Associated vulnerability
Title:
Fortinet FortiWeb SQL Injection Vulnerability
(CVE-2025-25257)
Description: Fortinet FortiWeb is a web application firewall from the US company Fortinet. It blocks threats such as cross-site scripting, SQL injection, cookie poisoning and schema poisoning, securing web applications and protecting sensitive database content. Fortinet FortiWeb versions 7.6.3 and earlier, 7.4.7 and earlier, 7.2.10 and earlier, and versions before 7.0.10 contain an SQL injection vulnerability caused by improper neutralization of special elements used in an SQL command, which may lead to SQL injection attacks.
Description
Public PoC for CVE-2025-25257: FortiWeb pre-auth SQLi to RCE
Introduction
# CVE-2025-25257 - FortiWeb Pre-Auth SQL Injection to RCE
## 07/09/2025 by TheStingR
<div align="center">
<img src="https://img.shields.io/badge/Language-Python-blue?style=for-the-badge&logo=python&logoColor=white" alt="Language: Python">
<img src="https://img.shields.io/badge/CVSS-9.6--9.8%20Critical-red?style=for-the-badge" alt="CVSS Score: 9.6-9.8 Critical">
<img src="https://img.shields.io/badge/Exploit-PoC%20Available-orange?style=for-the-badge" alt="Exploit Status: Proof of Concept Available">
<img src="https://img.shields.io/badge/CVE_2025_25257-Disclosed-green?style=for-the-badge" alt="CVE Status: CVE-2025-25257 Disclosed">
<img src="https://img.shields.io/badge/Version-v1.0.0-brightgreen?style=for-the-badge" alt="Version: v1.0.0">
<img src="https://img.shields.io/badge/Target-FortiWeb-purple?style=for-the-badge" alt="Target Platform: FortiWeb">
</div>
> **Disclaimer:** This proof-of-concept (PoC) is provided for authorized security testing and research purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal. Users are responsible for complying with all applicable laws and regulations.
**CVE-2025-25257** is a critical vulnerability in Fortinet FortiWeb, a web application firewall, within its Fabric Connector component. It allows attackers to execute arbitrary system commands without authentication, posing a severe risk of full system compromise.
## Affected Versions
| Version Range | Status |
|---------------------|--------------|
| 7.6.0 – 7.6.3 | Vulnerable |
| 7.4.0 – 7.4.7 | Vulnerable |
| 7.2.0 – 7.2.10 | Vulnerable |
| 7.0.10 and earlier | Vulnerable |
## Vulnerability Overview
This vulnerability stems from insecure handling of the `Authorization: Bearer <token>` HTTP header in the `get_fabric_user_by_token()` function. Due to insufficient input sanitization, attackers can inject malicious SQL commands (SQL Injection, CWE-89).
**Impact:**
- **Authentication Bypass:** Attackers can execute arbitrary SQL queries without credentials.
- **Remote Code Execution (RCE):** Using MySQL's `SELECT ... INTO OUTFILE`, attackers can write malicious files (e.g., webshells or Python scripts) to the server, enabling full system control.
## Download
📥 **[Download Latest Release (v1.0.0)](https://github.com/TheStingR/CVE-2025-25257/releases/tag/v1.0.0)**
**Files included:**
- `CVE-2025-25257.py` - Python exploit script
- `README.md` - Complete documentation
- `exploit_workflow.svg` - Attack workflow diagram
## Exploit Workflow
The exploit follows these steps, as illustrated in the Mermaid diagram below (rendered natively on GitHub) and the static image `exploit_workflow.svg`:
```mermaid
graph TD
A[Attacker] --> B[Target Endpoint]
B --> C[SQL Injection]
C --> D[Webshell Creation]
D --> E[Command Execution]
E --> F[System Compromise]
```
<div align="center">
<img src="exploit_workflow.svg" alt="Exploit Workflow" width="25%">
</div>
1. **SQL Injection:** The attacker sends a crafted HTTP request to the vulnerable `/api/fabric/device/status` endpoint.
2. **File Creation:** The SQL injection writes a webshell (e.g., `webshell.php`) to the server.
3. **Command Execution:** The attacker sends commands via the `User-Agent` header to the webshell, executing arbitrary system commands.
## Why This Is Critical
- **CVSS Score:** 9.6–9.8 (Critical)
- **Unauthenticated Access:** No credentials are required for exploitation.
- **Full System Compromise:** Attackers can gain complete control of the affected FortiWeb device.
- **Active Exploitation:** Public proof-of-concept (PoC) exploits are available and being used in the wild.
## Remediation
| Action | Details |
|-----------------------|-------------------------------------------------------------------------|
| **Patch Immediately** | Upgrade to a fixed version: 7.6.4+, 7.4.8+, 7.2.11+, or 7.0.11+ |
| **Temporary Mitigation** | Restrict or disable HTTP/HTTPS admin interface access |
| **Detection** | - Monitor `Authorization` headers for SQL syntax<br>- Use IDS/IPS to detect SQL injection attempts on `/api/fabric/device/status`<br>- Check for unexpected files (e.g., `.php`, `.py`, or CGI scripts) |
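The detection guidance in the table can be turned into a log check. The script below is an added example, not part of this repository: it scans constructed access-log lines (the format, the client IPs and the tokens are all made up for the example) for requests to `/api/fabric/device/status` whose `Authorization: Bearer` value falls outside the character set a real token would use, and raises the verdict to `sqli` when SQL metacharacters and keywords appear together.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample log lines (not real FortiWeb logs):
# client, method, path, status, Authorization header value.
SAMPLE_LOG = """\
10.0.0.5 GET /api/fabric/device/status 200 "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc-def_ghi"
10.0.0.7 GET /api/fabric/device/status 200 "Bearer abc' OR 1=1 -- "
10.0.0.9 GET /api/fabric/device/status 500 "Bearer x' UNION SELECT 1 INTO OUTFILE '/tmp/x' -- "
10.0.0.5 GET /api/v2.0/system/status 200 "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc-def_ghi"
10.0.0.8 GET /api/fabric/device/status 401 "Basic dXNlcjpwYXNz"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')
# Characters a legitimate bearer token (JWT / base64 / base64url) is made of.
TOKEN_ALPHABET = re.compile(r'^[A-Za-z0-9._~+/=-]+$')
SQL_KEYWORDS = re.compile(r"\b(union|select|into|outfile|dumpfile|or|and|sleep|benchmark)\b", re.I)
SQL_META = re.compile(r"['\"();]|--|/\*|#")
TARGET_PATH = "/api/fabric/device/status"

def classify_token(token: str) -> Optional[str]:
    """None for a token that looks legitimate, otherwise a verdict string."""
    token = unquote(token)  # catch percent-encoded quotes and spaces too
    if TOKEN_ALPHABET.fullmatch(token):
        return None
    if SQL_META.search(token) and SQL_KEYWORDS.search(token):
        return "sqli"
    if SQL_META.search(token):
        return "suspicious"
    return "malformed"

def scan_log(text: str) -> list:
    """Return one finding per Bearer request to the Fabric endpoint with an abnormal token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        src, method, path, status, auth = m.groups()
        if path.split("?", 1)[0] != TARGET_PATH:
            continue
        scheme, _, token = auth.partition(" ")
        if scheme.lower() != "bearer":
            continue
        verdict = classify_token(token)
        if verdict:
            findings.append({"line": lineno, "src": src, "verdict": verdict, "status": status})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['src']} -> {f['verdict']} (HTTP {f['status']})")
```

The HTTP status is kept in each finding because a 500 on this endpoint alongside an abnormal token is a stronger signal than a 200.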
**References:**
- [Fortinet PSIRT Advisory](https://www.fortinet.com/support/product-security) (Check for FG-IR-25-XXX when published)
- Community write-ups: [Exploit-DB](https://www.exploit-db.com/), [HackerOne](https://hackerone.com/)
## PoC Usage (Authorized Testing Only)
**This tool is for authorized security testing and research purposes only. Ensure you have explicit permission to test the target system.**
### Prerequisites
- Python 3.8 or later
- Required libraries: `requests` (third-party) and `argparse` (part of the Python standard library, no install needed)
- Install dependencies: `pip install requests`
### Usage
```bash
python3 cve_2025_25257.py -t https://target-ip
```
| Option | Description |
|--------------|------------------------------------------------|
| `-t` | Target URL (e.g., `https://target-ip`) |
| `-T` | File containing multiple target URLs |
| `--proxy` | Route traffic through a proxy (e.g., `http://127.0.0.1:8080`) |
**Post-Exploitation:** After successful exploitation, the script outputs the webshell URL (e.g., `https://target-ip/webshell.php`). Commands can be sent to the webshell via the `User-Agent` header using tools like `curl` or a browser.
### Example
```bash
python3 cve_2025_25257.py -t https://192.168.1.100 --proxy http://127.0.0.1:8080
```
**Output:** If successful, the script will display:
```
[+] Webshell deployed at: https://192.168.1.100/webshell.php
[+] Send commands via User-Agent header, e.g., `curl -A "whoami" https://192.168.1.100/webshell.php`
```
## Summary
CVE-2025-25257 is a severe, easily exploitable vulnerability in FortiWeb, enabling unauthenticated attackers to achieve full system control. Immediate patching is critical, and organizations should monitor for signs of exploitation.
**Visual Aids:** The Mermaid diagram above renders natively on GitHub. The static `exploit_workflow.svg` (included in the repository) provides the same workflow for offline viewing or presentations, with scalable vector graphics for high-quality rendering.
File snapshot
[4.0K] /data/pocs/6493292ede5219bf5e17b384012ab5171ec00052
├── [6.9K] CVE-2025-25257.py
├── [ 12K] exploit_workflow.svg
└── [6.0K] README.md
0 directories, 3 files
Notes
1. It is recommended to access the original source first.
2. If the source is unavailable or inaccessible, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.