Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-25257 PoC — Fortinet FortiWeb SQL注入漏洞

Source
https://github.com/segfault-it/CVE-2025-25257
Associated Vulnerability
Title:Fortinet FortiWeb SQL注入漏洞 (CVE-2025-25257)
Description:An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.
Description
A working (at least for me :] ) exploit for CVE-2025-25257
Readme
# CVE-2025-25257
Exploits for CVE-2025-25257 released by watchtowr and others I found on github did not work on my installations of fortiweb
downloaded from the official vendor website. I ripped some of these exploit codes to make a poc capable to pop a reverse shell 
on my environment. IP address and port of the reverse shell are hardcoded and must be changed ofc.

Exploit analysis and walkthough have been described in a two-part videos in my youtube channel (ITA language, ENG subtitles):
- Part 1: https://youtu.be/Z6I4adGuJ1c
- Part 2: https://youtu.be/Z6I4adGuJ1c
File Snapshot

 [4.0K]  /data/pocs/743796bb6a8fc17b0818000a2e12c9c7c661de93
├── [ 573]  README.md
└── [3.3K]  watchtowel.py

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →