Related vulnerability
Title: FreePBX security vulnerability (CVE-2025-57819)
Description: FreePBX (formerly Asterisk Management Portal) is a tool set from the FreePBX project for configuring Asterisk (an IP telephony system) through a GUI (web-based graphical interface). FreePBX versions prior to 15.0.66 and prior to 17.0.3 contain a security vulnerability caused by insufficient sanitization of user-supplied data, which can lead to unauthenticated access to the administrator interface and remote code execution.
Description
FreePBX CVE-2025-57819 lab (Docker) + Nuclei POC for unauth SQLi (time-based).
Introduction
# (Work in Progress) FreePBX CVE-2025-57819 Lab - Unauth SQLi → RCE Chain (Nuclei POC)
Spin up a reproducible FreePBX 15 lab (Docker) to validate CVE-2025-57819 — a critical unauthenticated SQL injection in `userman` AJAX endpoints that can be chained to RCE. Includes a working Nuclei template (behavior-based, not version checks) and a debug-friendly test harness.
## Highlights
- Unauthenticated time-based SQLi POC (SLEEP) on `userman` endpoints
- Minimal Docker Compose (MariaDB + FreePBX 15)
- Nuclei POC template with `-debug` validation
- Make targets for quick bring-up and test
## Quick Start
Prereqs: Docker + Docker Compose. For Nuclei, either install locally or use the official container (used by default).
```bash
# bring up the lab
make up
# wait until FreePBX is responding
make wait
# quick timing check (expect ~6s delay on injected request)
make check
# run nuclei POC with debug (via Docker)
make test-nuclei
# all-in-one
make test
```
If you have Nuclei installed locally, you can run:
```bash
nuclei -u http://127.0.0.1:8080 -t templates/CVE-2025-57819.yaml -vv -debug -debug-req -debug-resp
```
## How It Works
- Vulnerable endpoints:
  - `/admin/ajax.php?module=userman&command=checkPasswordReminder`
  - `/ucp/ajax.php?module=userman&command=checkPasswordReminder`
- The template sends a baseline POST and a SLEEP-injected POST. A ≥5s delay on the injected request indicates likely SQLi.
- This is a detection-only POC (non-destructive). Do not attempt file writes in shared environments.
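The same timing signal can be used on the defender's side. The following is an added example, not code from this repository: it parses constructed access-log lines (assuming an Apache `LogFormat` that appends `%D`, the request time in microseconds, which is not the FreePBX default) and flags requests to the two `userman` endpoints above that took 5 s or longer, while ignoring slow requests to other paths.

```python
import re
from urllib.parse import unquote_plus

# Assumed log format (not the default):  LogFormat "%h %t \"%r\" %>s %b %D" freepbx_timing
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<micros>\d+)$'
)

# The two endpoints named in the README; the injected POST targets these.
VULN_ENDPOINTS = ("/admin/ajax.php", "/ucp/ajax.php")
SLOW_THRESHOLD_S = 5.0  # README: a >=5s delay indicates a likely SLEEP-based SQLi probe

def is_userman_reminder(path: str) -> bool:
    """True if the request path is one of the checkPasswordReminder AJAX endpoints."""
    base, _, query = path.partition("?")
    q = unquote_plus(query).lower()
    return base in VULN_ENDPOINTS and "module=userman" in q and "command=checkpasswordreminder" in q

def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def flag_suspicious(lines):
    """Return (ip, endpoint, seconds) for userman reminder requests at or above the threshold."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_userman_reminder(rec["path"]):
            continue
        secs = int(rec["micros"]) / 1_000_000
        if secs >= SLOW_THRESHOLD_S:
            hits.append((rec["ip"], rec["path"].partition("?")[0], secs))
    return hits

# Constructed sample lines (not real traffic): a normal lookup, a ~6s one on the
# vulnerable endpoint, and a slow request to an unrelated page that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 [29/Aug/2025:10:00:01 +0000] "POST /admin/ajax.php?module=userman&command=checkPasswordReminder HTTP/1.1" 200 42 118000
203.0.113.7 [29/Aug/2025:10:00:02 +0000] "POST /admin/ajax.php?module=userman&command=checkPasswordReminder HTTP/1.1" 200 42 6104000
198.51.100.9 [29/Aug/2025:10:00:03 +0000] "GET /admin/config.php HTTP/1.1" 200 9120 7500000
""".splitlines()

if __name__ == "__main__":
    for ip, endpoint, secs in flag_suspicious(SAMPLE_LOG):
        print(f"{ip} {endpoint} {secs:.2f}s  investigate: slow userman reminder request")
```

Because the injected value travels in the POST body, which access logs do not record, the response time is the practical signal here; pair it with the baseline request from the same client to rule out a generally slow server.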
## Repository Layout
```txt
.
├── docker-compose.yml
├── Makefile
├── scripts/
│   └── test.sh
└── templates/
    └── CVE-2025-57819.yaml
```
## References
- FreePBX advisory: <https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h>
- PoC 1: <https://github.com/blueisbeautiful/CVE-2025-57819>
- PoC 2: <https://github.com/net-hex/CVE-2025-57819>
## Disclaimer
For educational and authorized testing only. Test only assets you own or have explicit permission to test.
## SEO Keywords
freepbx cve-2025-57819, freepbx sql injection, freepbx rce, userman ajax.php exploit, nuclei template cve-2025-57819, freepbx security lab, pentest lab freepbx
File snapshot
[4.0K] /data/pocs/8c22cbb163eee2e256485370d8a84ed034f3d3a9
├── [ 761] docker-compose.yml
├── [1.7K] Makefile
├── [2.2K] README.md
├── [4.0K] scripts
│   ├── [1.5K] seed-admin.sh
│   └── [1.0K] test.sh
└── [4.0K] templates
    └── [3.3K] CVE-2025-57819.yaml
2 directories, 6 files
Notes
1. It is recommended to access the POC through its original source first.
2. If the source has gone offline or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you. To support long-term maintenance, please consider paying for the local POC. Thank you for your support.