
CVE-2023-48123 PoC — Netgate pfSense CE Security Vulnerability

Associated Vulnerability

Title: Netgate pfSense CE Security Vulnerability (CVE-2023-48123)
Description: An issue in Netgate pfSense Plus v.23.05.1 and before and pfSense CE v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the packet_capture.php file.

Description: CVE-2023-48123 exploit

Readme

# pfSense 2.7.0 Command Injection Exploit (CVE-2023-48123)

This Python script is a Proof-of-Concept (PoC) exploit for the command injection vulnerability (CVE-2023-48123) in pfSense CE 2.7.0 and pfSense Plus 23.05.1. The vulnerability allows authenticated attackers to inject and execute arbitrary commands via the `diag_packet_capture.php` component.

## Features
- Command injection capability to run arbitrary shell commands.
- Netcat reverse shell handling with automatic thread management.
- Debug mode for enhanced visibility of request data.

## Prerequisites
Before running the script, make sure you have:
- Python 3.x installed on your system.
- Run `pip install -r requirements.txt` to make sure the dependencies are satisfied.
- Add a `.env` file with the required variables (explained below) to the project directory.

## Usage

### Basic Example (Command Injection)

This command executes the exploit and runs the command that you specified in the .env file:

```bash
python3 exploit.py
```

#### .env variables

- `username` --> Username for pfSense admin login
- `password` --> Password for pfSense admin login
- `target` --> Target pfSense IP (e.g., http://10.101.1.1)
- `interface` --> On which interface to capture the packets (e.g. em0)
- `command` --> Command to inject
- `debug` --> Enable debug mode to print response data (True or False)
- `insecure` --> Allow insecure server connections when using SSL (True or False)

### Example Output
When the exploit runs successfully, you should see output similar to this:

```bash
[2024-10-24 03:57:59] [SUCCESS] Target http://10.101.1.1 is reachable
[2024-10-24 03:57:59] [INFO] Fetching CSRF token from: http://10.101.1.1/
[2024-10-24 03:57:59] [SUCCESS] CSRF token extracted successfully
[2024-10-24 03:57:59] [INFO] Sending exploit request to http://10.101.1.1/diag_packet_capture.php
[2024-10-24 03:57:59] [SUCCESS] Exploit sent successfully
```

### Notes

- **Privilege Requirement**: You must have valid user credentials for the pfSense instance.
- **Target System**: This exploit is specific to pfSense CE 2.7.0 and pfSense Plus 23.05.1. Note that **it does not affect earlier versions**.
- **Reverse Shell**: Ensure your firewall settings allow incoming connections on the specified port when setting up a reverse shell.
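A defender-side companion, added here as example code and not part of the PoC: it encodes the affected-version note above as a check and triages web-server access-log lines for requests to the vulnerable page from hosts that are not known administrator workstations. The Common Log Format, the IP addresses and the version strings are constructed assumptions.

```python
import re
from typing import Iterable, List, Tuple

# Affected versions as stated in the notes above: pfSense CE 2.7.0 only,
# pfSense Plus 23.05.1 and earlier.
CE_AFFECTED = (2, 7, 0)
PLUS_MAX_AFFECTED = (23, 5, 1)

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.7.0-RELEASE' or '23.05.1' into a comparable tuple such as (2, 7, 0)."""
    core = text.strip().split("-", 1)[0]  # drop -RELEASE / -p1 style suffixes
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised pfSense version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(edition: str, version: str) -> bool:
    """True when the edition/version pair falls inside the affected range."""
    v = parse_version(version)
    ed = edition.strip().lower()
    if ed == "ce":
        return v == CE_AFFECTED
    if ed == "plus":
        return v <= PLUS_MAX_AFFECTED
    raise ValueError(f"unknown pfSense edition: {edition!r}")

# Assumed Common Log Format for the web GUI access log (an assumption, not pfSense's default).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def packet_capture_requests(log_lines: Iterable[str], admin_ips: set) -> List[Tuple[str, str, str]]:
    """Return (ip, method, timestamp) for hits on the vulnerable page from unexpected hosts."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/diag_packet_capture.php"):
            continue
        if m["ip"] not in admin_ips:  # known admin workstations are expected here
            hits.append((m["ip"], m["method"], m["ts"]))
    return hits

# Constructed sample lines: two admin-workstation visits and one POST from an unknown host.
SAMPLE_LOG = [
    '10.101.1.50 - - [24/Oct/2024:03:57:59 +0000] "GET /diag_packet_capture.php HTTP/1.1" 200 5123',
    '10.101.1.77 - - [24/Oct/2024:03:58:01 +0000] "POST /diag_packet_capture.php HTTP/1.1" 200 118',
    '10.101.1.50 - - [24/Oct/2024:03:58:05 +0000] "GET /index.php HTTP/1.1" 200 9001',
]
```

Any hit returned by `packet_capture_requests` should be matched against an authorised admin session; on an affected version, an unexplained hit is worth treating as a possible exploitation attempt.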

### Debug Mode

If you want to see more details about the requests being sent, enable debug mode by setting the `debug` variable to `True` in the `.env` file. This prints the response data and helps you troubleshoot any issues.

### Troubleshooting
- Ensure the target system is reachable.
- Double-check the credentials being used for login.
- Use the debug mode for more detailed logging if needed.

### License

This project is licensed under the MIT License.
File Snapshot

```
[4.0K] /data/pocs/32de75c3cf53f1ca8b9f41dd379a7713b0f90937
├── [6.0K] exploit.py
├── [1.0K] LICENSE
├── [2.7K] README.md
└── [  42] requirements.txt

0 directories, 4 files
```