This repository includes two PoC scripts for CVE-2025-57819 in FreePBX: one to create a new admin user (poc_admin.py), and another to extract credentials using sqlmap (poc_auto_get_username_pass.py). For educational and authorized use only.# 🛡️ CVE-2025-57819 – FreePBX Unauthenticated SQL Injection to RCE (PoC)
This repository contains two Python Proof-of-Concept (PoC) scripts targeting **CVE-2025-57819**, a critical **unauthenticated SQL injection vulnerability** in **FreePBX**.
---
## 🧠 About the Vulnerability (CVE-2025-57819)
**CVE-2025-57819** affects multiple versions of FreePBX and allows **unauthenticated remote attackers** to execute **arbitrary SQL queries** via a vulnerable parameter in `admin/ajax.php`.
The flaw exists due to **insufficient input sanitization** in the `module=FreePBX\modules\endpoint\ajax` endpoint, which allows direct SQL injection into backend queries.
### 📊 CVE Details
- **CVE ID:** CVE-2025-57819
- **Type:** SQL Injection (Unauthenticated)
- **Attack Vector:** Remote
- **Impact:** Admin account creation, credential dumping, potential RCE
- **CVSS v3 Score:** 9.8 (Critical)
### 🎯 Affected Versions
| Version | Status |
|---------------|------------|
| ≤ 15.0.65 | Vulnerable |
| ≤ 16.0.88 | Vulnerable |
| ≤ 17.0.2 | Vulnerable |
| ≥ 15.0.66 | Patched |
| ≥ 16.0.89 | Patched |
| ≥ 17.0.3 | Patched |
---
## 📁 Repository Structure
| File | Description |
|-------------------------------|-----------------------------------------------------------------------------|
| `poc_admin.py` | Creates a new admin user via raw SQL injection |
| `poc_auto_get_username_pass.py` | Automates mass extraction of credentials using sqlmap on multiple targets |
---
## ⚙️ Usage
### 1️⃣ `poc_admin.py` – Add Admin User
This script sends a specially crafted SQL query to create a new FreePBX admin user.
#### ✅ Requirements
- Python 3
- `requests` module (`pip install requests`)
#### ▶️ Usage
```bash
python3 poc_admin.py http://target/
```
#### 💡 Example Output
```
[+] Creating admin user: orange0Mint_k9l3zq / X9sfL30wlKp1
[+] Done. Try logging in at: http://target/admin/config.php
[+] Credentials -> Username: orange0Mint_k9l3zq | Password: X9sfL30wlKp1
```
---
### 2️⃣ `poc_auto_get_username_pass.py` – Dump Credentials via SQLMap
This script uses `sqlmap` to extract usernames and password hashes from the vulnerable `ampusers` table across multiple targets.
#### ✅ Requirements
- Python 3.x
- `sqlmap` cloned locally as `sqlmap-master/`
- File containing list of target URLs
#### 📂 Targets file format
Each line in the file should be a base URL:
```
http://192.168.1.100/
http://pbx.example.com:8080/
```
#### ▶️ Usage
```bash
python3 poc_auto_get_username_pass.py targets.txt
```
#### 💡 Features
- Logs output of each target to `log/target.txt`
- Automatically waits on:
- Internet disconnection
- Presence of `stop.txt` file
- Uses `--batch` and `--ignore-code=404` flags in SQLMap
---
## 📦 Output
All results from `sqlmap` will be saved inside the `log/` directory, named by the target host:
```
log/
├── 192.168.1.100.txt
├── pbx.example.com_8080.txt
```
---
## 🔐 Mitigation
- Upgrade to patched versions of FreePBX:
- 15.0.66+
- 16.0.89+
- 17.0.3+
- Restrict access to the `/admin/` interface
- Use Web Application Firewalls (WAFs)
- Monitor access to `ajax.php`
---
## ⚠️ Disclaimer
> This PoC is provided for **educational and authorized penetration testing** purposes only.
> Do not use this code against systems you do not own or have explicit permission to test.
> The author is **not responsible** for misuse or damages caused by this script.
---
## 👨💻 Author
**orange0Mint**
GitHub: [https://github.com/orange0Mint](https://github.com/orange0Mint)
---
## 🧩 References
- [FreePBX Official Site](https://www.freepbx.org/)
- [sqlmap GitHub](https://github.com/sqlmapproject/sqlmap)
- [CVE-2025-57819 @ NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-57819)
[4.0K] /data/pocs/c8968b43cb485d8595802b35909c935874ea43dc
├── [2.2K] poc_admin.py
├── [5.1K] poc_auto_get_username_pass.py
└── [3.9K] README.md
0 directories, 3 files