Related vulnerability
Title: Fortinet FortiWeb security vulnerability (CVE-2025-64446)
Description: Fortinet FortiWeb is a web application firewall from Fortinet (US). It blocks attacks such as cross-site scripting, SQL injection, cookie poisoning and schema poisoning to protect web applications and the sensitive database content behind them. FortiWeb 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11 and 7.0.0 through 7.0.11 contain a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands.
Description
Security research tool for detecting and testing CVE-2025-64446 (FortiWeb Path Traversal RCE vulnerability)
Introduction
# CVE-2025-64446 Fortinet FortiWeb Path Traversal RCE Exploit
A security research tool for detecting and testing CVE-2025-64446 in the Fortinet FortiWeb Web Application Firewall (WAF). The vulnerability is a relative path traversal that was exploited in the wild as a zero-day: an unauthenticated attacker who can reach a vulnerable FortiWeb over HTTP or HTTPS can use it to execute administrative commands, which is what makes it equivalent to remote code execution on the appliance.
## ⚠️ Disclaimer
This tool is for **authorized security testing and educational purposes only**. Unauthorized access to computer systems is illegal. Only use this tool on systems you own or have explicit written permission to test.
## 📋 Overview
CVE-2025-64446 is a critical path traversal vulnerability in Fortinet FortiWeb that has been exploited in the wild as a zero-day. Unauthenticated attackers who can reach a vulnerable FortiWeb over HTTP or HTTPS can use it to execute administrative commands, which gives them access to the appliance configuration and a path to remote code execution and full compromise of the device.
**CVSS Score:** 9.8 (Critical)
**Status:** Actively Exploited in the Wild
**CISA KEV:** Added to Known Exploited Vulnerabilities catalog
**Advisory:** FG-IR-25-910 (fixed in 8.0.2, 7.6.5, 7.4.10, 7.2.12 and 7.0.12)
**Affected Product:** Fortinet FortiWeb 8.0.0-8.0.1, 7.6.0-7.6.4, 7.4.0-7.4.9, 7.2.0-7.2.11 and 7.0.0-7.0.11
## 🔍 Features
- **Automated FortiWeb Detection:** Identifies FortiWeb WAF deployments
- **Path Traversal Testing:** Tests multiple path traversal payload variations
- **Vulnerability Confirmation:** Verifies CVE-2025-64446 vulnerability
- **Configuration File Access:** Attempts to read FortiWeb configuration files
- **Webshell Deployment:** Demonstrates webshell upload capability (this leaves a file on the target that must be removed once the authorized test is finished)
- **Command Execution:** Executes arbitrary commands (for authorized testing)
- **Multi-threading Support:** Scan multiple targets in parallel
- **Proxy Support:** Route requests through one or more HTTP proxies (for example an interception proxy while debugging payloads)
- **JSON Export:** Detailed results in JSON format
- **POC Script Included:** Simple proof-of-concept demonstration
## 📦 Installation
### Prerequisites
- Python 3.6 or higher
- pip (Python package manager)
### Quick Install
```bash
# Clone the repository
git clone https://github.com/AN5I/cve-2025-64446-fortiweb-exploit.git
cd cve-2025-64446-fortiweb-exploit
# Install dependencies
pip install -r requirements.txt
# Make scripts executable (optional)
chmod +x cve_2025_64446_fortiweb_exploit.py
chmod +x cve_2025_64446_poc.py
```
### Alternative: Direct Download
```bash
# Download the scripts
wget https://raw.githubusercontent.com/AN5I/cve-2025-64446-fortiweb-exploit/main/cve_2025_64446_fortiweb_exploit.py
wget https://raw.githubusercontent.com/AN5I/cve-2025-64446-fortiweb-exploit/main/cve_2025_64446_poc.py
# Install dependencies
pip install requests
```
## 🚀 Usage
### Basic Usage
```bash
# Single target
python3 cve_2025_64446_fortiweb_exploit.py -u http://target.com
# Execute custom command
python3 cve_2025_64446_fortiweb_exploit.py -u http://target.com -c "whoami"
# Multiple targets from file
python3 cve_2025_64446_fortiweb_exploit.py -f targets.txt -o results.json
# With threading for faster scanning
python3 cve_2025_64446_fortiweb_exploit.py -u http://target.com -t 5
# Verbose output for debugging
python3 cve_2025_64446_fortiweb_exploit.py -u http://target.com -v
```
### Using Proxies
```bash
# Single proxy
python3 cve_2025_64446_fortiweb_exploit.py -u http://target.com --proxy http://proxy:port
# Multiple proxies from file
python3 cve_2025_64446_fortiweb_exploit.py -f targets.txt --proxy-list proxies.txt
```
### POC Script
```bash
# Basic POC test
python3 cve_2025_64446_poc.py -u http://target.com
# Test specific file
python3 cve_2025_64446_poc.py -u http://target.com -f etc/passwd
# Verbose output
python3 cve_2025_64446_poc.py -u http://target.com -v
```
### Command Line Options
These are the options of the main exploit script. The POC script uses `-f` differently: there it names the file to read from the target (see the POC examples above), not a list of targets.
```
-u, --url Target URL
-f, --file File containing target URLs (one per line)
-c, --command Command to execute (default: id)
-t, --threads Number of threads (default: 1)
-o, --output Output file (default: uknf_fortiweb_results.json)
-v, --verbose Enable verbose logging
--proxy Proxy URL (e.g., http://127.0.0.1:8080)
--proxy-list File containing proxy URLs (one per line)
```
## 📊 Output
The script generates a JSON file with detailed results. A `"webshell_uploaded": true` entry means the tool left a file on that target; remove it as part of closing out the authorized test.
```json
{
  "target": "http://target.com",
  "timestamp": "2025-11-21T00:25:40.123456",
  "fortiweb_detected": true,
  "vulnerable": true,
  "path_traversal_successful": true,
  "config_file_read": true,
  "webshell_uploaded": true,
  "command_executed": "id",
  "output": "uid=1000(user) gid=1000(user)...",
  "vulnerable_payload": "../../../../etc/passwd"
}
```
## 🔬 How It Works
1. **Detection Phase:** Scans for FortiWeb WAF indicators (headers, content, error pages)
2. **Vulnerability Testing:** Tests multiple path traversal payload variations
3. **Path Traversal Confirmation:** Verifies successful file access
4. **Configuration Access:** Attempts to read FortiWeb configuration files
5. **Exploitation:** If vulnerable, demonstrates RCE capability through webshell deployment
## 🛡️ Mitigation
If you're using FortiWeb WAF:
1. **Apply Security Updates Immediately:**
```
# Check the running version from the FortiWeb CLI
get system status
```
- Upgrade to a fixed build on your branch: 8.0.2, 7.6.5, 7.4.10, 7.2.12 or 7.0.12 (or later), following the upgrade procedure in the FortiWeb release notes for that branch
- Reference: [FG-IR-25-910](https://fortiguard.fortinet.com/psirt/FG-IR-25-910)
2. **Network Segmentation:**
- Do not expose the FortiWeb management interface to the internet; as an interim workaround the advisory recommends disabling HTTP and HTTPS on internet-facing interfaces until the upgrade is done
- Implement network ACLs
- Use VPN for administrative access
3. **Configuration Hardening:**
- Disable unnecessary features
- Implement strict access controls
- Enable comprehensive logging and monitoring, and review the administrator account list for accounts you did not create, since exploitation executes administrative commands
4. **CISA Requirements:**
- Federal agencies must patch within 7 days (the KEV due date)
- Monitor CISA KEV catalog for updates
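As an added example (not code from this repository), here is a small Python check that classifies a FortiWeb version string against the affected ranges listed above. It accepts either a bare version such as `7.4.9` or any line containing one; the `Version: FortiWeb-VM ...` line used in the demo is a constructed sample of a `get system status` line, not a captured one. The `upgrade_to` value is derived as the first build after each affected range, which matches the fixed builds named in the advisory.

```python
"""Classify a FortiWeb version against the CVE-2025-64446 affected ranges.

Added example, not part of the exploit repository. The affected ranges are the
ones listed in the advisory text above; "upgrade_to" is the first build after
each range.
"""
import re
import sys
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (first, last) affected build per branch, as listed above.
AFFECTED_RANGES: Dict[Tuple[int, int], Tuple[Version, Version]] = {
    (8, 0): ((8, 0, 0), (8, 0, 1)),
    (7, 6): ((7, 6, 0), (7, 6, 4)),
    (7, 4): ((7, 4, 0), (7, 4, 9)),
    (7, 2): ((7, 2, 0), (7, 2, 11)),
    (7, 0): ((7, 0, 0), (7, 0, 11)),
}


def parse_version(text: str) -> Version:
    """Extract the first x.y.z triple from a bare version or a status line.

    The 'Version: FortiWeb-VM 7.4.9,build...' shape used in main() is a
    constructed sample of a 'get system status' line, not a verbatim capture.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def assess(text: str) -> Dict[str, object]:
    """Return status 'affected', 'fixed' or 'not-listed' for a version string.

    'not-listed' means the branch does not appear in the ranges above; it is
    not a statement that the build is safe, so check the advisory for it.
    """
    version = parse_version(text)
    branch = version[:2]
    affected = AFFECTED_RANGES.get(branch)
    upgrade_to: Optional[Version] = None
    if affected is None:
        status = "not-listed"
    elif affected[0] <= version <= affected[1]:
        status = "affected"
        last = affected[1]
        upgrade_to = (last[0], last[1], last[2] + 1)
    else:
        # Same branch but past the last affected build, e.g. 7.4.10.
        status = "fixed"
    return {"version": version, "status": status, "upgrade_to": upgrade_to}


def fmt(v: Optional[Version]) -> str:
    """Render a version tuple as x.y.z, or '-' when there is none."""
    return "-" if v is None else ".".join(str(p) for p in v)


if __name__ == "__main__":
    # Usage: python3 check_fortiweb_version.py 7.4.9 "Version: FortiWeb-VM 7.2.11,build0000(GA)"
    # With no arguments a few constructed samples are classified.
    samples = sys.argv[1:] or [
        "7.4.9",
        "7.4.10",
        "Version: FortiWeb-VM 7.2.11,build0000(GA)",
        "6.4.3",
    ]
    for arg in samples:
        r = assess(arg)
        print(f"{fmt(r['version']):<8} {r['status']:<11} upgrade_to={fmt(r['upgrade_to'])}")
```

Paste the `Version:` line from `get system status` as the argument, or feed the output of an inventory export through `assess()` one line at a time; anything reported `not-listed` still needs a manual look at the advisory for that branch.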
## 📚 References
- **CVE:** [CVE-2025-64446](https://www.cve.org/CVERecord?id=CVE-2025-64446)
- **Fortinet PSIRT:** [FG-IR-25-910](https://fortiguard.fortinet.com/psirt/FG-IR-25-910)
- **CISA KEV Catalog:** [CVE-2025-64446](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-64446)
- **Tenable Blog:** [CVE-2025-64446 Analysis](https://www.tenable.com/blog/cve-2025-64446-fortinet-fortiweb-zero-day-path-traversal-vulnerability-exploited-in-the-wild)
## 📖 Examples
### Example 1: Single Target Scan
```bash
python3 cve_2025_64446_fortiweb_exploit.py -u https://example.com
```
### Example 2: Multiple Targets with Output
```bash
# Create targets file
echo "https://target1.com" > targets.txt
echo "https://target2.com" >> targets.txt
# Run scan
python3 cve_2025_64446_fortiweb_exploit.py -f targets.txt -o results.json
```
### Example 3: Custom Command Execution
```bash
python3 cve_2025_64446_fortiweb_exploit.py -u https://example.com -c "uname -a"
```
### Example 4: Using Proxies
```bash
# Single proxy
python3 cve_2025_64446_fortiweb_exploit.py -u https://example.com --proxy http://127.0.0.1:8080
# Multiple proxies from file
echo "http://proxy1:8080" > proxies.txt
echo "http://proxy2:8080" >> proxies.txt
python3 cve_2025_64446_fortiweb_exploit.py -f targets.txt --proxy-list proxies.txt
```
### Example 5: POC Testing
```bash
# Basic POC
python3 cve_2025_64446_poc.py -u https://example.com
# Test specific file
python3 cve_2025_64446_poc.py -u https://example.com -f etc/passwd
```
## 🤝 Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
1. Fork the repository
2. Create your feature branch (`git checkout -b feature/AmazingFeature`)
3. Commit your changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request
## 🐛 Issues
If you encounter any issues or have suggestions, please open an issue on GitHub.
## 📝 License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
## ⭐ Star History
If you find this tool useful, please consider giving it a star on GitHub!
## ⚖️ Legal
This tool is provided for educational and authorized security testing purposes only. The authors are not responsible for any misuse or damage caused by this program. Users are responsible for ensuring they have proper authorization before testing any systems.
## 🙏 Acknowledgments
- Original vulnerability reporter and security researchers
- Fortinet PSIRT for vulnerability disclosure
- CISA for maintaining the KEV catalog
- Security community for ongoing research
## 💰 Donations
If you find this tool useful and would like to support the project:
**Bitcoin (BTC):**
```
bc1qj95y35w8r2mw0u28zrm3dmxtzjkq258xdv8tzv
```
**Ethereum (ETH):**
```
0x3DC302a3f35F6cD1A03FF4982EcE0dE8fE1cEba7
```
Thank you for your support! 🙏
File snapshot
[4.0K] /data/pocs/6d97171074c0b18ceac933b9609d3aa4c99f2cd3
├── [ 21K] cve_2025_64446_fortiweb_exploit.py
├── [3.6K] cve_2025_64446_poc.py
├── [1.1K] LICENSE
├── [8.5K] README.md
└── [ 18] requirements.txt
1 directory, 5 files
Notes
1. Prefer accessing the POC through its original source.
2. If the source is unavailable or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong has taken a snapshot of the POC code; to support long-term maintenance, please consider paying for the local POC copy. Thank you for your support.