

File snapshot

[4.0K] /data/pocs/52481a91b39c0a966f326f1c469138cba3dea8a9
├── [ 11K] freepbx_sqli_checker.py
├── [1.0K] LICENSE
├── [1.7K] README.md
└── [2.5K] SECURITY.md

0 directories, 4 files