PoC details: c8968b43cb485d8595802b35909c935874ea43dc

Source
Related vulnerability
Title: FreePBX security vulnerability (CVE-2025-57819)
Description: FreePBX (formerly Asterisk Management Portal) is a set of tools from the FreePBX project for configuring Asterisk (an IP telephony system) through a GUI (web-based graphical interface). FreePBX version 15.0.66 and versions prior to 17.0.3 contain a security vulnerability that stems from insufficient sanitization of user data and may lead to unauthenticated access to the administrator interface and remote code execution.
Description
This repository includes two PoC scripts for CVE-2025-57819 in FreePBX: one to create a new admin user (poc_admin.py), and another to extract credentials using sqlmap (poc_auto_get_username_pass.py). For educational and authorized use only.
Introduction
# 🛡️ CVE-2025-57819 – FreePBX Unauthenticated SQL Injection to RCE (PoC)

This repository contains two Python Proof-of-Concept (PoC) scripts targeting **CVE-2025-57819**, a critical **unauthenticated SQL injection vulnerability** in **FreePBX**.

---

## 🧠 About the Vulnerability (CVE-2025-57819)

**CVE-2025-57819** affects multiple versions of FreePBX and allows **unauthenticated remote attackers** to execute **arbitrary SQL queries** via a vulnerable parameter in `admin/ajax.php`.

The flaw exists due to **insufficient input sanitization** in the `module=FreePBX\modules\endpoint\ajax` endpoint, which allows direct SQL injection into backend queries.

### 📊 CVE Details

- **CVE ID:** CVE-2025-57819
- **Type:** SQL Injection (Unauthenticated)
- **Attack Vector:** Remote
- **Impact:** Admin account creation, credential dumping, potential RCE
- **CVSS v3 Score:** 9.8 (Critical)

### 🎯 Affected Versions

| Version       | Status     |
|---------------|------------|
| ≤ 15.0.65     | Vulnerable |
| ≤ 16.0.88     | Vulnerable |
| ≤ 17.0.2      | Vulnerable |
| ≥ 15.0.66     | Patched    |
| ≥ 16.0.89     | Patched    |
| ≥ 17.0.3      | Patched    |

---

## 📁 Repository Structure

| File                          | Description                                                                 |
|-------------------------------|-----------------------------------------------------------------------------|
| `poc_admin.py`                | Creates a new admin user via raw SQL injection                              |
| `poc_auto_get_username_pass.py` | Automates mass extraction of credentials using sqlmap on multiple targets     |

---

## ⚙️ Usage

### 1️⃣ `poc_admin.py` – Add Admin User

This script sends a specially crafted SQL query to create a new FreePBX admin user.

#### ✅ Requirements

- Python 3
- `requests` module (`pip install requests`)

#### ▶️ Usage

```bash
python3 poc_admin.py http://target/
```

#### 💡 Example Output

```
[+] Creating admin user: orange0Mint_k9l3zq / X9sfL30wlKp1
[+] Done. Try logging in at: http://target/admin/config.php
[+] Credentials -> Username: orange0Mint_k9l3zq | Password: X9sfL30wlKp1
```

---

### 2️⃣ `poc_auto_get_username_pass.py` – Dump Credentials via SQLMap

This script uses `sqlmap` to extract usernames and password hashes from the vulnerable `ampusers` table across multiple targets.

#### ✅ Requirements

- Python 3.x
- `sqlmap` cloned locally as `sqlmap-master/`
- File containing list of target URLs

#### 📂 Targets file format

Each line in the file should be a base URL:

```
http://192.168.1.100/
http://pbx.example.com:8080/
```

#### ▶️ Usage

```bash
python3 poc_auto_get_username_pass.py targets.txt
```

#### 💡 Features

- Logs output of each target to `log/target.txt`
- Automatically waits on:
  - Internet disconnection
  - Presence of `stop.txt` file
- Uses `--batch` and `--ignore-code=404` flags in SQLMap

---

## 📦 Output

All results from `sqlmap` will be saved inside the `log/` directory, named by the target host:

```
log/
 ├── 192.168.1.100.txt
 ├── pbx.example.com_8080.txt
```

---

## 🔐 Mitigation

- Upgrade to patched versions of FreePBX:
  - 15.0.66+
  - 16.0.89+
  - 17.0.3+
- Restrict access to the `/admin/` interface
- Use Web Application Firewalls (WAFs)
- Monitor access to `ajax.php`
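As an added defensive example (not code from the PoC repository or the FreePBX project), the following Python script does two things the checklist above calls for: it checks a FreePBX version string against the patched releases listed in this README, and it triages web-server access-log lines for requests to `admin/ajax.php`, the endpoint the last item recommends monitoring. The log lines are constructed samples, and the SQL-metacharacter pattern is a generic heuristic rather than a signature taken from the advisory.

```python
"""Defensive helpers for the CVE-2025-57819 mitigation checklist.

Added example; not part of the PoC repository. Version thresholds are the
patched releases from the README's table. Log lines are constructed samples
in Apache/Nginx "combined" format.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# First patched release of each supported branch, per the README.
PATCHED = {15: (15, 0, 66), 16: (16, 0, 89), 17: (17, 0, 3)}


def parse_version(version: str) -> tuple:
    """Turn '16.0.88' (or '16.0.88.1') into a comparable (major, minor, patch) tuple."""
    parts = re.findall(r"\d+", version)
    if len(parts) < 3:
        raise ValueError(f"unrecognised FreePBX version: {version!r}")
    return tuple(int(p) for p in parts[:3])


def is_patched(version: str) -> Optional[bool]:
    """True if the version is at or above its branch's fix; None for a branch not in the table."""
    ver = parse_version(version)
    floor = PATCHED.get(ver[0])
    if floor is None:
        return None
    return ver >= floor


# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Generic SQL-injection indicators; a heuristic, not an advisory signature.
SQLI_RE = re.compile(r"""('|"|\bunion\b|\bselect\b|--|/\*|\bsleep\s*\()""", re.I)

# Constructed sample log lines (documentation addresses only).
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Aug/2025:10:15:02 +0000] "GET /admin/ajax.php?module=endpoint&command=list HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Aug/2025:10:15:05 +0000] "GET /admin/ajax.php?module=endpoint&command=x%27%20UNION%20SELECT%201-- HTTP/1.1" 200 7311 "-" "python-requests/2.31"',
    '203.0.113.9 - - [29/Aug/2025:10:16:00 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 9921 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [29/Aug/2025:10:16:30 +0000] "GET /admin/ajax.php?module=core&command=x%27%20OR%201%3D1 HTTP/1.1" 500 88 "-" "curl/8.4.0"',
]


def triage_line(line: str) -> Optional[dict]:
    """Return a finding for an ajax.php request carrying SQL metacharacters, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if not url.path.endswith("/admin/ajax.php"):
        return None
    decoded = unquote_plus(url.query)          # what the PHP side actually sees
    if not SQLI_RE.search(decoded):
        return None
    module = parse_qs(url.query, keep_blank_values=True).get("module", [""])[0]
    # The endpoint module's ajax handler is the one named in the advisory text above.
    severity = "high" if "endpoint" in module.lower() else "medium"
    return {
        "ip": m["ip"],
        "module": module,
        "status": int(m["status"]),
        "ua": m["ua"],
        "severity": severity,
        "query": decoded,
    }


def triage_log(lines) -> list:
    """Run triage_line over an iterable of log lines and collect findings."""
    return [f for f in (triage_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for v in ("15.0.65", "16.0.89", "17.0.2", "14.0.13"):
        print(f"{v}: patched={is_patched(v)}")
    for finding in triage_log(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['ip']} module={finding['module']} ua={finding['ua']}")
```

Requests to the endpoint module's handler without metacharacters are deliberately not flagged, since administrators use that module legitimately; the `severity` field is where the module context is recorded. Feeding real logs through `triage_log` (for example `sys.stdin`) is the only change needed to run it against a live server.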

---

## ⚠️ Disclaimer

> This PoC is provided for **educational and authorized penetration testing** purposes only.  
> Do not use this code against systems you do not own or have explicit permission to test.  
> The author is **not responsible** for misuse or damages caused by this script.

---

## 👨‍💻 Author

**orange0Mint**  
GitHub: [https://github.com/orange0Mint](https://github.com/orange0Mint)

---

## 🧩 References

- [FreePBX Official Site](https://www.freepbx.org/)
- [sqlmap GitHub](https://github.com/sqlmapproject/sqlmap)
- [CVE-2025-57819 @ NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-57819)

File snapshot

```
[4.0K] /data/pocs/c8968b43cb485d8595802b35909c935874ea43dc
├── [2.2K] poc_admin.py
├── [5.1K] poc_auto_get_username_pass.py
└── [3.9K] README.md

0 directories, 3 files
```
Notes
    1. It is recommended to access the PoC through the Source link first.
    2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.